New tech company offers virtual cyber defenders

Cyber Toa chief executive Mandy Simpson with staff. Photo / Supplied

A new Wellington cyber security firm is offering New Zealand businesses a virtual chief information security officer, fulfilling one of the most expensive roles in a company.

Cyber Toa chief executive Mandy Simpson said the role of chief information security officer (CISO) is crucial to Kiwi companies but is a prohibitively expensive role to fill.

"I worked as a chartered accountant and I can tell you CISOs are paid more than chief financial officers," she said.

"This is expertise that is almost impossible for medium-size businesses to employ directly, and there's not that many of them in New Zealand."

Cyber Toa, which started in Wellington in October last year, offers a subscription-based model where companies can pay to have a virtual chief security information officer for a certain amount of days per month.

Companies who have, for instance, a virtual CISO for three days a month would be able to call them in an emergency such as a ransomware attack.

"It's a huge reputational and financial hit when businesses are subject to attacks," Simpson said.

Simpson, who has around 40 to 50 clients including government agencies, said medium-size businesses often don't know where to begin with cyber security.

Companies which hold sensitive information such as financial or healthcare data are particularly at risk of crypto-locking or phishing attacks. Lawyers and manufacturers are also vulnerable to corporate espionage and Simpson said months can go by before they even realise they've been hit.

An invisible problem

New Zealand currently does not have mandatory breach disclosure for cyber attacks, which Simpson described as a "serious problem".

"We need mandatory breach disclosure," she stressed. "New Zealand is falling behind in this."

Unlike Britain, the US and Australia, Kiwi businesses do not need to disclose that they've been the victim of cyber attacks. For affected companies, this means they can protect themselves from reputational damage but effectively put other businesses at risk.

"If there's a co-ordinated campaign of attacks, businesses simply don't know," she said.