The good news: New Zealand businesses are putting more money and effort into digital transformation projects. The bad news: They are increasing the potential for cyber-attacks.
Adrian van Hest, partner and cyber practice leader at PwC, says New Zealand companies and organisations are putting much more effort into digital innovation and future-proofing businesses.
But the vital element often forgotten or pushed into the background is a key item that can severely damage a company or even bring it crashing down – cyber-security: "There's more spending going on but the number and cost of cyber-incidents is also increasing, so companies have to be sure they are spending their significant budgets on the right things," he says.
The latest example of cybercrime has affected Christchurch-based Cryptopia, the cryptocurrency exchange that has lost somewhere between $16 million and $23 million to hackers, according to various reports; police have been investigating.
But in spite of examples like this and many other real-life 'scare' stories, van Hest says too few New Zealand companies are taking adequate prevention measures.
Take the example of the Internet of Things (IoT), the global network linking all manner of devices and data creating a vast mass of information potentially invaluable to many (or even all) businesses.
PwC's 2019 Digital Trust Insights report says that 81 per cent of New Zealand businesses say the IoT is critical to their future success. However, only 29 per cent are building in digital controls to ensure this rich source of data is protected from hackers. Worse, only 16 per cent are planning on investing in security.
"You can imagine the scenario where an entrepreneur or an innovative company is focusing on realising the opportunity – and let's face it, collecting and mining this data is a huge, complex task," says van Hest. "They are thinking only, 'will it work?' or 'will I find customers?'
"But at the end of it all, all that hard work and innovative thinking can be totally undone by a cyber breach. You can see how a company can lose that trust if customers say, 'I trusted you and you installed this electronic gear in my home and there was a breach – and now I don't trust you.'"
Just google a phrase like "the survival rate of small companies surviving a cyber attack", he says, and there are many examples. The usual global rule of thumb is that 60 per cent of small to medium enterprises close down about six months after a cyber-attack. Trust has gone.
The trend to cloud-based businesses and the ever-increasing functionality of mobile phones enhances the risk – "with any opportunity comes risk" – and it is human nature to plough ahead and develop an idea without adequately covering factors that might stand in your way.
"I understand the problem – cyber-security is a whole new domain; you kind of have to invent the cart before you hitch it to the horse. Maybe a better way of saying it is that it is like asking a CFO to assess the finances of a company before accounting has been invented…
"But it is vital and there are ways to achieve that protection."
However, the PwC Digital Trust Insights report showed that only 25 per cent were including proactive risk management "fully from the start" in digital transformation projects while only 16 per cent of New Zealand business leaders were comfortable that the projects pitched to the board of their company covered all the necessary ground.
Building in cyber-security from the start was the cheapest and most effective way, he says, yet three-quarters were only introducing security during or at the end of the process – a practice that often obstructed or damaged the user experience of the project they had spent millions of dollars developing.
Pitching such projects to the board of the company concerned often involved highly technical challenges and language and PwC could help untangle and de-mystify such projects so boards could answer three essential questions: do we understand the risk; is it managed appropriately and how can we prove it?
New Zealand also lags behind other countries in data security, privacy measures and testing resistance to cyber-attacks. Only 20 per cent have a comprehensive programme to address that, compared to 40 per cent in the US. Only 18 per cent have tested resistance, compared to 34 per cent in the US.
Van Hest says businesses should be asking themselves:
● Does your business include cyber and privacy management in its digital transformation "fully from the start"?
● Are you comfortable your company provides the board with adequate reporting on metrics for cyber and privacy risk management?
● Is the Internet of Things (IoT) critical to at least some of your business, do you have confidence in your digital controls and are you investing in keeping it secure?
"With the continuing rise of cybercrime, we identify vulnerabilities so companies can protect themselves more effectively and emerge stronger."