With the data breach notification laws expected to become reality in New Zealand, the security practices and policies of Kiwi organisations are coming under the spotlight.
As the legislation looms large, the cyber health of a nation is coming under question.
Irrespective of legalities, however, businesses today remain unprepared to handle the requirements of security, creating a need for external guidance and advice.
But is the channel ready to capitalise?
As reported by Reseller News, New Zealand’s new data breach notification laws carry sharp penalties for organisations that are found not to be properly compliant with them - individuals can expect fines of up to $100,000, and body corporates can expect penalties of as much as $1 million.
These laws follow similarly strict laws adopted in overseas markets, such as the recently-enacted GDPR requirements in the European Union.
However, just as over half the companies throughout Europe are not properly compliant despite the risks, even past the deadline, so too are New Zealand organisations of all sizes scrambling to catch up with the local laws.
Consequently, vendors and channel partners alike now find customers in urgent need of both guidance and technology solutions to mitigate this potentially business-ending level of risk.
“This legislation means that a small business in New Zealand can effectively go bust just because they’re breached,” said Lewis Holden, general manager of Cogent. “You’ve got to remember that 95 per cent of the local market is made up of small businesses.
“It’s an incredibly competitive space, with plenty of others that will fill the gap when one of them goes down. They can’t afford those kinds of fines.”
Learning the law
Threatening though the laws may be, they’re also reasonable, according to SecureCom director Greg Mikkelsen.
For Mikkelsen, when assessing the high-profile breaches occurring in the market during recent years - think the Equifax, Facebook and Cambridge Analytica controversies - it’s easy to see why New Zealand must also develop a strong framework for handling data security and privacy.
This in turn offers an opportunity for the local business community to realign itself behind data security.
“I think that if these laws came at an earlier point in time people would have seen it as a solution looking for a problem,” Mikkelsen said.
“People are realising what’s at stake far more than before, and that it’s an issue that has to be dealt with. The legislation will just sharpen individuals and organisations up to realise that they do have some personal responsibility in this area.”
Locally speaking, Mikkelsen said the challenge that businesses face centres around a “lack of genuine understanding” at the executive layer about what is involved in becoming – and remaining – compliant.
“Very few senior executives in New Zealand come from an IT background,” Mikkelsen said. “So, when you’re trying to explain risk from an IT perspective, and what’s involved in addressing that risk, it’s challenging to properly articulate it to such leaders.
“On occasions, you can be trying to teach them things that they have no basic comprehension of. As a technology provider, you can’t go back and teach them 20 years of IT knowledge around switches, routers, firewalls, data security, and so on.”
Instead, partners must highlight examples such as Equifax, and the extent of damage that a data breach can have, both to the company and the executive team themselves.
“Equifax had 47 million records breached, and didn’t tell anyone for months afterwards,” Mikkelsen added. “Now the company is facing massive costs, the CEO is gone, half of the board of directors is gone, the CIO and CTO are gone also.”
As a result, it’s important to drive home the executive’s role in managing the technology risk profile of their company because, according to Mikkelsen, that awareness is just not there yet.
“I’m still not seeing any connection between a director’s sense of responsibility, their knowledge and understanding around IT, risk and security, and their interest in engaging with companies like us who are providing services in an IT world,” Mikkelsen added.
Such a disconnect is widely expected to change, however, as business leaders begin to realise that they don’t need to have a breach of the scale of Equifax for the organisation to be exposed.
In time, businesses will naturally look to their suppliers to develop and execute solutions to manage the risk profile.