New Zealand's primary industries have the poorest understanding of cybersecurity threats and are the least prepared to manage them, according to the Cyber Security NZ SME Landscape 2014 survey.
The survey, conducted early this year, covered 500 businesses across New Zealand. The majority of participants surveyed were in the service industry (56 per cent), followed by primary (15 per cent), retail (15 per cent) and secondary industries which include manufacturing and transport and storage (14 per cent).
Primary industries support the bulk of the New Zealand economy, says Dr Ryan Ko, senior lecturer at the University of Waikato. These industries include agriculture, forestry, fisheries, electricity, gas, mining and construction.
"If these and other export companies will face security glitches that might take the business down, it is not them who will just be affected, the whole of New Zealand is affected," says Ko on the key findings of the survey.
"We are on the same canoe, if one canoe has a hole, it will sink," Ko tells CIO New Zealand at the cybersecurity briefing organised by Vodafone, which had commissioned the survey undertaken by the University of Waikato's Cyber Security Lab headed by Ko, and Colmar Brunton.
Ko says the "good news" from the survey was that organisations holding "sensitive data" such as banking, finance, insurance, and professional services companies that handle scientific data, have the highest awareness of cybersecurity threats.
The survey found more than half (56 per cent) of New Zealand businesses experience IT security attacks at least once a year, and that 70 per cent have been affected by computer scams, online fraud or viruses and malware.
Moreover, nearly half of all companies survived (45 per cent) felt their business did not have adequate tools and policies in place to prevent or mitigate cyber threats.
"The statistics are pretty alarming across the board but for the primary industries, it is particularly concerning when you consider the huge importance of the sector to the New Zealand economy," says Colin James, head of security at Vodafone New Zealand.
Globally, James says Vodafone sees around 65 billion cyber-attack indicators against its own infrastructure per month, but it is also seeing a marked rise in the number of attacks within New Zealand.
"You get a lot of noise when it comes to security, how do you find that one little gem amongst all that noise that means something bad has happened and potentially you have been compromised?
"Geographical isolation isn't a safety net against threats. Gone are the days when all you needed was a firewall or virus scan to secure your company's private data. Threats are becoming more sinister and advanced in their capability; the players are the same, but the tools they have access to have evolved astronomically."
James says there are also software update services for malware, so the malware updates itself. "They are taking a leaf from our own IT systems."
The rise of mobility also means businesses now grapple with security information outside the business environment, says James.
Read more:The evolving CIO agenda
Mobile devices are outgrowing laptops, and there is more likelihood a tablet or mobile will be left behind in a bar or taxi compared to a laptop. The survey found 83 per cent of lost smartphones in 2014 resulted in compromised business data.
Small businesses or those with under 250 staff account for 30 per cent of targeted attacks. To avoid detection, most of the attacks and hacking occur during weekends.
Despite these statistics, six out of 10 companies have no plans to increase their investment in IT security, notes James.
"Business leaders and IT managers need to re-evaluate where information is sitting these days; who has access to it and what security policies they have in place to protect against and prevent attack," says James.
"The future for true cybersecurity lies with the vigilance of IT decision-makers -- to ensure their systems are capable -- and network providers to build more intelligent infrastructure capable of acting on threats to protect not only an individual user, but the overall integrity of the network," says James.
Vodafone, he says, has deployed its own system called Vodafone Secure Device Manager (VSDM), which enables a company to remotely manage and secure any device on its network -- whether company owned or part of a BYOD program.
"We need to ensure information is protected, regardless of where it resides. Intelligent networks operate by understanding what devices are connected to it, who is using those devices, who and what they're communicating with and what they're talking about.
"Without this intricate knowledge, businesses run the risk of creating chinks in their armour and opening themselves up for attack," says James.
Ko, meanwhile, says the Cyber Security Lab at the University of Waikato is working on user centric tools. "The goal is to create tools which will allow everyone to have capability to get back to business or address a security problem as easy as it is to send an SMS."
Send news tips and comments to [email protected] Divina Paredes on Twitter: @divinapFollow CIO New Zealand on Twitter:@cio_nzSign up for CIO newsletters for regular updates on CIO news, views and events.Join us on Facebook.