EMBARGOED until 1am Friday, 7 October 2016
New Zealand organisations over-investing in basic cyber security measures
• New Zealand organisations are over-reliant on basic penetration tests, with 63 per cent employing them as their
primary control despite more attacks originating from insiders and business partners.
• Local companies are lagging their global counterparts in understanding cyber security risks across their supply
• While New Zealand companies are leading the world in cloud adoption, they aren’t making the corresponding
investment in managing their cyber risk
• 56 per cent of companies will invest more to bring together IT, digital and the wider business over the next 12
New Zealand businesses are going digital, but many are struggling to cope with the consequences a digital business model
is having on their cyber security risk profile. As a result, many are relying on basic penetration tests,* without
developing a comprehensive security strategy.
That’s the finding from the first part of the Global State of Information Security Survey (GSISS) 2017. The report
tracks the transformation that digital business models are bringing to local companies, and the impact this is having on
their cyber security efforts.
“It’s heartening to see the change in perceptions among businesses in their approach to cyber security,” says PwC New
Zealand Partner and Cyber Practice Leader Adrian van Hest.
“However, leaders are struggling to fully grasp the breadth of cyber risks their organisations face and the value of the
data they are gathering, let alone translating awareness into action. Companies that are making this transition to a
digital operating model have to make cyber security central to their transformation efforts.”
Cyber spending lags behind the rest of the world
Compared to the rest of the world, Kiwi businesses are lagging in the amount of spending they are directing towards
cyber security. These efforts are also focused more towards basic measures like penetration tests, at the expense of
those that are more likely to address the insider and partner issue, such as comprehensive identity management systems
and tighter control over administrator privileges.
The uptake of managed security services, for example, is almost half that of Australia (44 per cent compared to 78 per
cent). At the same time, the origins of cyber attacks are becoming more diverse, with respondents twice as likely to
report security breaches that originate from their business partners, compared to last year’s findings (21 per cent
compared to 10 per cent in 2016).
“A major concern is the focus on only a narrow range of methods to detect cyber security weaknesses. New Zealand
companies are over-reliant on very basic penetration tests, and less focused on understanding their risk, let alone more
advanced analytics and how to respond when something actually happens,” says Adrian.
Blurring the lines of a cyber security strategy
The rise of digital businesses, mass adoption of cloud technology and the increasingly complex network of relationships
with customers, employees and supply chain partners have all blurred the lines of traditional cyber security.
As a result, New Zealand companies are struggling to respond to the added complexity. Only 29 per cent of local firms
evaluate the security of third-parties, despite suppliers and business partners being the fastest-growing source for
cyber attacks. Likewise, employees were the single largest source of cyber security breaches, yet organisations are
still focusing on external threats.
“Rather than trying to ring-fence their organisation, companies now have to develop a proactive security approach across
their entire digital presence. That means holding suppliers accountable for breaches, addressing the risk from employees
and treating customer data privacy as a competitive advantage,” says Adrian.
“Every organisation’s cyber security approach has to begin with understanding their risk profile. Only then can they
develop a strategy to protect their assets, detect when they experience a breach and then respond and recover
*Penetration tests are a pre-emptive measure to identify vulnerabilities in a company’s IT infrastructure so they can be
addressed before they lead to a security breach.
– Ends –
Adrian van Hest is a PwC New Zealand Partner and the firm’s Cyber Practice Leader. With over 22 years of international
business and IT experience, Adrian has spent significant time working in the IT security industry helping clients with
risk assessments, compliance, policy, threat mitigation, architecture, and strategy. Adrian also has extensive
experience in incident response and crisis management, disaster recovery, and contingency planning.
The Global State of Information Security Survey is our annual cyber security publication, polling 97 cyber security
specialists and decision-makers from across New Zealand as part of a global survey of more than 10,000 experts in this
area. The results are published in conjunction with CIO Magazine.
PwC firms help organisations and individuals create the value they’re looking for. We’re a network of firms in 157
countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services.
Find out more and tell us what matters to you by visiting us at www.pwc.co.nz
PwC refers to the New Zealand member firm, and may sometimes refer to the PwC network. Each member firm is a separate
legal entity. Please see www.pwc.com/structure for further details.
© 2016 PricewaterhouseCoopers. All rights reserved.