Cybersecurity has moved centre stage as a governance issue. High-profile security breaches have shown that a single severe attack can take down an entire business. Many directors now recognise the existential threat, and it needs to be a regular board agenda item.
Yet there is still room for improvement. Kordia’s 2025 New Zealand Business Cyber Security Report found that about a third of businesses say their board still does not treat cyber security as an important risk area. The same proportion of respondents also indicated there was no form of risk-based reporting back to the board.
Cybersecurity requires a level of expertise. Just as boards might appoint directors with specialist finance or legal skills, we are now seeing organisations with at least one director able to oversee cybersecurity and risk management at a strategic level.
Here are the main priorities boards should consider in 2025:
Conduct a comprehensive cyber risk assessment to fully understand your organisation’s unique risks and vulnerabilities.
Many businesses have never performed a full risk assessment. That means they are effectively navigating challenges blindfolded. Often board members will have a gut feel for the risks the organisation faces. It may be based on experience elsewhere. While this can be helpful, the reality is that directors are removed from the everyday business, which means they rarely have a complete picture of front-line conditions.
And every business is different. There is no such thing as a one-size-fits-all cybersecurity risk assessment. It needs to be tailored for local and specific conditions.
Most of the time, even the executive team will only have a second-hand understanding of vulnerabilities. Remember, no matter how good an organisation’s culture is, there can still be a tendency for bad news not to be reported up the chain. All of which can leave a board with a fragmented and abstract view of risks. A full, preferably independent, risk assessment can fill in knowledge gaps while identifying priorities and areas for action.
Risks can be reputational, operational, or even involve personal safety. Yet, in almost every case you can put a financial number on the risk. This helps clarify thinking. If, say, the cost of a potential breach would be $1 million, that puts perspective on spending $50,000 to reduce the risk.
Ensure your organisation has a robust strategy that aligns with business goals and enables growth.
A cybersecurity strategy, done after a risk assessment, can then become a key business enabler. Find your business goals and tie your cybersecurity goals to them. As you do this, you will gain insight into why it matters so much.
Say you want to increase revenue by 10 per cent. To do that you will need to have a secure and flexible platform that allows your business to grow. It becomes clear there is a direct relationship between growth and security. That way you will understand why the money spent on security is an investment and not a cost burden.
Actively participate in incident response planning and regularly test your organisation’s ability to respond to and recover from cyber incidents.
Once you have a strategy, the next step is tactical: you need a plan for how to respond to incidents. While the strategic side is a task for the entire board, planning might be delegated to a small number of directors working with executives.
As a board you need to draw your lines in the sand: “Should we pay in a ransomware attack? At what point should we pay?” And so on. It is far better to consider these questions calmly in advance than to discuss them for the first time while an attack is in progress.
Another area to consider is whether the business is making adequate back-ups of data and how quickly it can recover if there is an incident.
Promote a strong security culture by supporting regular employee security awareness training.
It is a board’s job to ensure an organisation builds a security culture. That means investing in awareness training, building defences against threats such as phishing, and ensuring employees stay up to date on emerging risks. They need to know what they should and should not do when issues arise.
There is also a resilience angle. The processes needed to get the business operating again quickly after a cyber incident are much the same as those needed after an earthquake or a pandemic lockdown. In each case, if you cannot get the business working again within days, your organisation may fail.
A board has a crucial role to play in building a cybersecurity culture. It is important to get involved in planning and releasing responses, and to be seen as taking an active interest. People are looking for leadership.
Stay informed on evolving cyber threats and regulatory requirements and provide leadership in addressing these issues.
Perhaps the hardest part for directors is keeping up with trends and understanding how events taking place elsewhere might affect the organisation. Working with a trusted cybersecurity partner can help provide context on what is taking place in the threat landscape.
For relevant insights that are applicable to New Zealand businesses, see Kordia’s annual Cyber Security Business Report. The National Cyber Security Centre also provides online resources and advisories on threats impacting cybersecurity at a national level.