New research reveals the state of NZ businesses’ cyber security defences
Kiwi businesses taking cyber security more seriously – but there’s room for improvement
New research from Kordia, a leading provider of business-critical technology and cyber security solutions, has revealed
that New Zealand businesses are taking cyber security more seriously as the number of cyber-attacks continues to rise.
However, the company notes that while progress is being made, chinks remain in the corporate armour – and people still
present the greatest risk of all.
According to Esmée O’Brien, head of communications at Kordia, the results of the research are encouraging, particularly
in regards to cyber security awareness and preparedness.
“Over half of New Zealand businesses now acknowledge their risk of falling victim to cyber-crime. Two thirds of
businesses updated or reviewed their policies in the wake of the recent high-profile ransomware attacks. And, more than
half of all businesses are planning to increase their budget for information security in the year ahead.”
In addition, in the crucial area of employees being prepared for a cyber-attack, O’Brien notes two thirds of respondents
have carried out employee training or awareness programmes.
“This is a great result. Technology can only go so far when it comes to securing information – the rest is up to people.
We’d like to see that number higher, but it does show that more businesses are getting the message and understanding
that cyber security is a company-wide issue.”
Kordia commissioned the research in September this year. In the online survey, 225 business Information Technology (IT)
decision makers were polled, drawn from organisations with more than 20 employees. Respondents identified as
decision-makers for IT or information security within their company, holding a position as manager or higher.
The findings confirm the prevalence of cyber-attacks - which is unlikely to slow in the year ahead. A quarter of
businesses surveyed were impacted by the recent NotPetya and WannaCry attacks, and 46 per cent of businesses have been
targeted by ransomware, malware or phishing attempts in the last 12 months.
Interestingly, company size did not have an impact on whether businesses felt at risk or not – with businesses with 20
to 49 employees feeling just as at risk as those with 100 to 199 employees (46.7 per cent and 47.6 per cent
respectively).
Almost two thirds (65 per cent) of respondents stated that recent high-profile ransomware attacks – such as NotPetya and
WannaCry – had prompted their business to review or update its cyber security policies.
In terms of spending, almost 60 per cent of respondents estimate that between 5 and 14 per cent of the IT budget is
allocated to cyber security. Some 62 per cent believed the amount allocated is sufficient, while 22 per cent believe
more should be invested.
Notably, those close to the security operations – in Chief Information Security Officer, CIO, CTO and COO positions –
were more likely to believe the sufficiency of the security budget. CEOs and General Managers are more likely to expect
an increase in spending in the next year, something 54 per cent of respondents anticipate happening.
O’Brien notes that there is no ‘correct’ amount, as spending on its own is not a determinant of an appropriate security
posture.
There’s further good news for the people factor. Three quarters of respondents are confident their staff understand
cyber security best practice, including strong passwords, locking devices, and avoiding malicious links or attachments
in email.
Questioned on their ability to respond to a cyber-attack, New Zealand businesses expressed a high level of assurance in
their preparedness, with 68 per cent of respondents believing their company is ready to deal with an attack and 59 per
cent saying a response plan is in place.
These findings, says O’Brien, reflect progress in awareness of the inevitability of cyber-attacks for the modern
business. However, she notes that the positives have a flip side.
“Though half of NZ businesses now acknowledge their risk of cyber-crime, which means the other half doesn’t. Two thirds
of businesses updated cyber policies after the recent high-profile attacks – however a third didn’t bother, which is
especially concerning considering 25 per cent of respondents said their business was affected by the WannaCry and
NotPetya ransomware attacks.”
Despite over half of businesses being aware of the risk of cyber-crime, a concerning 41 per cent do not have any cyber
insurance in place whatsoever, and almost one third (29 per cent) do not have a cyber-incident response plan in place
should an incident occur.
With a constantly evolving threat environment, O’Brien warns that businesses can’t afford to rest on their laurels.
“It is no longer a case of ‘if’, but ‘when’ your business will be targeted. Being prepared and taking a risk-based
approach is therefore an essential part of being in business. It is not the attack itself that will determine the
eventual outcome, but how you respond to it. We’d like to see all New Zealand businesses acknowledging cyber security
risk, training their people, establishing response plans – and testing them regularly,” she concludes.
Launched in April 2017, Cyber Security by Kordia encompasses New Zealand’s most comprehensive range of cyber security
products and solutions. Services offered are defined by three pillars – Advise, Protect and Insight & Response – with each providing a range of specialist services designed to assist New Zealand businesses in protecting
themselves against a growing number of cyber threats.
ENDS