More than half of New Zealand's companies are likely to have been affected by hackers or suffered breaches of information security, says a security specialist at Auckland computer systems installer Axon.
Kirsty Shores has taken up the job of enterprise security group manager at the company, after returning to New Zealand at the end of two years of leading a security programme at UK telecoms company Energis Communications.
Shores cites a survey by the UK Department of Trade and Industry last year that found 60% of UK companies had experienced breaches of information security over the previous two years. Almost half of those breaches were viewed as serious.
When those identified as having suffered a serious breach were asked to cite the cause, 13% quoted equipment failure, 11% reported deliberate malicious action and 6% said software error. Incompetent staff accounted for 6% and 5% identified contractors and others working on site.
Shores says New Zealand companies are continuing to focus on security technology, rather than the people and business processes that support and use the technology.
"You need both," she says. "Information security is not just an IT problem, it's a business problem. It may not be enough to have a firewall on your network and standard password authentication.
"You must identify your most important information assets, the business impact of not having those assets available and the threats towards those assets. Then you have to assess controls you can put in place to minimise those threats."
Shores says continual, incremental changes in technology, the use of more sophisticated technology and growing numbers of third-party connections inevitably increase the chances of incurring security breaches.
A key issue is not only how companies can best minimise disruption, but also how quickly and effectively they can restore normal operations when disruption occurs and resolve any gaps in current processes.
The UK DTI survey found that organisations that had suffered a breach they considered "serious" were ill-equipped to deal with the consequences. Nearly three quarters had no contingency plans in place.