
Most of the way the attacks were affecting New Zealand businesses and organisations was "beneath the surface" — unseen and not necessarily reported — and it was difficult to quantify the extent of economic impact or service disruption they caused.
However, cybercrime was affecting the country "widely and deeply".
Next Tuesday, Mr Nayar — a cybersecurity expert at Deloitte — and fellow partner David Seath will share their insights on cyber resilience and fraud prevention at an Institute of Directors event in Dunedin.
Increasing digital dependency was amplifying the risk of cyber-attacks and opening doors to issues relating to service disruption, fraud and data privacy.
Only 35% of directors in a 2020 IoD director sentiment survey said their boards had the right capabilities to lead their organisation’s digital future.
When looking at the effect of cyberattacks and their possible harm, financial or economic harm usually came to mind, Mr Nayar said.
But there was also service disruption, trust and reputation, physical safety and wellbeing and, for regulated entities, regulatory harm.
Cyberattacks translated to tangible harm at individual, organisational and societal levels. In recent years, the degree of seriousness and effort going into the issue had shifted; more senior people in organisations were "asking questions and having conversations", particularly concerning cyber strategies.
However, it was still early in the understanding of the topic.
It changed every day and to take a mature approach to it was not necessarily to try to prevent "everything bad from happening".
"We can’t realistically do that."
What was important was making sure there were disciplines that enabled businesses and organisations to manage it.
New Zealand was in "quite an interesting position"; it was a small country that traditionally operated in its physical world in modes of high trust. Being at the bottom of the globe and semi-isolated, it had benefited in some ways from that physical safety and trust.
Moving to the digital landscape, that high trust had been carried over into the digital world, yet anyone in the globe could affect New Zealand within milliseconds, he said.
New Zealand was a member of The Five Eyes, an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States.
In many ways, New Zealand was perceived as being the "softest touch" in that group. Its high trust made it particularly vulnerable, he said.
Add in Covid-19 and, with the exception of possibly Australia, when compared with those other countries New Zealand had fared "reasonably well" and had been put on the world map because of that. That meant it became even more attractive as a target.
Thanks to the pandemic, those involved in organised crime had seen their supply and distribution and revenue channels significantly disrupted.
So they had looked at what else was lucrative and changed their method in efforts to make money from cybercrime.
Everyone was far more dependent on technology and digital channels and data and that footprint of different ways in which there could be disruption was growing rapidly.
The point of vulnerability that someone could exploit for their own gain was growing and, because of that, the number of attacks would increase. The question was whether the amount of harm would exponentially increase.
That part was "up to us in terms of a nation" as to how good the country was in its approach to the issue, Mr Nayar said.
At Deloitte, the tendency was to think of solutions from three aspects — secure, which was about prevention; vigilant, which was about monitoring, situational awareness and detection; and resilient, which was about response and recovery.
Whatever strategy was applied to a business or organisation, all three needed to be looked at.
New Zealand historically had "focused most of its eggs in the secure basket" but paid very little attention to vigilant and a little bit of attention to resilient.
There were some good cyber insurance schemes in New Zealand although there was still reasonably low take-up of that.
A good place for resources was CERT NZ which supported businesses, organisations and individuals affected by cyber security incidents, while contacting business partners was also valuable. When there was an issue from a cyber perspective, time was "of the essence", Mr Nayar said.
Cyberattacks were now a very real feature of day-to-day life; five years ago, it would be incredibly hard for cybercriminals to amass the technology, knowledge, tools and ability to launch a successful attack. Today, the cybercrime economy was also highly commoditised and designed to be very adept at being self-service, he said.











