The current state of cybersecurity in New Zealand is alarming but not without hope. Firstly, it’s important to understand that cyber security is very reactive in nature. That is, it’s near impossible to be completely protected against an attacker. Rather, businesses have to adequately mitigate the risk by employing good practice and having robust protocols in place to detect and deal with an attack should it occur.
If New Zealand wants to stay relevant and competitive on the world stage, it needs to keep up with technology advances. The Government Communications Security Bureau (GCSB) is concerned that inadequacies in cyber security across sectors could put New Zealand on the back foot.
A report by the GCSB's National Cyber Security Centre (NCSC) surveyed 250 nationally significant organisations, about their resilience, and the potential impact a breach could have on the organisations and the country’s infrastructure. It suggests a change of attitude and the creation of a robust plan can steer organisations back in the right direction. The report identified four key areas where organisations should focus their effort.
Key Areas
Governance – Promoting cyber security at a senior leadership level to protect an organisation’s most important digital assets.
Investment – Investing in cyber security to minimise risk and maximise returns.
Readiness – Preparing the organisation to detect, respond, and recover from a cyber security incident.
Supply Chain – Maintaining oversight and awareness of the cyber security risks in an organisation’s supply chain.
Key Findings
19% of organisations have a chief Information Security Officer
39% of organisations provide reporting to senior management.
73% of the organisations that were interviewed increased their spending on cyber security. This however did not increase their confidence in cyber security resilience. This could be due to the fact that only 33% of those organisations identified their critical information assets.
52% of organisations indicated they don’t have sufficient staff to deal with security requirements due to increasing spending on tools, as opposed to training/hiring the right people.
63% of organisations had an incident response plan in place, with only 33% of those testing their plan in the past year.
72% of organisations use a managed service provider, of which 36% could not indicate if the level of service provided by the vendor was adequate.
41% of the organisations surveyed were not confident in their ability to detect an intrusion.
The GCSB concluded that nationally significant organisations aren’t investing enough money into cyber security to keep up with the fast-paced growth of technology. From its findings the NCSC provided individual reports to each organisation on how they can improve their cyber security resilience focusing on the aforementioned four key areas.
“It’s all about maintaining good oversight, good resources, getting the right expertise on board, and being in a state of constant readiness. It’s simple when it comes down to it; thinking ahead and being better prepared.” GCSB.