Many NZ businesses lack comprehensive cyber security strategy

Many NZ businesses lack comprehensive cyber security strategy | Insurance Business New Zealand

Kiwi businesses are over-reliant on basic penetration tests and are lagging behind their global counterparts in understanding cyber security risks across their supply chain, a PwC survey has found.

The first part of PwC’s Global State of Information Security Survey (GSISS) 2017 indicated that a number of Kiwi businesses were having difficulty with the consequences of a digital business model for their cyber security profile.

Adrian van Hest, PwC New Zealand partner and cyber practice leader, said: “It’s heartening to see the change in perceptions among businesses in their approach to cyber security.”

“However, leaders are struggling to fully grasp the breadth of cyber risks their organisations face and the value of the data they are gathering, let alone translating awareness into action. Companies that are making this transition to a digital operating model have to make cyber security central to their transformation efforts.”

The survey showed that 63% of Kiwi businesses used basic penetration tests as their primary control. The focus on such basic measures, PwC said, was keeping companies from employing measures more likely to address the fastest-growing sources of cyberattacks: insiders and partners.

Kiwi businesses also allocated less of their spending to cyber security than businesses in other countries, focusing more on basic measures than on insider and partner issues, the survey found.

PwC cited as an example NZ businesses’ uptake of managed security services, which at 44% was almost half that of Australia’s 78%. At the same time, it was found that security breaches that originated from business partners were less likely to be reported, at 21% compared to 10% last year.

“A major concern is the focus on only a narrow range of methods to detect cyber security weaknesses. New Zealand companies are over-reliant on very basic penetration tests, and less focused on understanding their risk, let alone more advanced analytics and how to respond when something actually happens,” van Hest said.

The survey also suggested that many NZ companies were struggling to respond to the complexity brought about by the rise of digital businesses, mass adoption of cloud technology, and a compound network of relationships with customers, employees, and supply chain partners.

It was found that only 29% of local firms evaluated the security of third parties. PwC noted that organisations continue to focus on external threats even though suppliers, business partners, and employees are increasingly causing many of the cyberattacks.

“Rather than trying to ring-fence their organisation, companies now have to develop a proactive security approach across their entire digital presence. That means holding suppliers accountable for breaches, addressing the risk from employees and treating customer data privacy as a competitive advantage,” van Hest said.

“Every organisation’s cyber security approach has to begin with understanding their risk profile. Only then can they develop a strategy to protect their assets, detect when they experience a breach and then respond and recover effectively.”
