New Zealand organisations are trailing behind their global counterparts in managing their security and privacy risks, according to The Global State of Information Security Survey 2015 by PwC, in conjunction with CIO and CSO magazines.
"New Zealand organisations were above average in developing a cyber security strategy, however poorer when it comes to executing it, particularly the supporting elements such as standards, policies, classification of data and tools such as identity management, activity monitoring, risk management tools and encryption," says Adrian van Hest, PwC partner and cyber practice leader.
"So while senior executives in New Zealand organisations seem to be taking cyber security and privacy seriously by assigning ownership and responsibility for this within their organisations, we're behind other countries in a number of key areas.
Globally, 29 per cent of respondents reported having employee records compromised, the figure is 42 per cent for New Zealand.
Fifty four per cent of global respondents have implemented a mobile security strategy — in New Zealand, the figure is 28 per cent.
Local organisations are also lagging behind in using big data analytics to measure the risk and impact related to information security. For instance, 55 per cent of global respondents — compared to 40 per cent in New Zealand — reported increased use of data analytics for this purpose.
"These risks are exposing organisations to financial, regulatory, brand and productivity impacts and we're encouraging them to address these. Cyber risks will never be completely eliminated, so organisations must understand that the perpetual and ever changing nature of threat, demands a fairly dynamic and proactive approach," says van Hest.
The report points out cybersecurity is now a persistent business risk. "It is no longer an issue that concerns only information technology and security professionals; the impact has extended to the C-suite and boardroom." it states.
Effective security awareness requires top-down commitment and communication, a tactic that the survey finds is often lacking across organisations. The report, for instance, finds only 49 per cent of respondents say their organisation has a cross-organisational team that meets regularly to discuss, coordinate and communicate information security issues.
The report notes the C-suite and the board should be directly involved in information security. "It is incumbent upon the executive team to take ownership of cyber risk and ensure the board understands how the organisation will defend against and respond to cyber risks," it states.
Sign up for CIO Asia eNewsletters.