Date: 2017-06-12

A new Wellington cyber security firm is offering New Zealand businesses a virtual chief information security officer, fulfilling one of the most expensive roles in a company.

Cyber Toa chief executive Mandy Simpson said the role of chief information security officer (CISO) is crucial to Kiwi companies but is a prohibitively expensive role to fill.

"I worked as a chartered accountant and I can tell you CISOs are paid more than chief financial officers," she said.

"This is expertise that is almost impossible for medium size businesses to employ directly, and there's not that many of them in New Zealand."

Cyber Toa, which started in Wellington in October last year, offers a subscription-based model where companies can pay to have a virtual chief information security officer for a certain number of days per month.

Companies that have, for instance, a virtual CISO for 3 days a month would be able to call them in an emergency such as a ransomware attack.

"It's a huge reputational and financial hit when businesses are subject to attacks," Simpson said.

Simpson, who has around 40 to 50 clients including government agencies, said medium-size businesses often don't know where to begin with cyber security.

Companies which hold sensitive information such as financial or healthcare data are particularly at risk of crypto-locking or phishing attacks. Lawyers and manufacturers are also vulnerable to corporate espionage and Simpson said months can go by before they even realise they've been hit.

An invisible problem

New Zealand currently does not have mandatory breach disclosure for cyber attacks, which Simpson described as a "serious problem".

"We need mandatory breach disclosure," she stressed. "New Zealand is falling behind in this."

Unlike in Britain, the US and Australia, Kiwi businesses do not need to disclose that they've been the victim of cyber attacks. For affected companies, this means they can protect themselves from reputational damage but effectively put other businesses at risk.

"If there's a coordinated campaign of attacks, businesses simply don't know," she said.