No captionNew Zealand organisations have far less confidence in their own information security activities (as well as their suppliers) than they did last year, according to PwC\u2019s New Zealand insights of the annual Global State of Information Security Survey. Adrian van Hest, PwC NZ Cyber Practice Leader, says that while confidence has dropped, it is likely a more accurate picture of real versus perceived risk. Last year, 83 per cent of New Zealand respondents were confident or somewhat confident that their organisations\u2019 information security activities were effective, compared to 65 per cent this year. The drop in confidence is even wider in the security activities of New Zealand organisations\u2019 partners and suppliers \u2013 last year 82 per cent of New Zealand respondents were very or somewhat confident, compared to 57 per cent this year.CIO, CSO and PwCinterviewed more than 10,000 respondents across the globe, including 102 business and technology executives from New Zealand, for the 2016 report. The survey was conducted online from May 7, 2015, to June 12, 2015. Readers of CIO magazine and CSO and clients of PwC from around the globe were invited via email to take the survey. No captionThe organisations that will flourish in tomorrow\u2019s interconnected world are those which recognise that good cybersecurity is good businessAdrian van Hest, PwC The study finds as more organisations adopt risk frameworks, they gain a better understanding of their risks and what they need to do to manage them. In recent years, the survey data in New Zealand has shown that high confidence doesn\u2019t necessarily match the actual measures taken to secure information. \u201cThe reason for this, at least anecdotally, is that some organisations say that no one has told them something is wrong so they choose to believe there is no issue. Another reason is many New Zealand organisations trust their suppliers and believe that they will simply do the right thing when needed \u2013 despite the absence of or even the specific exclusion of security obligations from contractual agreements,\u201d says van Hest. \u201cWhen called upon to conduct breach assessments in New Zealand, we have identified a significant issue about 90 per cent of the time. What is alarming is that our data indicates that two-thirds of breach notifications now come from outside of the organisation. The reality is until you have invested time in understanding your current state \u2013 and that this critical information is driving your security activity \u2013 you can never truly know. \u201cTo have an effective strategy,organisations must understand which assets are most important to them, and then focus resources on dynamically protecting them by being in a position to detect, respond and recover when there is an incident. The organisations that want to maintain trust and stay competitive are those using a targeted information security approach. \u201cThere is no magic bullet for effective cyber security. It\u2019s a journey towards a culture of security, not a solution in and of itself. It is a path that starts with the right mix of technologies, processes and people skills. \u201cThe organisations that will flourish in tomorrow\u2019s interconnected world are those which recognise that good cybersecurity is good business; and by managing their risks, they can use digital technologies and their information assets to realise opportunity with confidence,\u201d concludes van Hest.No captionWhat to do if you have been breached Ideally, any organisation (big or small) should have a cyber response plan and be ready to initiate it, says PwC in the report Exploring the Big Cyber Questions: A New Zealand Context. However, it finds many organisations in New Zealand don\u2019t have one or they view a security breach as any other technology incident. Our experience and the survey tells us cyber incidents are markedly different in their causes, impacts and treatments, says Pwc. \u201cWe know and have seen that in today\u2019s digital landscape, the speed of detection of a cyber incident and the way an organisation responds and recovers can be the difference between staying between staying in business or becoming another statistic.\u201d The report, which zeroes on the New Zealand results of the Global Information Security Survey 2016, lists the three critical success factors of navigating a cyber incident: Experience: In the middle of an incident, there is nothing like the calming influence of someone who has done this before. If you don\u2019t have it, know where to go for it. Decision-making: Having the ability to get relevant information to people who can make risk-based calls quickly. Communication: Recognising the widest possible stakeholder group and owning the messaging around the incident is critical \u2013 and it\u2019s one of the biggest mistakes organisations can make if they don\u2019t get this right.Send news tips and comments to email@example.com Follow Divina Paredes on Twitter: @divinap Follow CIO New Zealand on Twitter:@cio_nz Sign up for CIO newsletters for regular updates on CIO news, views and events. Join us on Facebook.