Kiwi businesses taking cyber security more seriously – but there’s room for improvement.
New research from Kordia, a leading provider of business-critical technology and cyber security solutions, has revealed that New Zealand businesses are taking cyber security more seriously as the number of cyber-attacks continues to rise. However, the company notes that while progress is being made, chinks remain in the corporate armour – and people still present the greatest risk of all.
According to Esmée O’Brien, head of communications at Kordia, the results of the research are encouraging, particularly in regards to cyber security awareness and preparedness.
“Over half of New Zealand businesses now acknowledge their risk of falling victim to cyber-crime. Two thirds of businesses updated or reviewed their policies in the wake of the recent high-profile ransomware attacks. And, more than half of all businesses are planning to increase their budget for information security in the year ahead.”
In addition, in the crucial area of employees being prepared for a cyber-attack, O’Brien notes two thirds of respondents have carried out employee training or awareness programmes.
“This is a great result. Technology can only go so far when it comes to securing information – the rest is up to people. We’d like to see that number higher, but it does show that more businesses are getting the message and understanding that cyber security is a company-wide issue.”
Kordia commissioned the research in September this year. In the online survey, 225 business Information Technology (IT) decision makers were polled, drawn from organisations with more than 20 employees. Respondents identified as decision-makers for IT or information security within their company, holding a position as manager or higher.
The findings confirm the prevalence of cyber-attacks, which is unlikely to slow in the year ahead. A quarter of businesses surveyed were impacted by the recent NotPetya and WannaCry attacks, and 46 per cent of businesses have been targeted by ransomware, malware or phishing attempts in the last 12 months.
Interestingly, company size did not have an impact on whether businesses felt at risk or not – with businesses with 20 to 49 employees feeling just as at risk as those with 100 to 199 employees (46.7 per cent and 47.6 per cent respectively).
Almost two thirds (65 per cent) of respondents stated that recent high-profile ransomware attacks – such as NotPetya and WannaCry – had prompted their business to review or update its cyber security policies.
In terms of spending, almost 60 per cent of respondents estimate that between 5 and 14 per cent of the IT budget is allocated to cyber security. Some 62 per cent believed the amount allocated is sufficient, while 22 per cent believe more should be invested.
Notably, those close to the security operations – in Chief Information Security Officer, CIO, CTO and COO positions – were more likely to believe the sufficiency of the security budget. CEOs and General Managers are more likely to expect an increase in spending in the next year, something 54 per cent of respondents anticipate happening.
O’Brien notes that there is no ‘correct’ amount, as spending on its own is not a determinant of an appropriate security posture.
There’s further good news for the people factor. Three quarters of respondents are confident their staff understand cyber security best practice, including strong passwords, locking devices, and avoiding malicious links or attachments in email.
Questioned on their ability to respond to a cyber-attack, New Zealand businesses expressed a high level of assurance in their preparedness, with 68 per cent of respondents believing their company is ready to deal with an attack and 59 per cent saying a response plan is in place.
These findings, says O’Brien, reflect progress in awareness of the inevitability of cyber-attacks for the modern business. However, she notes that the positives have a flip side.
“Though half of NZ businesses now acknowledge their risk of cyber-crime, this means the other half doesn’t. Two thirds of businesses updated cyber policies after the recent high-profile attacks – however a third didn’t bother, which is especially concerning considering a quarter of respondents said their business was affected by the WannaCry and NotPetya ransomware attacks.”
Despite over half of businesses being aware of the risk of cyber-crime, a concerning 41 per cent do not have any cyber insurance in place whatsoever, and almost one third (29 per cent) do not have a cyber-incident response plan in place should an incident occur.
With a constantly evolving threat environment, O’Brien warns that businesses can’t afford to rest on their laurels.
“It is no longer a case of ‘if’, but ‘when’ your business will be targeted. Being prepared and taking a risk-based approach is therefore an essential part of being in business. It is not the attack itself that will determine the eventual outcome, but how you respond to it. We’d like to see all New Zealand businesses acknowledging cyber security risk, training their people, establishing response plans – and testing them regularly,” she concludes.
Launched in April 2017, Cyber Security by Kordia encompasses New Zealand’s most comprehensive range of cyber security products and solutions. Services offered are defined by three pillars – Advise, Protect and Insight & Response – with each providing a range of specialist services designed to assist New Zealand businesses in protecting themselves against a growing number of cyber threats.