"High trust" society means cyber spending is going into the wrong places.
New Zealanders are too trusting - and it's causing us to waste much of our cyber spending confronting the wrong risks.
Adrian van Hest, partner and cyber practice leader at PwC, says our own people (not technology, software or hardware) are the biggest risk factor for businesses when it comes to the millions of dollars lost to cybercrime.
"We are a high-trust society; we are known for low levels of corruption and high levels of integrity when it comes to doing business.
"But as soon as you enter the digital domain we are connected to some of the most untrustworthy parts of the globe," he says.
"If you take the average Kiwi and fly them to Bogota or south central Los Angeles, you'd see a big change in their behaviour. But online, in the digital world, it often doesn't happen that way - many don't change behaviours; they don't seem to realise they can't trust what they see on the screen."
The business imperative for change is stark - cybercrime is estimated to cost New Zealand businesses $250 million a year, although the real figure is likely far in excess of that as not all attacks are reported. About 58,000 of the 500,000 companies in New Zealand (97 per cent of them small-to-medium enterprises) are known to have been compromised by cyber criminals in the past two years.
Although the costs involved for business are substantial, many aren't investing in areas where attacks are likely to occur.
While 63 per cent of respondents to PwC's new report, Who's managing your identity? had a security strategy in place, only 30 per cent had a strategy to manage security around cloud computing. That's compared to 46 per cent globally.
PwC's report also found New Zealand companies are failing at identity management. Just as individuals can experience 'identity theft', so can companies that fall victim to cyber criminals who gain access and work their way through a company using legitimate user credentials.
And how does most of this now occur? It's not so much through anonymous hackers winding their evil way through company systems - though they are still a significant danger. It's through compromising current employees, former staff members, service providers, suppliers and business partners.
People are the biggest problem, which is why the trusting Kiwi is so vulnerable.
van Hest says PwC's research shows New Zealand is way ahead of global incidences when it comes to unwittingly providing access to cyber criminals.
"It's a big problem because our attractiveness as a connected economy hinges on local businesses understanding the changing global cybersecurity risks - and taking steps to reduce their exposure so they can be trusted partners in the global marketplace.
"It used to be that attacks would come from someone attacking your website," he says. "Now they aim at you through a trusted employee or a trusted third party."
Everyone had heard of employees, for example, being conned into providing funds when they received an email from someone pretending to be their CEO: "New Zealand has lost hundreds of thousands of dollars to this simple trick - although it is professionally done and appears very real.
"It's the trusting Kiwi again - someone tells you to do something and it's a simple matter of trust for you to do it. But, these days, it's also about ensuring that the person doing the asking is authorised to do so and that it is actually he or she who is doing it, not someone pretending to be them.
"That's the new environment - a lot of companies have recognised earlier threats and have moved to counter them by putting up barriers, but people are now the point of attack," says van Hest.
"They used to come through the front door but now they come in through the back door or the cat flap."
As the nature of our digital society changes - with heavy use of cloud computing and mobile devices - so the nature of cybersecurity must change. van Hest says many New Zealand companies, having taken the first step to make themselves cyber-secure, think they have done all that needs doing.
"But it is not a matter of one-and-done," he says. "It is a matter of understanding the risk - and risk is dynamic and changes constantly."
New Zealand companies were still under-investing compared to global counterparts in identity management - the average global company is spending almost US$1.5m more on security each year than New Zealand companies.
A key method of defence is employee and partner education as well as clear obligations, he says: "They [attackers] are bypassing the technology approach and heading straight for the human element, so there is a lot to be said for the cost-effectiveness of education, policy and meaningful contracts."