Medium-sized companies are more likely to leave themselves open to cyber-attacks, business leaders have little confidence in the policies in place to deal with the aftermath of a data breach, and technology and business executives aren’t on the same page when it comes to information security.
That’s emerged in new research conducted by Perceptive for leading provider of business-critical technology and cyber security solutions, Kordia. While it shows that businesses in New Zealand are generally well-prepared and positioned to respond to cyber security attacks, gaps remain and information security tends to be confined to the IT department rather than being a company-wide discipline.
“Cyber attackers thrive in gaps. While it’s good to see that most businesses are aware of the necessity for sound information security policies, procedures and enabling infrastructure, more needs to be done – particularly around training and policy implementation. And the ‘she’ll be right’ approach taken by medium-sized businesses is potentially leaving them wide open to attack,” says Scott Bartlett, Group CEO at Kordia.
The research, which polled more than 180 IT decision makers from New Zealand organisations with 20 or more employees, took place in March. Respondents provided insight on a range of information security issues, including structures for reporting breaches to boards of directors and customers, completeness of tools available, and the presence of policies and training to support an appropriate information security posture.
Kordia recently announced the launch of Cyber Security by Kordia, which encompasses New Zealand’s most comprehensive range of cyber security products and solutions. The business has defined three pillars – Advise, Protect and Insight & Response – with each providing a range of specialist services designed to assist New Zealand businesses in protecting themselves against a growing number of cyber threats.
In businesses with more than 200 employees, 82 per cent of respondents felt their business had enough tools available to educate and assist it in making informed cyber security decisions; this dropped considerably, to just 58 per cent, for those with 60 – 99 employees. Similarly, seven in ten respondents overall stated that their company currently has policies or training in place relating to online security, but the number drops to 58 per cent for medium-sized businesses.
“Businesses with 20 to 99 employees are less well prepared as they likely don’t have the budget, the skills or the inclination to focus on information security. Instead, energies are more likely to be focused on operational issues,” adds Bartlett.
He notes that the survey findings demonstrate a clear lack of communication and alignment between Chief Executive/General Managers on the one hand and Chief Technology Officers on the other. IT staff members are much more likely to know that there are policies or training systems in place relating to online security, at 84 per cent, while only 54 per cent of CEOs/GMs know this information.
And while 70 per cent of those who have cyber security policies in place are confident that those policies will prevent a cyber breach, the number comes down dramatically depending on who is asked: just 46 per cent of CEOs/GMs believe that the policy in place will be effective in dealing with a cyber-attack.
“Technical staff are more confident in the response policy because they are probably responsible for its design. The ‘business’ side either perceive the policy as inadequate, or they may simply not know enough about it to have a higher level of confidence,” says Bartlett. “That’s a problem because it’s crucial cyber security is a company-wide culture.”
Cyber security, he says, is like a chain: only as strong as its weakest link. “It is encouraging that most companies do recognise the necessity for cyber security as a component of their IT and business organisation.
“However, there is still work to be done in terms of making this a company-wide issue, rather than cyber security remaining in the domain of technical staff members. And both small and medium-sized businesses should realise that they are just as much in hackers’ crosshairs as their larger counterparts,” Bartlett concludes.