Only one in three New Zealand boards of directors are equipped to deal with cyber-threats - and most do not know how to get started, according to a leading cybersecurity company.
Kordia Group CEO Scott Bartlett says research they conducted recently showed 82 per cent of IT decision-makers in almost 200 businesses with 20 employees or more felt their company was doing "a pretty good job" when it came to cybersecurity.
"But when we asked the board the same question, that number more than halved."
Cybercrime, regarded as one of the world's biggest threats to businesses large and small, costs New Zealand companies an estimated $250m-$400m a year - estimated, because a vast number of cyber-attacks are not reported.
Bartlett says not only are millions of dollars at risk from cyber breaches but many boards are also missing an opportunity to steal a march on rivals.
"Cyber-attacks are regarded as a massive risk because of all the bad guys lining up to steal your customer data and your money. But there's an incentive here that is being missed.
"As the world becomes more digital, and socially connected, companies deemed to be taking cybersecurity seriously will have a competitive advantage in the minds of their customers and their business partners. There will be a value premium associated with that, I'm sure of it."
However, it is boards overlooking their cybersecurity obligations ("it strikes right at the heart of a director's fiduciary duties") which most concerns Bartlett. He compares that with the way many boards have picked up on the new health and safety legislation, requiring directors to be aware of (and take measures against) dangers in the workplace.
"New Zealand had a pretty poor health and safety corporate culture and a lot of boards paid lip service to it. We didn't really see any impact until new legislation made everyone snap to attention.
"Internationally, what we are seeing is billions of dollars wiped off companies in cyber-attacks like those that affected Target, Yahoo, Sony and many others," he says.
"We haven't seen much of that in New Zealand yet but a lot of businesses have been hit with millions of dollars' worth of damage - but it hasn't been publicly disclosed.
"I have to say I wouldn't want that public disclosure either but the fact it is not out in the open means we are not growing our awareness of what could happen in the minds of our boards and leaders."
It is not just New Zealand where boards are struggling to get their digital heads around cyber-threats. In February, the Harvard Business Review published the results of a survey of more than 5000 directors in over 60 countries.
The survey found boards lack both the processes and expertise needed to identify, evaluate and address cyber-threats. While directors recognised cybersecurity was a top issue, it still took a back seat to other risk and reputational issues - only 38 per cent reported a high level of concern about cybersecurity, and an even smaller percentage were prepared for those risks.
Only 24 per cent of directors surveyed said their boards had above average or excellent processes to deal with cyber-threats. IT and telecoms industries led the way, with 42 per cent reporting strong cybersecurity measures, but in the health care industry - often targeted by hackers - 79 per cent of directors said their organisations lacked robust cybersecurity processes.
"On an anecdotal basis, it is much the same in New Zealand," says Bartlett of boards and directors. "I often ask directors I meet what their cybersecurity is like and the response I get is usually: 'Ah, well, cybersecurity - that's right...cybersecurity is a thing, isn't it? We have to get some of that.'
"It would be humorous if it wasn't so serious. The question I most often get asked by directors is: 'How do we get started?'"
Bartlett says there are several tips for any board when addressing cybersecurity:
• Get it on the board agenda. Evaluate your risk, strategy and mitigation - understanding your risk is key.
• Ask lots of questions - talk to your CEO, your CIO and ask for regular reporting on cyber issues from your management team.
• Lead by example - get board papers prepared, ask questions about staff training and preparedness.
• Prioritise budgets - "sometimes when CIOs ask for more funds to address cybersecurity, those funds are given - but it feels like reluctant money; that needs to change".
• Investigate whether there is room on the board for a director with digital knowledge and experience who can help.