Companies that stay competitive in our digital landscape can't blindly trust that their businesses and customer data will stay secure

PwC's Global State of Information Security Survey finds staff, service providers, suppliers or business partners are rated among the biggest cyber risks for Kiwi companies.

Nearly a third (26.9 per cent) of respondents in this country say staff were responsible for cyber attacks in their respective organisations.

"The 'unknown hacker' was picked as the largest category responsible for cyber attacks and that's because attribution is difficult, and most companies end up not knowing where or who the attackers are," says Adrian van Hest, PwC partner and cyber practice leader.

Adrian van Hest of PwC New Zealand: 'Cybersecurity is no longer just an issue for IT departments - it's an issue that cuts across the entire digital society.'

"However, it became clear people known to the company were also among the biggest threats."

"We've seen the amount being invested in cybersecurity is increasing, but the number and cost of incidents are also increasing.

Source: PwC New Zealand

"So while there's continued spending, it doesn't mean that the investments are effective or they are being spent on the right things," says van Hest, reporting on the New Zealand results of the global survey, conducted by PwC and CIO.

Nearly 10,000 cybersecurity and IT leaders - with 62 from New Zealand - participated in the survey in May 2017.

"We are investing in the technology layer, it probably has reduced the risk in that space," says van Hest.

"Now, the attack is to the people layer, or to the trusted third party layer, and you just have to apply a different set of controls.

"And that is where people should be investing in, in trusted identity, in security awareness."

While there are "malicious insiders" involved, he says more often than not the insiders themselves are victims.

"They are not the targets, they are just the way to get in.

"That is the nature of the attacks," says van Hest. "It is just recognising that people are the weakest link. It may not be where we traditionally invest in, which is the technology layer. Your weakest link will be the trust you place in your third party providers and staff.

"There is a lot of direct trust, if suppliers are good then they are trusted as being good."

He says as more organisations move to the cloud, he believes their current identity management system will not work in the new environment.

You end up with a proliferation of digital identities, he says. This could mean lots of password sharing or using the same email address.

In the past three years, there have been compromises around major companies like Dropbox, Yahoo and LinkedIn.

There are risks if the user credentials for those accounts are the same as those used for the accounting software or personal email.

"People spent millions of dollars and we are more at risk and that is the point as well," says van Hest. "Spending money does not equal success, spending money on the right things equals success."

"The investment should be in security awareness and training, because that is the most effective way to empower that group of people."

Invest in your people "because they can be your biggest weakness and they can be your biggest strength," says van Hest.

"If your entire staff are vigilant about security, you are in a much better position," to fight cyber crime.

Van Hest says one approach is through 'red teaming'. This means allowing somebody to behave like an attacker and try social engineering to get access to systems through the employees, or through third parties like suppliers and contractors. This will train staff to be on the alert for similar attempts.

The report notes new business models present different cyber risks.

The continuing uptake of cloud computing and reliance on mobile devices brings new risks – not because the technologies are not safe, but because they require companies to take a different approach to the way they manage cybersecurity.

"We've also found that investment in identity management is growing faster overseas, as they are experiencing more cyber incidents through increased cloud usage.

"Kiwi companies are slightly behind the trend as most of our cyber incidents still seem to occur because of outdated software.

"However, as more businesses move to the cloud, it's only a matter of time before we face the same risks," says van Hest.

The report, meanwhile, tracks the growing popularity of cyber insurance and the rise of the chief information security officer and chief security officer.

The survey finds it is more common for a company's CISO or chief security officer to report directly to the CEO (40 per cent globally, 38 per cent in New Zealand) or the board of directors (27 per cent globally, 25 per cent in New Zealand) than to the chief information officer (24 per cent globally, and 25 per cent in New Zealand).

Over half of the NZ respondents now have a cyber security policy (58 per cent), slightly behind Australia (at 63 per cent) and at par with global figures (57.9 per cent).

But PwC says it is seeing insurers taking the front foot and proactively managing their cyber risk.

"It won't be long before New Zealand's cyber insurers are demanding companies have their cybersecurity processes independently verified, to confirm they're maintaining best practices."

The report highlights the need for leaders to assume greater responsibility for building cyber resilience.

For instance, less than half (44 per cent globally, 32 per cent in New Zealand) of respondents say their corporate boards actively participate in their companies' overall security strategy.

Cybersecurity is no longer just an issue for IT departments - it's an issue that cuts across the entire digital society, says PwC.

Outlook for the year ahead

Which safeguards does your organisation not have in place, but is a top priority over the next 12 months?

The Global State of Information Security Survey, now in its 19th year, is conducted by PwC and CIO.

"We can't rely on yesterday's cybersecurity practices to keep organisations secure. The need for more robust processes and policies has never been greater," the report concludes.

"Ultimately, we have to transform cybersecurity by being laser focused on the risks involved.

"Companies that stay competitive in our digital landscape can't blindly trust that their businesses and customer data will stay secure," the report states.

"Building and maintaining trust is going to be the greatest differentiator for New Zealand businesses in our digital society, and now is the time to start taking that seriously."

Follow Divina Paredes on Twitter: @divinap