Lax security at New Zealand businesses

New Zealand businesses tend to be lax in implementing information security strategies. What is the next move for HR in the high-stakes game of information security threats?

Almost 90% of consumers globally use a personal mobile device for both work and pleasure, while only 45% of businesses have a security strategy for personal devices in the workplace. In New Zealand – where BYOD is more popular than in other regions – that figure is even worse.

“It is surprising and disappointing only 30 percent of New Zealand businesses have a security strategy in place, and in fact, 25 percent of respondents are planning to reduce their security budgets,” said Colin Slater, of PwC New Zealand.

This is the result of a recent study conducted by PwC the aim of which is to highlight key security issues facing business. Online polling of executives took place between February and April of this year, and there were 180 New Zealand respondents – twice as many as last year. 

One of the principal areas in which New Zealand falls down is raising staff awareness. Less than one third of New Zealand respondents offer security awareness programmes to their employees, and even fewer than this have staff that are responsible for improving security awareness.

“There’s an underlying expectation staff know about the importance of security and take action to ensure they’re secure.  Yet, staff assume their employer has appropriate information security controls, so it’s not something they need to worry about,” Slater warned.

Educating staff on security awareness is one of the best ways to protect information, and it’s cost effective, according to Slater. “The cost of dealing with an avoidable incident is far greater than the cost of any awareness programme,” Slater added.

Employees remain the biggest threat to information security – although it has decreased from 67% to 48% –  so the risk to business seems clear.

“With technology adoption moving faster than security, businesses that want to be information security leaders should prepare to play a new game, one that requires advanced skills and strategy to win against emerging threats,” Slater concluded.

PwC’s suggestions:
 

  • Make IT security and risk inherent in your business strategy.
     
  • Don’t assume employees are aware of cyber threats: one of the best ways to protect information is to make sure your people understand what security procedure is in place and how they can help enforce it.
     
  • Try not to over-complicate information security…it’s important all levels of your organisation are presented the facts both with context and in plain English.
     
  • The cost of dealing with an avoidable incident is far greater than the cost of any awareness programme, yet security training is clearly not a priority for New Zealand businesses.