
Cyber Security NZ SME Landscape

COLMAR BRUNTON NEW ZEALAND Julie Benzie Group Account Director Dale McCarter Senior Client Executive

Ryan Ko, PhD Head, Cyber Security Lab University of Waikato New Zealand

AUTHORS

REPORT PREPARED FOR VODAFONE NZ LTD.

24TH JULY 2014


2

Table of Contents

Executive Summary ........................................................................................................................................... 3

Project Overview ............................................................................................................................................... 4

Research Methodology ...................................................................................................................................... 4

Sample Profile ................................................................................................................................................... 6

Survey Results .................................................................................................................................................. 9

Appendix: ......................................................................................................................................................... 26


3

Executive Summary

Half of the businesses surveyed say they have a defined information technology (IT) security policy. However, it is apparent that there is a vast range in what these policies cover. For example, the policy for company A may be aligned to the ISO/IEC 27001:2013 standard, while the policy for company B may simply require regular virus scanning, with no consideration of incident management or business continuity; both are flagged as companies with an IT security policy. This highlights that there is room for improvement in businesses’ awareness of IT security policy guidelines, and in education on modern cyber security threats and how to prevent them.

While companies with defined IT security policies are confident in their understanding of potential cyber threats, as many as two in ten do not have guidelines on what to do if their company were attacked by a hacker or serious malware.

When asked about the importance of security elements to their business, it becomes apparent that most companies are ready for more traditional threats, which are not necessarily the main culprits in the current cyber security landscape. Many feel that because they have virus protection or a firewall in place, their security is well covered. Social engineering is an alarmingly prevalent threat that companies are not prepared for in terms of inclusion in IT security policies; this area is included in only 38% of policies. The low importance attributed to security elements such as multi-factor authentication and infrastructure monitoring systems indicates a lack of awareness of new-generation threats against businesses.

While the majority of companies do make some investment in IT security, one in ten businesses are vulnerable because they spend nothing in this area. Smaller companies are most at risk, with 20% of those with 1 to 9 full time employees not investing in IT security at all.

It is concerning that six in ten companies say they will not be increasing IT security measures in the next 12 months, indicating that companies are satisfied with the current condition of their policies and may not be adopting a continuous improvement mindset on IT security. Smaller companies in particular do not seem to see the need to improve IT security, with 76% not planning to increase IT security products or processes in the next year. This is a worrying trend, as we know that small companies are potentially the most at risk, due to low current investment.

Nearly half of all companies surveyed (45%) feel their business does not have adequate tools and policies in place to prevent or mitigate cyber threats. Nine in ten of these companies have fewer than 100 staff. When asked how often their business IT security was threatened, over half (56%) of the companies surveyed claim to be attacked at least once a year.

Companies in Service industries have higher awareness and knowledge of cyber threats and are more active in mitigating them. This is not surprising given the importance of business continuity in Service sector industries such as Professional, Scientific and Technical Services, Health Care, Information Media and Telecommunications, and Finance and Insurance. Primary industries, such as Construction, Trades Services, Agriculture, Forestry and Fisheries, have the poorest understanding of cyber security threats and are the least prepared, which is of concern given the importance of this sector to the New Zealand economy.


4

Project Overview

Colmar Brunton and the University of Waikato were commissioned by Vodafone New Zealand to conduct quantitative primary research with IT decision makers across New Zealand. The key output of this report is an accurate snapshot of how aware and prepared New Zealand companies are for potential cyber security threats.

Research Methodology

In total, 500 businesses from the Colmar Brunton Business panel completed an online survey in May 2013. The online interview averaged 10.44 minutes in duration, and to maximise participation, participants were incentivised with FlyBuys points. The maximum margin of error for a sample of 500 is +/-4.38% (at the 95% confidence level).

The person spoken to within the company was the main (62%) or joint (38%) IT decision maker for their business.

Quotas were set on business size and main telecommunications provider, with a breakdown as follows:

Business size

• n=210 businesses with 1 to 9 full time staff (Small)
• n=210 businesses with 10 to 99 full time staff (Medium)
• n=80 businesses with 100+ full time staff (Large)

Main telecommunications provider

• n=230 businesses with Telecom
• n=220 businesses with Vodafone
• n=50 businesses with other provider


5

Questionnaire

The questionnaire was created in partnership with Vodafone New Zealand, Dr Ryan Ko from Cyber Security Lab (CROW), University of Waikato and Colmar Brunton. A copy of the final questionnaire used is appended to this report.

Notes to the reader

Subgroup analysis has been undertaken for business size and industry. To ensure robust sample sizes, industries have been grouped into the following categories:

• Primary industries n=77
• Secondary industries n=72
• Service industries n=278
• Retail industries n=73

Please note, all commentary relating to subgroup analysis refers to results which are statistically significant at the 95% confidence level.
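As an added worked example (not part of the report), the following Python code reproduces the two statistical conventions stated in the methodology: the maximum margin of error quoted for a sample of 500, and a two-proportion z-test of the kind that underlies a subgroup comparison being "statistically significant at the 95% confidence level". The report does not say which test Colmar Brunton used, so the pooled two-sample z-test here is an assumption; the subgroup sizes used in the illustration (252 businesses with a defined policy, an assumed 248 without one, 210 small and 80 large businesses) are taken from the report's sample profile, and the percentages are the ones quoted in the figures.

```python
import math

# Critical value of the standard normal distribution for a two-sided 95% test.
Z_95 = 1.959964


def max_margin_of_error(n, z=Z_95):
    """Maximum margin of error (as a fraction) for a simple random sample of size n.

    'Maximum' because the worst case for a proportion is p = 0.5, where
    p * (1 - p) = 0.25.  For n = 500 this gives about 0.0438, i.e. +/-4.38%.
    """
    return z * math.sqrt(0.25 / n)


def two_proportion_z(p1, n1, p2, n2):
    """Pooled two-sample z-test for a difference between two subgroup proportions.

    p1, p2 are the observed proportions (0..1) and n1, n2 the subgroup sizes.
    Returns (z statistic, two-sided p-value).  This is an assumed method: the
    report does not state how its significance tests were computed.
    """
    pooled = (p1 * n1 + p2 * n2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided normal tail probability
    return z, p_value


def significant_at_95(p1, n1, p2, n2):
    """True when the difference between the two proportions is significant at the 95% level."""
    z, _ = two_proportion_z(p1, n1, p2, n2)
    return abs(z) > Z_95


if __name__ == "__main__":
    print(f"max margin of error, n=500: +/-{max_margin_of_error(500) * 100:.2f}%")

    # Figure 5: good/excellent understanding of threats, 76% of the 252 businesses
    # with a defined policy vs. 33% of the (assumed) 248 without one.
    z, p = two_proportion_z(0.76, 252, 0.33, 248)
    print(f"policy vs. no policy: z={z:.2f}, p={p:.2g}, significant={abs(z) > Z_95}")

    # Figure 10: 33% of 210 small vs. 34% of 80 large businesses supply their own
    # IT security services; near-identical rates, so no significant difference.
    z, p = two_proportion_z(0.33, 210, 0.34, 80)
    print(f"small vs. large: z={z:.2f}, p={p:.2g}, significant={abs(z) > Z_95}")
```

The margin-of-error figure matches the +/-4.38% quoted in the methodology; the two comparisons show why a 43-point gap on bases of about 250 is reported as significant while a 1-point gap on bases of 210 and 80 is not.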


6

Sample Profile

IT decision maker S1

The person spoken to within the company was the main (62%) or joint (38%) IT decision maker for their business. Unsurprisingly, participants from small businesses (1-9 FTEs) are significantly more likely to be the main IT decision makers, at 78%, compared to 52% for medium (10-99 FTEs) and 46% for large businesses (100+ FTEs).

Industry Q2

Businesses from across all industry types were included in the sample. Figure 1 shows how these industries are grouped for the analysis in this report.

Figure 1: Q2 – In what industry does your organisation operate?


7

The majority of participants surveyed are in the Service industry (56%), followed by Primary (15%), Retail (15%) and Secondary industries (14%). Within the Service industry, a third are in the Professional, Science and Technical Services industry, the largest group surveyed, and fifteen percent are from the Health Care and Social Assistance industry. Retail Trade forms the second largest group surveyed. The Primary industry is mainly made up of those in Construction & Trades Services, followed by those in Agriculture, Forestry and Fishing. Unsurprisingly, as the majority of businesses in the Secondary industry are in Manufacturing, they are significantly more likely to be medium sized businesses, with over half employing 10-99 full time staff.


8

Role in organisation Q3

Owners (47%) and Senior Management (28%) make up 75% of the survey’s sample population, giving a strong reflection of the reality of policies implemented in these companies.

Figure 2: Q3 – Which of the classifications below best describes the role you have within your organisation?

Those completing this research for smaller businesses, with 1-9 FTEs, are significantly more likely to be Owners (82%). Participants from businesses with 10-99 FTEs are significantly more likely to be in a Senior Management position (42%), while those answering on behalf of larger businesses (100+ FTEs) are significantly more likely to be in Executive (21%), Senior Management (40%) and Middle Management roles (21%). Those surveyed in the Retail industry are significantly more likely to be the Owner of the business (60%), while those in the Secondary industry are significantly more likely to be in a Senior Management position (40%).


9

Survey Results

IT security policy Q4 and Q5

Half of businesses surveyed have a defined IT security policy, and as expected, the bigger the business, the more likely they are to have a defined IT security policy. See Figure 3.

Figure 3: Q5 – Does your company have a defined IT security policy?

Those operating in the Primary industry are significantly more likely not to have a defined IT security policy (61%); this is a worrying statistic given the huge importance this industry has to the New Zealand economy. Those operating in the Service industry are the most likely to have a defined IT security policy (56%). See figure 4.

Figure 4: Q5 – Does your company have a defined IT security policy?


10

Those who have a defined IT security policy are significantly more likely to say they have a good to excellent understanding of potential cyber threats than businesses that don’t have a defined IT security policy (76% vs. 33%). See figure 5.

Figure 5: Q4 – If your company was attacked by a hacker or a serious malware, such as ransomware, does your company have policy or guidelines on what to do? Q13 – How would you rate your (company’s) overall understanding of potential cyber threats?

While half of the NZ companies in the study have defined IT security policies, there may be room for improvement in terms of what these policies actually prepare them for. When asked whether their company has policy or guidelines on what to do if it was attacked by a hacker or a serious malware, less than half (43%) said they do, 51% said they have no guidelines and 5% don’t know.

Figure 6: Q5 and Q4

Figure 6 shows that even among companies who have a defined IT security policy, two in ten (20%) don’t have guidelines on what to do if their company was attacked by a hacker or serious malware. This indicates that while companies have policies defined, not all of these policies actually prepare them effectively for catastrophic events affecting business continuity. Businesses need to be aware of the available sets of standards or guidelines from the New Zealand National Cyber Policy Office (e.g. ConnectSmart Initiative, SME Toolkit). If possible, they should align themselves to international IT security policy standards such as ISO/IEC 27001. Increased awareness of these available guidelines and standards will increase the overall strength of IT security amongst NZ businesses.


11

Those who have a defined IT security policy

The 252 businesses who have a defined IT security policy were asked specific questions about enforcement, coverage and management of the policy, the results of which are detailed in this section.

Policy enforcement Q6

Positively, at least 75% of IT security policies are strictly enforced, with large businesses significantly more likely than medium and small to enforce very strictly (29%, 16% and 13% respectively). Medium businesses have room for improvement, with 32% enforcing their IT security policy only slightly.

Figure 7: Q6 – How strictly is this IT security policy enforced?


12

Areas IT security policy cover Q7

There is a continuum: the bigger the business, the more areas the IT security policy covers, as highlighted in figure 8 below.

Figure 8: Q7 – Which areas does your IT security policy cover?

Given the ease of implementation, it is no surprise that the area included most in policies is regular updates to antivirus software (82%). The following areas scored very poorly in terms of inclusion in policies surveyed:

• Asset management (50%)
• Security incident management (48%)
• Human resource security (47%)
• Educating staff against social engineering (38%)

This is a concern given that areas such as social engineering (e.g. spear phishing) are an alarmingly prevalent threat, but companies are not prepared for them in terms of inclusion into IT security policies.


13

Management of IT security policy Q8

A quarter of companies (25%) outsource the management of their IT security, with medium sized businesses (10 to 99 FTEs, 35%) most likely to do so.

Figure 9: Q8 – How is your IT security policy managed?

A third of companies (32%) like to personally manage their IT security policies; this is more prevalent among smaller businesses (with 1 to 9 FTEs, 68%), business Owners (51%), and those in the Secondary industry (53%). Four in ten companies (38%) depend on a dedicated person or department to maintain their IT security policy. This is particularly high for larger businesses (with 100+ FTEs, 66%), which is understandable given their greater resources. Those in Executive, Senior Management and Middle Management positions are more likely than Owners to have the policy managed by another department or another employee; this is also because they tend to be from bigger companies, as seen in figure 2.


14

Provider of IT security services Q9

Three in ten of the businesses surveyed supply their own IT security services.

Figure 10: Q9 – Who supplies your IT security services?

It is a concern that 16% of the businesses supplying their own IT security services have a poor/very poor understanding of potential cyber threats. Only 10% of these businesses stated that their company has an excellent understanding of potential cyber threats. Both small and large businesses are more likely than medium sized businesses to supply their own security services, 33% and 34% vs. 21%.

Symantec (12%), Trend Micro (7%), Telecom (7%) and Vodafone (5%), round out the top IT security providers.

22% of businesses use another provider not listed, with small and medium businesses more likely than large businesses to do so (21% and 27% vs. 10%). These ‘other’ providers are largely antivirus software providers, for example AVG, ESET and AVAST. There is surprisingly low usage of penetration testers such as Dimension Data, Aura Information Security, PricewaterhouseCoopers, Ernst & Young, KPMG, and Deloitte and Touche. Symantec is more likely to be used by those in the Service industry (14%) than those in the Primary industry (5%).


15

Importance of security elements to organisations Q10

When asked about the importance of security elements to their organisation, it becomes apparent that most companies are ready for ‘traditional’ threats, which are not necessarily the main culprits in the current cyber security landscape. Many companies think that just because they have virus protection or a firewall in place, their security is well covered.

Figure 11: Q10 – How important to your organisation are the following security elements?

As expected, virus and malware protection is viewed as very important/important by 92% of businesses. However, multi-factor authentication is seen as least important, which is a worrying trend. Viewing multi-factor authentication as least important means that companies do not know how to prevent, or even worse, do not care about potential authentication flaws. Companies are not aware that employees are exposed to many present-day vulnerabilities stemming from spear phishing and potential keylogging/stealing of passwords (especially when they travel and access public wifi locations, etc.). Single-factor authentication with a user name and password is the most vulnerable, and hence multi-factor authentication systems are strongly encouraged in online transactions such as internet banking. Infrastructure monitoring systems ranked second from the bottom, again indicating the lack of awareness of new-generation threats against businesses. There is a definite need for education on modern cyber security threats and how to prevent them, perhaps as part of a continuous improvement plan in the IT security policy, in the annually updated ISO policy, or in the industry policy on what to cover. Data security (e.g. disk encryption policies) is viewed as very important/important by significantly more medium (66%) and large (75%) businesses than small businesses (45%), while large businesses (96%) are significantly more likely to view firewalls as very important/important than small (84%) and medium (89%) businesses.


16

Spend on IT security as percentage of total business expenditure (Q11)

It is interesting to note that while the majority of companies (89%) do make some investment in IT security, 11% of businesses are vulnerable due to a lack of investment in this area.

Figure 12: Q11 – What is your overall spending on security as a percentage of your total business expenditure?

Smaller companies are most at risk, 20% of those with 1-9 full time employees not investing in IT security at all. 45% of companies spend up to 2% of their business expenditure on security. This is a good entry gauge for technology and security vendors. Those in the Secondary industry are more likely to have lower spend, 58% only spending up to 2%.


17

Intention to increase IT security processes/products in next 12 months (Q12)

Only four in ten companies (38%) intend to increase IT security measures in the next 12 months, while the majority (62%) say they will not be doing so. This is a worrying trend as it indicates that companies are satisfied with the current condition of their policies and may not be exploring a continuously improving mindset on IT security.

Figure 13: Q12 – Are you intending to increase IT security processes or products in the next 12 months?

Smaller companies in particular do not seem to see the need to improve IT security, 76% not planning to increase IT security products or processes in the next year. This is a concern, as we know that they are potentially the most at risk, due to low current investment. This also reveals another perspective: a demand for more user-empowering, low-cost security tools as an opportunity for security companies to address this need. It is positive to see that larger businesses (with over 100 full time employees) are more open to continuous improvement in this area, 66% intending to increase IT security measures in the coming year. There are no significant differences by industry.


18

Current understanding of potential cyber threats (Q13)

It is positive that most companies (79%) have at least a moderate understanding of potential cyber threats.

Figure 14: Q13 – How would you rate your (company’s) overall understanding of potential cyber threats?

Companies in the Service sector have the best understanding of potential cyber security threats (mean score of 3.9 out of 6, compared to only 3.3 for Primary industries). This is not surprising given the importance of business continuity in Service sector industries such as Professional, Scientific and Technical Services, Health Care, Information Media and Telecommunications, and Finance and Insurance. Primary industries have a very poor understanding of cyber security threats, with significantly higher poor and very poor ratings than the Service sector. The industries in this sector include Construction, Agriculture, Forestry and Fishing, who may typically view IT systems and services as supporting tools and not feel the need to focus much on IT security. The larger the company, the greater the knowledge. Larger businesses, with over 100 full time employees, have a significantly greater understanding of potential cyber threats and smaller businesses the lowest (mean scores of 4.5 for large, 3.7 for medium and 3.4 for small businesses respectively). As might be expected, companies with a defined IT policy have a better understanding of cyber threats in general (mean of 4.2 out of 6). Businesses that strictly enforce their IT policy also have a significantly higher understanding of cyber threats (mean scores of 5.2 for those who enforce very strictly and 4.3 for those who enforce strictly).


19

Company understanding of specific cyber threats (Q14)

The cyber threats that companies feel they have the highest levels of understanding about are the more basic threats such as:

• Virus and malware
• Data loss (accidental) e.g. hardware failures
• Loss of IT assets (phones, laptops and tablets)

There is significantly low knowledge about APTs (Advanced Persistent Threats) across all business sizes and industries.

Figure 15: Q14 – In relation to the following potential cyber threats, how would you rate your (company’s) understanding of each threat?

Businesses in the Service industry tend to have a stronger understanding about threats in general, particularly when compared to the low levels of knowledge in the Primary sector. This is not surprising given the importance of business continuity in Service sector industries such as Professional, Scientific and Technical Services, Health Care, Information Media and Telecommunications. There are no significant differences by industry in understanding of basic threats such as accidental data loss e.g. hardware failure and loss of IT assets (phones, laptops and tablets). Businesses in the Secondary industry (Manufacturing, Wholesale Trade, Transport and Storage) have significantly higher understanding of the threat of accidental data leakage, such as wrong attachments sent via email. Not surprisingly, there is a strong correlation between having a strong understanding of threats and being a company that has IT policies which are defined and enforced.


20

Perceived significance of risks (Q15)

Threats perceived as the most significant risks to businesses are the more traditional virus and malware, data loss through hardware failure and loss of IT assets such as phones, laptops and tablets. A quarter of businesses (26%) are not aware of APTs (Advanced Persistent Threats). This could be due to a lack of education or simply the prevalence of buzzwords around APTs. 17% are unaware of denial of service (DoS) attacks.

Figure 16: Q15 – And how significant do you perceive the risk to be to your organisation from each of the following cyber threats?

It is concerning that one in five companies do not see data leakage, either accidental or malicious, as a significant risk (23% and 21% respectively). A third of businesses (33%) are not concerned about cyber espionage at all. The risks and impact are perhaps unclear to them at this point in time.


21

As we saw before, those in the Service industry have a greater understanding of threats; they, along with the Secondary industry, have a higher perception of risks than those in the Primary industry, as shown in figure 12 below (mean scores out of 4):

Figure 17: Q15 – And how significant do you perceive the risk to be to your organisation from each of the following cyber threats?


22

Whether company has adequate tools and policies in place to prevent or mitigate cyber threats (Q16)

Just under half of the companies (45%) say they don’t have adequate tools and policies in place to prevent or mitigate cyber threats.

Figure 18: Q16 – Do you think that your company has adequate tools and policies in place to prevent and mitigate cyber threats?

Larger companies are significantly more likely to be prepared for cyber threats (81% of companies with over 100 full time employees have adequate tools or policies in place). Interestingly, this does not differ significantly by industry sector, but indicatively (as the bases are below 30 businesses) the following industries are less likely to have adequate tools and policies in place: Retail, Hiring and Real Estate Services (71%), Accommodation, Cafes and Restaurants (61%), and Agriculture, Forestry and Fishing (59%).


23

Most urgent areas to address to prevent/mitigate cyber threats (Q17)

The 224 companies who said they did not have adequate tools or policies in place were asked to rank a list of potential cyber threats to their business. It is worrying to see that, when looking at the top 3 areas to address, only 13% view security incident management as an area to address. Regular updates to antivirus software is seen as the most urgent area (24%) and also has the highest mention in the top 3 areas to address (51%). This is despite the fact that risks can come in other forms, e.g. social engineering and malicious insiders. This again highlights the need for education on modern cyber security threats and how to prevent them. It is encouraging, however, to see business continuity mentioned as the second most urgent area to address (13%).

Figure 19: Q17a – Firstly, what would be the most urgent area you think you should address to prevent and mitigate cyber threats? Q17b – What would be the second most urgent area you think you should address to prevent and mitigate cyber threats? Q17c – And what would be the third most urgent area you think you should address to prevent and mitigate cyber threats?


24

How often business IT security is threatened by cyber threats (Q18)

Over half of companies (56%) claim to be attacked at least once a year, while 20% claim to have never been attacked.

Figure 20: Q18 – How often is your business IT security threatened by cyber threats?

Within the ‘attacked’ companies, 3 in 10 mention that they are attacked once or twice a year. This is an opportunity for companies that provide IT security to focus on in terms of business development: these businesses are aware that security is important, and are currently open to investing in detecting threats or have a current need. Larger businesses are more likely to have frequent attacks. It is interesting to note that 23% don’t know; this is a very high percentage, indicating a general ignorance of security threats. Primary industries are significantly more likely to say they have never been attacked, 30% compared to 18% for Service industries.


25

Potential threats to organisation in next 12 months (Q19)

Increased use of mobile devices with corporate and privacy sensitive data, and a lack of sufficient security awareness among employees, are viewed as the strongest threats to businesses in the coming 12 months.

Figure 21: Q19 – How much of a threat do you feel the following are to your organisation over the next 12 months?

It is of concern that required travel and (physical) presence in other countries due to business activities is not viewed as a threat by 35% of companies, particularly when we take into account earlier results that multi factor authentication was viewed as a security element of relatively low importance. Those in the Secondary industry are more likely to view required travel and (physical) presence in other countries due to business activities as a threat compared to those in the primary industry, but this is still at low levels (mean score of 1.4 vs 1.0 out of 4).


Appendix:

6132 Cyber Security Questionnaire 09.05.14

Colmar Brunton is conducting research with IT decision makers in companies across New Zealand on behalf of Vodafone, to capture an accurate snapshot of how aware and prepared NZ companies are for potential cyber security threats.

Your answers are completely confidential. Your views will be grouped with those of others so that individual people and their answers cannot be identified. The survey is likely to take 10 minutes to complete.

S1 - Are you the main or joint IT decision maker for your business? SINGLE RESPONSE Please select one only

A. Main B. Joint C. Not the main or joint IT decision maker – THANK AND CLOSE

S2 – Which of the following telecommunication companies provide your business with any of the following services: mobile phone, fixed internet, mobile internet on a laptop or tablet computer wherever you are, and voice calls on a landline or fixed line phone? MULTI RESPONSE Please select all that apply

Vodafone Telecom 2degrees Orcon Call Plus Gen-i Other (please specify) None of these Don’t know

IF MORE THAN ONE PROVIDER SELECTED IN S2 ASK S3

S3 - And who would you say is the main telecommunications provider for your business?

Vodafone Telecom 2degrees Orcon Call Plus Gen-i [Other] BRING TEXT FROM S2


Q1. Including yourself, how many full time employees does your organisation have? SINGLE RESPONSE Please select one only

A. 1 B. 2 to 4 C. 5 to 9 D. 10 to 19 E. 20 to 49 F. 50 to 99 G. 100+ H. Don’t know – THANK AND CLOSE I. Refused – THANK AND CLOSE

CHECK QUOTAS – BASED ON S3:

Segment (employees)      Vodafone   Telecom   Other   Total
1 to 9 (Small)                 90        90      30     210
10 to 99 (Medium)              90        90      30     210
100+ (E&G)                     40        40       0      80
Total                         220       220      60     500

Q2. In what industry does your organisation operate? – MOVE TO AFTER Q19 SINGLE RESPONSE Please read the selections carefully before selecting one only

Professional, Scientific & Technical Services e.g. legal & accounting services, marketing & business management services, scientific research, advertising, technical services, computer services, veterinary services, market research & statistical services, other professional, scientific & technical services

Administrative & Support Services e.g. employment services, travel agency & tour arrangement services, other administrative services, building cleaning, pest control & other support services

Rental, Hiring & Real Estate Services e.g. real estate agent, property operator and developer, motor vehicle & transport equipment rental & hiring, farm animal & bloodstock leasing, other goods & equipment rental & hiring

Construction & Trades Services e.g. building construction, building structure services, heavy & civil engineering construction, installation trade services, site preparation services, other construction services

Retail Trade e.g. food retailing, personal and household good retailing, motor vehicle retailing and services, fuel retailing, other retailing

Agriculture, Forestry and Fishing e.g. grain, sheep, beef, pig, dairy cattle and other livestock farming, horticulture and fruit or crop growing, forestry & logging, fishing, hunting & trapping

Finance and Insurance e.g. banking, insurance & superannuation funds, services to finance and insurance (not including accounting services; see Professional, Scientific & Technical Services)

Transport and Storage e.g. road, rail, water, air and space, postal & courier services, other transport services, warehousing & storage services

Manufacturing e.g. food, beverage and tobacco manufacturing, textile, leather, clothing, footwear manufacturing, wood and paper product manufacturing, other manufacturing


Health Care and Social Assistance e.g. hospitals and nursing homes & residential care services, medical and dental services, other health services, child care, community care services

Wholesale Trade e.g. basic material wholesaling, machinery & equipment wholesaling, motor vehicle wholesaling, liquor & tobacco product wholesaling, personal and household good wholesaling, other wholesaling

Accommodation, Cafes, Restaurants e.g. accommodation, pubs, taverns, bars, cafes, restaurants

Other Services e.g. personal household goods hiring, other personal services, private household employing staff, religious organizations, interest groups, automotive repair & maintenance, machinery & equipment repair, other repair & maintenance

Arts and Recreational Services e.g. museums, parks & gardens operations, creative & performing arts, sport and recreation activities, gambling activities

Information Media & Telecommunications e.g. internet, newspaper, book, journal, software publishing, motion picture & sound recording activities, radio & TV broadcasting, telecommunication & internet services & service providers, library & other information services

Education and Training e.g. pre-school, school, post-school, adult, community and other education

Mining e.g. coal, metal ore, other mining, oil and gas extraction

Electricity, Gas, Water & Waste Services e.g. electricity/gas/water supply, sewerage, waste collection & drainage services

Public Administration & Safety e.g. Central, State, Local Government administration, justice, defence, public order, safety & regulatory services


Q3. Which of the classifications below best describes the role you have within your organisation? SINGLE RESPONSE Please select one only

A. Owner B. Executive C. Senior management D. Middle management E. Other

Q4. If your company was attacked by a hacker or serious malware, such as ransomware, does your company have a policy or guidelines on what to do? SINGLE RESPONSE Please select one only

A. Yes B. No C. Don’t know

Q5. Does your company have a defined IT security policy? SINGLE RESPONSE Please select one only

A. Yes B. No C. Don’t know / unsure

IF Q5 = YES THEN ASK Q6-8 OTHERWISE SKIP TO Q9

Q6. How strictly is this IT security policy enforced? SINGLE RESPONSE Please use the slider below to indicate your answer

A. Very strictly B. Strictly C. Slightly D. Not at all E. Don’t know / unsure


Q7. Which areas does your IT security policy cover? TO REDUCE RESPONDENT WEAR-OUT USE THE ‘HOVER’ TOOL. THE BOLDED TEXT BELOW SHOULD BE VISIBLE AT ALL TIMES AND THE UNBOLDED VISIBLE AT HOVER.

MULTI RESPONSE, RANDOMISE AND RETAIN ORDER FOR Q17 Some statements have a full description, to see it please hover your mouse over the statement Please select all that apply

A. Websites that can be visited
B. Software that can be downloaded
C. Regular updates to antivirus software on staff computing devices
D. Scanning of incoming and outgoing network traffic
E. Regular patching of software and systems
F. Educating staff against social engineering e.g. authentication script for telephone calls requesting information, the dangers of phishing, warnings against emerging phishing email trends
G. Staff and visitors bringing their own devices into the company’s premises (BYOD)
H. Reporting/ feedback mechanisms on potential security breaches to the relevant technical and management teams
I. Access control – restriction of access rights to networks, systems, applications, functions and data e.g. devices that can be attached to the network
J. Physical and environmental security e.g. cards for room entry, CCTVs
K. Asset management – inventory and classification of information assets e.g. laptops, mobile devices
L. Human resources security – security aspects for employees joining, leaving, moving across departments, e.g. deletion of the account of a departing staff member
M. Security incident management – when an attack happens, your technical and management staff know what to do next e.g. mitigate attacks, forensics and investigations, media, etc.
N. Business continuity – protecting and ensuring quick recovery for business-critical processes
O. Compliance – ensuring alignment with standards, laws and regulations
P. None of the above

Q8. How is your IT security policy managed? SINGLE RESPONSE Please select one only

A. I personally manage it B. It is undertaken by another department/ another employee within the organisation. C. We outsource this to a third party vendor. D. There is no one dedicated to do this E. Don’t know


Q9. Who supplies your IT security services? SINGLE RESPONSE Please select one only

A. We supply it ourselves B. Symantec C. Trend Micro D. Vodafone E. Telecom F. Gen-i G. Datacom H. Dimension Data/ Security-assessment.com I. IBM J. HP/ TippingPoint/ ArcSight K. Aura Information Security L. Arbor Networks M. Cloudflare N. Check Point O. EMC/ RSA P. Splunk Q. PricewaterhouseCoopers R. Ernst & Young S. KPMG T. Deloitte and Touche U. Other (please specify) V. Don’t know

Q10. How important to your organisation are the following security elements? SINGLE RESPONSE PER SECURITY ELEMENT, SET UP AS DYNAMIC GRID, RANDOMISE SECURITY ELEMENTS

Very important Important Slightly important Not very important but we still use We don’t use at all Don’t know

Please select one only for each security element

A. Virus and malware protection B. Data security e.g. disk encryption policies, etc C. Firewalls D. Secure IT assets e.g. phones, laptops and tablets E. Multi-factor authentication e.g. use of RSA tokens to log into services and intranet F. Infrastructure monitoring systems e.g. traffic monitoring G. Protection against Denial of Service(DoS) attacks


Q11. What is your overall spending on security as a percentage of your total business expenditure? SINGLE RESPONSE Please select one only

A. 0% B. Up to 2% C. Up to 5% D. Up to 10% E. Over 10% F. Don’t know

Q12. Are you intending to increase IT security processes or products in the next 12 months? SINGLE RESPONSE Please select one only

A. Yes B. No

Q13. How would you rate your (company’s) overall understanding of potential cyber threats? SINGLE RESPONSE Please use the slider below to indicate your answer

A. Excellent B. Very good C. Good D. Moderate E. Poor F. Very poor G. Don’t know / unsure

Q14. In relation to the following potential cyber threats, how would you rate your (company’s) understanding of each threat?

SINGLE RESPONSE PER CYBER THREAT, SET UP AS DYNAMIC GRID, RANDOMISE AND RETAIN ORDER OF CYBER THREATS FOR Q15

Excellent Very good Good Moderate Poor Very poor Don’t know / unsure

Please select one only for each cyber threat

A. Advanced Persistent Threat (APT) B. Virus and malware C. Website defacement D. Denial of service (DoS attack) E. Data loss (malicious) e.g. ransomware encrypting the hard drives of all computers. F. Data loss (accidental) e.g. hardware failure. G. Data leakage (malicious) e.g. leakage of confidential data via email. H. Data leakage (accidental) e.g. wrong attachments sent via email. I. Loss of IT assets (phones, laptops and tablets) J. Cyber espionage


Q15. And how significant do you perceive the risk to be to your organisation from each of the following cyber threats? SINGLE RESPONSE PER CYBER THREAT, SET UP AS DYNAMIC GRID, RETAIN ORDER FROM Q14

Very significant Significant Somewhat significant Not significant at all Not aware what this threat is

Please select one only for each cyber threat

A. Advanced Persistent Threat (APT) B. Virus and malware C. Website defacement D. Denial of service (DOS attack) E. Data loss (malicious) e.g. ransomware encrypting the hard drives of all computers. F. Data loss (accidental) e.g. hardware failure. G. Data leakage (malicious) e.g. leakage of confidential data via email. H. Data leakage (accidental) e.g. wrong attachments sent via email. I. Loss of IT assets (phones, laptops and tablets) J. Cyber Espionage

Q16. Do you think that your company has adequate tools and policies in place to prevent and mitigate cyber threats? SINGLE RESPONSE Please select one only

A. Yes B. No

IF NO THEN ASK Q17a OTHERWISE GO TO Q18


On the following screens please rank / identify the top three areas you think you should urgently address to prevent and mitigate cyber threats. NEW SCREEN

Q17a. Firstly, what would be the most urgent area you think you should address to prevent and mitigate cyber threats? USE LIST BELOW – IF NONE OF THESE SELECTED SKIP TO Q18

Q17b. What would be the second most urgent area you think you should address to prevent and mitigate cyber threats? USE LIST BELOW – IF NONE OF THESE SELECTED SKIP TO Q18, EXCLUDE OPTION FROM Q17a

Q17c. And what would be the third most urgent area you think you should address to prevent and mitigate cyber threats? USE LIST BELOW – IF NONE OF THESE SELECTED SKIP TO Q18, EXCLUDE OPTIONS FROM Q17a AND Q17b

TO REDUCE RESPONDENT WEAR-OUT USE THE ‘HOVER’ TOOL. THE BOLDED TEXT BELOW SHOULD BE VISIBLE AT ALL TIMES AND THE UNBOLDED VISIBLE AT HOVER. RETAIN RANDOMISED ORDER FROM Q7. SINGLE RESPONSE

Some statements have a full description, to see it please hover your mouse over the statement

A. Websites that can be visited
B. Software that can be downloaded
C. Regular updates to antivirus software on staff computing devices
D. Scanning of incoming and outgoing network traffic
E. Regular patching of software and systems
F. Educating staff against social engineering e.g. authentication script for telephone calls requesting information, the dangers of phishing, warnings against emerging phishing email trends
G. Staff and visitors bringing their own devices into the company’s premises (BYOD)
H. Reporting/ feedback mechanisms on potential security breaches to the relevant technical and management teams
I. Access control – restriction of access rights to networks, systems, applications, functions and data e.g. devices that can be attached to the network
J. Physical and environmental security e.g. cards for room entry, CCTVs
K. Asset management – inventory and classification of information assets e.g. laptops, mobile devices
L. Human resources security – security aspects for employees joining, leaving, moving across departments, e.g. deletion of the account of a departing staff member
M. Security incident management – when an attack happens, your technical and management staff know what to do next e.g. mitigate attacks, forensics and investigations, media, etc.
N. Business continuity – protecting and ensuring quick recovery for business-critical processes
O. Compliance – ensuring alignment with standards, laws and regulations
P. None of the above

Q18. How often is your business IT security threatened by cyber threats? SINGLE RESPONSE Please use the slider below to indicate your answer

A. At least once a week B. At least once a month C. At least every couple of months D. Once or twice a year E. Never F. Don’t know


Q19. How much of a threat do you feel the following are to your organisation over the next 12 months? SINGLE RESPONSE PER THREAT, SET UP AS DYNAMIC GRID, RANDOMISE Please select one only for each threat

1 = not a threat 2 = low threat 3 = average threat 4 = high threat 5 = very high threat 6 = Don’t know

A. Location of information and data (e.g. data relocation in cloud services) B. Increased use of mobile devices with corporate data and privacy-sensitive data C. Lack of sufficient security awareness among employees D. Required travel and (physical) presence in other countries due to business activities E. Lack of sufficient security controls

Q20. Which area of the country are you based in? SELECT ONE ONLY

Northland (1), Auckland (2), Waikato (3), Bay of Plenty (4), Gisborne (5), Taranaki (6), Hawkes Bay (7), Manawatu / Wanganui (8), Wellington (9), Marlborough (10), Nelson (11), Canterbury (13), Otago (14), Southland (15), Don’t know (98)