Companies that are making this transition to a digital operating model have to make cybersecurity central to their transformation efforts.
New Zealand businesses are going digital, but many are struggling to cope with the consequences a digital business model is having on their cybersecurity risk profile. As a result, many are relying on basic penetration tests, without developing a comprehensive security strategy.
This is one of the key finding of the Global State of Information Security Survey (GSISS) 2017, which PwC conducted with CIO and CSO.
The report tracks the transformation that digital business models are bringing to local companies, and the impact this is having on their cybersecurity efforts.
“It’s heartening to see the change in perceptions among businesses in their approach to cybersecurity,” says Adrian van Hest, PwC New Zealand partner and cyber practice leader.
“However, leaders are struggling to fully grasp the breadth of cyber risks their organisations face and the value of the data they are gathering, let alone translating awareness into action. Companies that are making this transition to a digital operating model have to make cybersecurity central to their transformation efforts.”
Every organisation’s cybersecurity approach has to begin with understanding their risk profile. Only then can they develop a strategy to protect their assets, detect when they experience a breach and then respond and recover effectively
Cyber spending lags behind the rest of the world
Compared to the rest of the world, the survey finds Kiwi businesses are lagging in the amount of spending they are directing towards cybersecurity. These efforts are also focused more towards basic measures like penetration tests, at the expense of those that are more likely to address the insider and partner issue, such as comprehensive identity management systems and tighter control over administrator privileges.
The uptake of managed security services, for example, is almost half that of Australia (44 per cent compared to 78 per cent). At the same time, the origins of cyber attacks are becoming more diverse, with respondents twice as likely to report security breaches that originate from their business partners, compared to last year’s findings (21 per cent compared to 10 per cent in 2016).
“A major concern is the focus on only a narrow range of methods to detect cybersecurity weaknesses. New Zealand companies are over-reliant on very basic penetration tests, and less focused on understanding their risk, let alone more advanced analytics and how to respond when something actually happens,” says Adrian.
Blurring the lines of a cybersecurity strategy
The rise of digital businesses, mass adoption of cloud technology and the increasingly complex network of relationships with customers, employees and supply chain partners have all blurred the lines of traditional cybersecurity.
As a result, New Zealand companies are struggling to respond to the added complexity.
Only 29 per cent of local firms evaluate the security of third-parties, despite suppliers and business partners being the fastest-growing source for cyber attacks. Likewise, employees were the single largest source of cybersecurity breaches, yet organisations are still focusing on external threats.
“Rather than trying to ring-fence their organisation, companies now have to develop a proactive security approach across their entire digital presence. That means holding suppliers accountable for breaches, addressing the risk from employees and treating customer data privacy as a competitive advantage,” says Adrian.
“Every organisation’s cybersecurity approach has to begin with understanding their risk profile. Only then can they develop a strategy to protect their assets, detect when they experience a breach and then respond and recover effectively,” says van Hest.
Penetration tests are a preemptive measure to identify vulnerabilities in a company’s IT infrastructure so they can be addressed before they lead to a security breach.
Success or failure in cybersecurity comes down to how well companies respond after a breach
Bake a cybersecurity framework into new digital initiatives: "Retrofitting digital infrastructure with security measures will never be as effective as building these features in from the start."
Invest in detecting and responding to new types of cyber attacks: "Local companies are over-reliant on penetration tests compared to the rest of the world and have to diversify into more advanced tools like risk-based authentication/authorisation, while also addressing the risk posed by staff and suppliers."
Move away from solely in-house cybersecurity: "New Zealand firms rely more on in-house measures than their global counterparts. Outsourced expertise, open source security software and scalable third party tools can all provide a more effective security solution – and are all measures that overseas firms are actively pursuing."
Be ready to respond: "Success or failure in cybersecurity comes down to how well companies respond after a breach." (Source: PwC New Zealand)
Send news tips and comments to firstname.lastname@example.org
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter:@cio_nz