Where is your most valuable data?

Insights from PwC’s Global State of Information Security Survey

Digital business models have fundamentally shifted the way organisations should think about cyber security.

With greater mobility and access to the cloud, gone are the days of ring fencing an organisation’s entire digital presence – now it’s about understanding what your most valuable data and technology functions are, as well as who has access to them. Only then can you focus your efforts on protecting your organisation and on effectively responding when those protections fail. Recognising this as a serious business risk has to be a priority for business leaders; it can’t just be an issue to hand over to the technology team.

This isn’t easy and it’s something that many businesses are struggling to do. In this year’s Global State of Information Security Survey, we asked New Zealand organisations whether they were aligning their security spend with revenue – in other words, whether their security spending was matching the areas that are the most valuable to their business. Only 20.5 per cent reported they are, compared to 73 per cent in Australia.

While this is a worrying number on its own, it’s part of a bigger trend. Our survey found that New Zealand organisations across the board were less likely to have developed an integrated, well-funded and holistic cyber security strategy compared to their overseas counterparts. The good news is that local companies are focusing more on this area, with 56 per cent looking to invest more in collaboration efforts across IT, digital and the rest of their organisation.

This is a great trend to see emerging, but to be effective, it has to be accompanied by strategic thinking. That starts with an understanding of what your most valuable data and related functions are.

Protecting what matters

For most organisations, the really critical systems and information aren’t just operational, they also play a key role in clients’ trust and the company’s wider reputation. This is why understanding your risk as a combination of impact and likelihood is a critical first step. That means knowing what is important as well as the wider context of who has access to it (for example, is it only accessible to staff or is it shared with suppliers and business partners?) and what the consequences of a cyber attack would be.

Once you know what your critical information and systems are and the risks you should be concerned about, you can take meaningful action on how they can be dynamically protected.

The access question is especially relevant. In our survey this year, the percentage of respondents stating that they have experienced an attack from a supplier or business partner more than doubled, from 10 per cent to 21 per cent. Threat actors are increasingly seeing business partners and service providers as a way to bypass an organisation’s cyber security infrastructure. While that’s still only half the rate we saw from other areas like current employees (47 per cent), the dramatic growth certainly showcases how supply chain risks are exposing businesses to greater risks.

Part of this has been driven by the uptake of cloud-based services, with the vast majority of our New Zealand respondents now hosting some part of their organisation’s IT infrastructure in the cloud. This technology is not inherently risky in itself; however, it means that an organisation is now reliant on the cyber security strategies of its supply partners. When it comes to cyber security, the supply chain is only as strong as the weakest link.

Are you investing in the right areas?

While our survey findings confirm that New Zealand spends proportionally less on cyber security when compared to the rest of the world, more worrying is how poorly we are spending what little we have. Effectively we are focusing much of our spend on technology and things that are still just about protecting this now mythical perimeter. An example is the prevalence of very basic penetration testing, which doesn’t take into account the relevant value of the systems and data involved, isn’t holistic and continues to perpetuate the myth that cyber security is a technical issue, rather than a business risk.

So success starts with knowing the value of your data, not just to you, but recognising its value as a tradable commodity. This means getting a more contextual understanding of your digital risk as a foundation of your cyber security strategy. Business leaders must ensure that this business risk is appropriately owned and supported across the organisation, so that it’s not just seen as a technology issue, but one that impacts the entire organisation. Your strategy needs to be holistic; not simply focused on technology, but taking into account that staff and suppliers are often the most significant threat. Finally, businesses need to recognise that in this dynamic and ever-changing environment – where your capability has to evolve and adapt accordingly – prevention alone will not be enough. You also need a tested ability to detect issues early, respond effectively and recover quickly.
