Many small and medium New Zealand businesses are still "burying their heads in the sand" even after recent global ransomware attacks WannaCry and NotPetya.
The attacks disabled computers and ransoms were demanded to unlock them. A number of New Zealand companies were affected and all local businesses are, experts say, no safer from these attacks than those overseas.
Adrian van Hest, partner and cyber practice leader at PwC, says dealing with cybersecurity is "frightening" for New Zealand business owners, especially if technology is not their area of expertise.
He says a "heads in the sand" approach of ignoring and not confronting the issue leaves their businesses unprotected.
But van Hest says it is not good enough to rely on the "I will do nothing" approach and urges firms to look at security techniques to allow them to prevent, detect and recover from a cyberattack.
"Many think because they're far away here in New Zealand nothing will happen," he says. "But nearly 30 per cent of all New Zealand companies have been hit by cybercrime in the last two years and it is not a case of if Kiwi businesses will be affected, but when; ignoring the issue is never a good approach.
"The rise of digital business models means every New Zealand organisation is exposed to digital risk not just from unknown hackers but from customers, employees, suppliers and service providers."
His comments come as PwC's recently released 2017 Global State of Information Security Survey has found that fewer than half of New Zealand digital businesses use managed security services for cybersecurity, at a time when the risk of cyberattack facing Kiwi firms has heightened because "the megatrend of technological breakthroughs is here to stay".
Van Hest says that before companies can adopt appropriate security measures and invest in protective software, it is important for them to understand what areas of the business are important, where their data is and who has access to it, both within and outside the business.
"If a database is the life blood of your business then you need to ask what you are doing to protect it - and how to respond quickly in the event of an attack.
"Businesses have to take a personalised approach to their cyber security, one that is specific to their business needs, their existing digital systems and their relationships with their business partners," says van Hest.
"They should be looking at good back-up systems and off-line storage of data; and be asking if they have undertaken patching (use of software to update and fix a computer's security vulnerability) - all this comes back to understanding what areas of the business are most important so they know where best to focus.
"Technology is ubiquitous, it is everywhere, easy to get and if businesses are not conscious of the risk it brings, then they are left exposed," he says.
The survey shows 17 per cent have a security strategy in place for the Internet of Things (how devices collect and exchange data) while 20 per cent say they are implementing IoT security. In addition, only half (48 per cent) require the third parties they work with to comply with their privacy policies.
The survey says New Zealand firms are more likely to develop in-house security policies, with just eight per cent outsourcing to a third party.
"As a result," it says, "companies are running the risk of saddling themselves with systems and practices that can't protect them against new risks, that don't scale up as the business expands and aren't based on industry best-practice."
The survey also shows New Zealand businesses are as likely to be affected by the actions of their workers as they are by unknown hackers - 47 per cent of companies saying they believe security incidents are originating from each of these groups.
Almost 25 per cent of threats emanate from service providers and 21 per cent from suppliers and business partners.
More data than ever before is being generated across multiple devices and van Hest says it is becoming easier for people to access this information either legitimately or through a cyberattack.
"Customers are more willing than ever to hold an organisation to account for breaches of privacy," he says. "But despite this, local companies are struggling to put safeguards in place to protect the data they gather."
He says only 42 per cent currently safeguard personal data from customers and employees, 11 per cent lower than the global average.
Cybercrime is estimated to cost New Zealand businesses $250 million a year, although not all attacks are reported. About 58,000 of the 500,000 companies in New Zealand (97 per cent of them small-to-medium enterprises) are known to have been compromised by cyber criminals in the past two years.