NZ lagging in security and privacy risk management

02 Oct 2014

Kiwi organisations are being unnecessarily exposed to financial, regulatory, brand and productivity impacts through poorer management of security and privacy risks, according to a new security report from PwC.

The Global State of Information Security Survey says while Kiwi organisations seem to be taking cyber security and privacy seriously, we're lagging our global counterparts in some key areas.

The survey shows the number of detected security incidents leapt 48% in the past year. The financial cost rose too, with total financial losses attributed to security compromises increasing 34% over 2013.

The number of detected incidents hit 42.8 million – the equivalent of 117,339 attacks per day – in 2013. Detected security incidents have increased 66% year-over-year since 2009, the survey data shows.

Globally, big losses have been more common this year as organisations reporting financial hits in excess of US$20 million nearly doubled.

On the local front, 42% of New Zealand respondents have had employee records compromised – well above the global average of 29%.

Adrian van Hest, PwC partner and cyber practice leader, says New Zealand organisations were above average in developing a cyber security strategy, but were poorer at executing it, particularly the supporting elements such as standards, policies, classification of data and tools such as identity management, activity monitoring, risk management tools and encryption.

“So while senior executives in New Zealand organisations seem to be taking cyber security and privacy seriously by assigning ownership and responsibility for this within their organisations, we’re behind other countries in a number of key areas.

“For example, when it comes to privacy, we’re at odds with global practices such as requiring employees to complete training on privacy policy, formally acknowledging compliance and imposing disciplinary measures for violations.

“We’re also lagging behind in using big data analytics to measure the risk and impact related to information security,” van Hest says.

“These risks are exposing organisations to financial, regulatory, brand and productivity impacts and we’re encouraging them to address these.

“Cyber risks will never be completely eliminated, so organisations must understand that the perpetual and ever-changing nature of threat demands a fairly dynamic and proactive approach.”

Budget positivity

There was some good news when it came to security spend, however.

While globally, information security budgets have decreased 4% compared with 2013, with security spend as a percentage of IT budget stalled at 4% or less for the past five years, 6% to 7% of New Zealand organisations plan to spend more on their security budgets in the next 12 months.

“Hopefully this means the increased level of activity in ownership of the issues and a strategic approach is now translating into investment and action,” van Hest says.

“Organisations will need to identify and invest in cyber security practices that are most relevant to today’s advanced attacks. It’s important that their processes are fully integrated for predictive, preventive, detective and incident-response capabilities to minimise the likelihood and impact of incidents.”

Meanwhile, high profile attacks by nation-states, organised crime and competitors are among the least frequent incidents, yet the fastest-growing cyber threats. This year, respondents who reported a cyber-attack by nation-states increased 86 percent – and those incidents are also most likely under-reported. The survey also found a striking 64 percent increase in security incidents attributed to competitors, some of whom may be backed by nation-states.

Effective security awareness requires top-down commitment and communication, a tactic the survey finds is often lacking across organisations.

“It is vitally important for companies to focus on rapid detection of security intrusions and to have an effective, timely response.

“Given our interconnected business ecosystem, it is equally as important to establish policies and processes regarding third parties. Larger organisations need to be particularly wary as they’re more likely to be targets since they offer more valuable information and their size and complexity make attacks less likely to be detected,” van Hest says.

“Organisations must change from focusing on prevention and controls for security, to an information-centric and risk-based approach that uses controls to enable the business. Information is a powerful business asset and the right approach to security and privacy will empower organisations to maximise its potential,” he concludes.
