What is key, however, is "actually putting in place putting long term remedies".
"Technology and how we use it is constantly evolving. We need to find the optimal point between being afraid to adopt new technologies that will increase our competitive positions, and seriously addressing security implications," says Slater.
Slater says security awareness training should not be seen as a "bit of a nice to have".
"Your people are your most effective deterrent and your most effective control," he says. "I actually think it's the most important thing that you can do."
He says enterprises can tailor the training to meet their business culture. When this is done, he says, "You have just multiplied your change agents and your security agents out in your workforce. And that is a really effective strategy."
"It's a concept that's really, really such a basic thing to do, but the ROI on it is so high," says Richard Tims, director, risk and control solutions at PwC NZ.
So how can CIOs get the executive management buy in for information security?
Getting executive support and endorsement is about context and consistency, says Slater. For CIOs he works with, "their biggest challenge is filtering their security privacy risks into a consistent view that's digestible by senior management and the execs.
"So how do you dashboard your risk and threat profile? The really successful ones are the ones that articulate risks really clearly and have a plan to manage them," says Slater.
The missing security piece
Slater and Tims point to the security implications for organisations deploying customer facing mobile applications.
They cite a "staggering" 55 per cent of respondents either did not know or did nothing in relation to the launch of customer facing mobile application. Only 15 per cent performed security testing or had secure development standards in place.
"If you are going to launch something mobile, have a conversation with somebody that understands the risks," says Slater. Following this, "You can put a plan in place to give you the comfort that you need and make sure it is safe and doesn't expose your business to undue risk.
"Often, when people get into that 'we've got to do it' mode, they get tunnel vision, they put the blinkers on and they just crack on and try and do it. Sometimes it works, but it's a big risk.
"You can rebrand it as much as you like but people won't go back," he says, citing the experience of online auction site Wheedle, which had to close down for six months following revelation of serious security flaws. "If something goes wrong with your mobile site, however simple the functionality might be, people are going to not want to go back there again."
Sign up for CIO Asia eNewsletters.