CIO

Building cyber resilience: The state of the nation

Tech security spending is on the rise, yet the biggest weakness are trusted people and third parties, and it is no different in New Zealand, according to the 2018 Global State of Information Security Survey.

Companies that stay competitive in our digital landscape can’t blindly trust that their businesses and customer data will stay secure

PwC’s Global State of Information Security Survey finds staff, service providers, suppliers or business partners, are rated among the biggest cyber risks for Kiwi companies.

Nearly a third (26.9 per cent) of respondents in this country say staff were responsible for cyber attacks in their respective organisations.

“The ‘unknown hacker’ was picked as the largest category responsible for cyber attacks and that’s because attribution is difficult, and most companies end up not knowing know where or who the attackers are," says Adrian van Hest, PwC partner and cyber practice Leader.

Adrian van Hest of PwC New Zealand: 'Cybersecurity is no longer just an issue for IT departments - it’s an issue that cuts across the entire digital society.'
Adrian van Hest of PwC New Zealand: 'Cybersecurity is no longer just an issue for IT departments - it’s an issue that cuts across the entire digital society.'

"However, it became clear people known to the company were also among the biggest threats.” 

“We’ve seen the amount being invested in cybersecurity is increasing, but the number and cost of incidents are also increasing. 

Source: PwC New Zealand
Source: PwC New Zealand

"So while there’s continued spending, it doesn't mean that the investments are effective or they are being spent on the right things," says van Hest, reporting on the New Zealand results of the global survey, conducted by PwC and CIO.  

Source: PwC New Zealand
Source: PwC New Zealand

Nearly 10,000 cybersecurity and IT leaders - with 62 from New Zealand - participated in the survey in May 2017.

"We are investing in the technology layer, it probably has reduced the risk in that space," says van Hest.

"Now, the attack is to the people layer, or to the trusted third party layer, and you just have apply a different set of controls.

"And that is where people should be investing in, in trusted identity, in security awareness."

While there are "malicious insiders" involved, he says more often than not the insiders themselves are victims.

"They are not the targets, they are just the way to get in.

"That is the nature of the attacks," says van Hest. "It is just recognising that people are the weakest link. It may not be where we traditionally invest in, which is the technology layer. Your weakest link will be the trust you place in your third party providers and staff.

"There is a lot of direct trust, if suppliers are good then they are trusted as being good."

He says as more organisations move to the cloud, he believeS  their current identity management system will not work in the new environment.

You end up with a proliferation of digital identities, he says. This could mean lots of password sharing or using the same email address.

In the past three years, there have been compromises around major companies like Dropbox, Yahoo and LinkedIn.

There are risks if the user credentials in those accounts, are the same with the accounting software or personal email.

"People spent millions of dollars and we are more at risk and that is the point as well," says van Hest. "Spending money does not equal success, spending money on the right things equals success."

"The investment should be in security awareness and training, because that is the most effective ways to empower that group of people."

Invest in your people "because they can be your biggest weakness and they can be your biggest strength," says van Hest.

"If your entire staff are vigilant about security, you are in a much better position," to fight cyber crime.

Van Hest says one approach is through 'red teaming'. This means allowing somebody to behave like an attacker and try social engineering to get access to systems through the employees, or through third parties like suppliers and contractors. This will train staff to be on the alert for similar attempts.

The report notes new business models present different cyber risks.

The continuing uptake of cloud computing and reliance on mobile devices brings new risks – not because the technologies are not safe, but because they require companies to take a different approach to the way they manage cybersecurity.

“We’ve also found that investment in identity management is growing faster overseas, as they are experiencing more cyber incidents through increased cloud usage.

"Kiwi companies are slightly behind the trend as most of our cyber incidents still seem to occur because of outdated software. 

"However, as more businesses move to the cloud, it’s only a matter of time before we face the same risks,” says van Hest.

The report, meanwhile, tracks the growing popularity of cyber insurance and the rise of the chief information security officer and chief security officer.

The survey finds it is more common for a company’s CISO or chief security officer to report directly to the CEO (40 per cent globally, 38 per cent in New Zealand) or the board of directors, (27 per cent globally, 25 per cent in New Zealand) than to the chief information officer (24 per cent globally, and 25 per cent in New Zealand).

Over half of the NZ respondents now have a cyber security policy (58 per cent), slightly behind Australia (at 63 per cent) and at par with global figures (57.9 per cent)

But PwC says it is seeing insurers taking the front foot and proactively manage their cyber risk.

"It won’t be long before New Zealand’s cyber insurers are demanding companies have their cybersecurity processes independently verified, to confirm they’re maintaining best  practices." 

Source: PwC New Zealand
Source: PwC New Zealand

The report highlights the need for leaders to assume greater responsibility for building cyber resilience.

For instance, less than half (44 per cent globally, 32 per cent in New Zealand) of respondents say their corporate boards actively participate in their companies' overall security strategy.

Cybersecurity is no longer just an issue for IT departments - it’s an issue that cuts across the entire digital society, says PwC.

Outlook for the year ahead

Which safeguards does your organisation not have in place, but is a top priority over the next 12 months?

The Global State of Information Security Survey, now on its 19th year, is conducted by PwC and CIO.
The Global State of Information Security Survey, now on its 19th year, is conducted by PwC and CIO.


“We can’t rely on yesterday’s cybersecurity practices to keep organisations secure. The need for more robust processes and policies has never been greater,” the report concludes.

“Ultimately, we have to transform cybersecurity by being laser focused on the risks involved.

"Companies that stay competitive in our digital landscape can’t blindly trust that their businesses and customer data will stay secure," the report states.

"Building and maintaining trust is going to be the greatest differentiator for New Zealand businesses in our digital society, and now is the time to start taking that seriously."

Follow Divina Paredes on Twitter: @divinap

Follow CIO New Zealand on Twitter:@cio_nz

Sign up for CIO newsletters for regular updates on CIO news, views and events.

Join us on Facebook.