The largely unregulated state of cybersecurity in New Zealand, and the consequential ambivalence of most local businesses, risk hurting the country's global trading prospects, according to cybersecurity specialist Daniel Watson.
Author of the book 'She'll Be Right (Not!)', a cybersecurity guide for Kiwi business owners, Watson says that apart from the Privacy Act, there is very little in the way of IT security regulation in New Zealand. However, overseas markets like the United States and Europe have implemented strict legislation to protect the public and businesses from international cybercriminals.
"Anybody can call themselves a cybersecurity expert in New Zealand, and many do, but selling anti-virus software isn't even the tip of the iceberg when it comes to protecting your data, assets and intellectual property," he says.
"Critical security controls, anti-malware, security awareness, good practice authentication protocols and processes to manage unintentional data breaches are a whole other level of control that most New Zealand SMEs, in particular, just do not have."
Watson, who at a local level helps companies comply with the European Union's GDPR legislation and NIST in the United States, says international companies are increasingly demanding that local companies show compliance with relevant international standards.
"Not only do they expect you to be compliant with standards like the GDPR, but they also expect you to be able to prove it, and I fear that many New Zealand companies, because there is no local pressure, will be caught with their pants down," he says.
"It isn't hard. Globally there are standards like ISO27001 which will help ensure that New Zealand companies will comply with most if not all overseas cybersecurity regulations and a growing set of cybersecurity insurance compliance demands. ISO is holistic and neutral."
When faced with demands for greater compliance from their insurer, Watson says one local company abandoned cybersecurity insurance altogether.
"Which is just nuts when you consider that cyber attacks increased 31% in 2020-2021 alone and are expected to cost the world more than $10.5 trillion by 2025," he says.
Watson urged local New Zealand businesses to take the following steps to protect their client data, their business and their markets:
IT security must become a top-down responsibility. The board, the chairman of the board, CEOs and owner-managers, should take personal responsibility for their cybersecurity rather than outsourcing or delegating responsibility.
2. Cybersecurity Insurance
Ensure your company has cybersecurity insurance to protect against attack and ensure some compliance.
3. Adopt ISO27001
The lack of proper cybersecurity legislation in New Zealand can be addressed by adopting ISO27001 because it is agnostic and recognised globally.
"We need the Government to begin taking proper oversight of this issue, and better communicate around the grave risk that cybercrime presents to the New Zealand public and local businesses," Watson says.