The hidden risk in New Zealand's digital transformation
Wed, 15th Apr 2026
Across Aotearoa New Zealand, digitisation has moved from strategy to standard practice. Cloud platforms, remote access, shared systems and specialist technology partners now sit at the heart of how organisations operate.
Healthcare is a clear example. Patient portals, electronic referrals, shared imaging platforms, and cloud-based clinical systems are now integral to delivering care. Similar patterns are evident across government, financial services and critical infrastructure. Digital transformation, increasingly powered by AI, is reshaping how services are delivered and improved.
That shift is positive and necessary. But it has also fundamentally altered organisational risk.
In many sectors, leadership attention and investment are rightly focused on frontline delivery. The operational systems that support those services (identity management, third-party access, network architecture and governance controls) can receive less strategic scrutiny. Over time, as connectivity expands, access spreads and responsibilities blur.
For organisations holding some of the most sensitive data the public entrusts, that imbalance matters. The question is not whether to digitise, but whether access, accountability and resilience have kept pace with the scale and speed of that digitisation.
Has digital connectivity outpaced control?
Take the healthcare sector as an example. In a country the size of New Zealand, our providers cannot build and operate every critical system alone. Specialist vendors supply clinical software, cloud providers host infrastructure, and external partners support upgrades, integrations and day-to-day maintenance. Many systems are shared across organisations, and many teams rely on remote support from outside their walls.
This model makes sense. It enables a level of care and capability that would otherwise be unavailable. But it also means that access to an organisation's critical systems becomes more distributed and harder to control.
Over time, the number of people and organisations with access to clinical and operational systems grows steadily. A vendor may be given access to complete a project and retain it for ongoing support. A contractor account may stay active because it might be needed again. A shared login may emerge because it is easier during a busy clinical period.
The risk is that, after years of incremental change, access arrangements become so widespread that they are difficult to see clearly, and harder still to govern.
Start with visibility
The answer is not to reduce connectivity, but to control access with the same seriousness applied to financial controls, clinical safety and major operational risk. That starts with visibility. Boards and leadership teams need to be asking who has access to critical systems, including external parties, and whether that access has been granted deliberately or inherited by default.
National frameworks such as the Protective Security Requirements and the National Cyber Security Centre's Minimum Cyber Security Standards already emphasise asset visibility and managing third-party risk. But meeting a baseline standard is not the same as having clear, real-time control or defined accountability across a complex digital ecosystem.
Internally, access should be limited to what is needed for a specific role or purpose, and it should be reviewed regularly as contracts, staff roles and technology platforms change. If something looks wrong, organisations need the ability to restrict access quickly without causing disruption to their systems.
The same discipline should apply to suppliers and service partners. Expectations regarding security, monitoring and incident response should be clearly set out in contracts and procurement processes. It should not be taken for granted that a third party's internal practices align with the organisation's risk tolerance, particularly when that provider is supporting multiple clients across several environments.
When responsibilities are unclear, accountability becomes unclear, and that is exactly when gaps emerge.
Make zero trust operational
This is the practical value behind approaches such as Zero Trust: the idea that access should not be assumed, and that users and providers should only be able to reach what they genuinely need.
SASE, or Secure Access Service Edge, is one way organisations are applying this more consistently across locations, users and external partners. Put simply, it helps enforce the same access policies regardless of where staff are working or which network they are using.
Improved governance ensures connectivity can drive advantage
For New Zealand businesses, the message is not to fear digitisation and third-party providers, but to ensure they have the right access and controls in place. Attackers increasingly look for the easiest route in, and that route often sits in the wider ecosystem of suppliers. When access is loosely defined or inconsistently reviewed, it opens you up to cyber risk.
But the upside is clear. When identity, access and third-party governance are treated as core operational disciplines, connectivity becomes an advantage rather than an exposure. It strengthens continuity, supports innovation, and builds the trust that modern healthcare, and modern business, depends on.