A lack of regulation around disclosure of company breaches by hackers means most are going unreported leading to a sense of complacency, says professional services firm PwC.
Companies are not legally required to disclose whether they have been hacked or had information lost due to hackers, so breaches are often kept quiet. A 2011 law commission report into the privacy act recommended change, but this has yet to be implemented.
PwC hopes to shake up cybersecurity with the launch of Game of Threats - an online game that pits teams posing as a company and a hacker against one another so users can experience hacking and the tools hackers have at their disposal.
PwC partner Steven McCabe said New Zealand's relaxed thinking and hacking victim reticence has led to a sense of complacency and the impression that cybersecurity was not an issue in New Zealand.
"The privacy law here is 20 years old, so it's not equipped to deal with the digital age," McCabe said.
"Because of that very trusting New Zealand attitude that we have, we struggle to get that message across in a very real way and I think the game is very powerful at doing that."
McCabe said Game of Threats was developed by PwC in the US to shake up the dry and boring view of cybersecurity education.
The team in New Zealand have been demonstrating the game to organisations including the IRD, government departments and clients, and have had received positive feedback.
"Because of the adoption of cloud and consumerisation of IT, what we're saying now is it's going to happen.
"And when it does, make sure you know how to find it, respond to it and recover from it," McCabe said.
"This is why we're using the game to get our message across."
Game participants play multiple rounds where they must decide where best to invest - either in prevention or counteracting attacks from the other team.
At the same time, the experience of playing as the hacker, either as a nation state, criminal, hacktivist or insider, gives users the experience of what they might be up against and how best to counteract these threats.
The post-game analysis provides players with a detailed review of all actions and outcomes for both sides that can be applied to their organisation.
At this stage the game is only available to PwC clients.