10 tips for Papua New Guinean businesses to protect against cyber risk
KPMG’s Happymabel Ketias-Zingunzi shares why Papua New Guinean businesses are uniquely exposed to cyber risks – and what they can do to protect themselves.

With PNG’s increasing digitalisation come increasing cybersecurity risks, according to KPMG’s Cybersecurity Centre for Excellence.
Papua New Guinea’s rapid digitisation is a huge success story that has transformed service delivery through mobile connectivity, cloud services, and automation.
However, cyber risks such as ransomware, business email compromise, and operational technology disruptions now pose significant challenges for organisations.
Why PNG is uniquely exposed
Many organisations operate with small tech teams across remote locations, rely heavily on third parties, and face unreliable site-to-site and internet connectivity. That combination makes it easier for a single weak point like a compromised account, a misconfigured cloud service or an unpatched server to ripple quickly into operations, cash flow, and reputation.
What ‘good’ looks like in practice
Cyber risks should be treated as part of overall business risk. Here are 10 “core” cyber hygiene elements that can be a go-to best practice list for any organisation:
- Know all your assets because you can’t protect what you don’t know exists;
- Use strong access controls and multi-factor authentication (MFA) to prevent unauthorised access;
- Keep systems securely configured and hardened to reduce attack surfaces;
- Continuously patch and scan for vulnerabilities to eliminate weak points;
- Protect your data with encryption and proper data‑handling practices;
- Maintain reliable, tested backups so you can recover quickly from incidents;
- Segment your network and apply layered security to limit breach impact;
- Train staff regularly to recognise and avoid cyber threats;
- Actively monitor your environment and respond quickly to suspicious activity; and
- Manage third‑party and supply‑chain risks to prevent external vulnerabilities.
How businesses and government can prepare
Boards should set clear expectations: risk appetite for downtime, trigger points for escalation, and decision rights for shutdowns, communications, and recovery spending. Reporting should focus on a small set of practical indicators, including how quickly incidents are detected and contained, how fast critical services are restored, the coverage of MFA and patching, and the number of high‑risk suppliers without current security assurances.
Government entities face even stricter requirements because essential citizen services and systems must remain operational, making it crucial to plan communication and coordination among agencies before incidents happen.
What we’re hearing in PNG boardrooms is consistent: “cyber isn’t an IT problem anymore; it’s an operational resilience issue”.
The organisations getting ahead are the ones that strengthen the basics, practice their scenarios, and make cyber part of daily decision-making.
Happymabel Ketias-Zingunzi is Advisory Director at KPMG PNG. This article was first published by KPMG PNG’s Cybersecurity Centre of Excellence.