New Zealand Business Has Increased Cybersecurity Spending, Not Expertise

State-sponsored cyber-attacks have risen 10 per cent in the last financial year, and a survey of New Zealand's most significant organisations has returned a mixed picture when it comes to resilience against such threats. All the while, total recorded cyber incidents had dropped, a statistic that had piqued the interest of the spy agencies.

As the NZ National Cyber Security Centre (NCSC) progressed the rollout of its new "Malware Free Network" capability, or the affectionately-named "son of Cortex", it was advising organisations to be aware of a "shift in the cyber threat landscape".

Director of the NCSC Lisa Fong said the rise of state-sponsored activity, cyber-attacks known to have originated within a foreign government, was "notable, certainly".

The NCSC is a branch of the external spy agency the NZ Government Communications Security Bureau (GCSB), which works directly with New Zealand's "organisations of national significance" to protect against cyber threats. It recently carried out a high-level survey of 250 nationally significant organisations, which revealed a marked increase in security spending on tools, but less so on expertise.

Only 19 per cent of those organisations had a dedicated chief information security officer and 39 per cent did not provide any cyber security reporting to senior management. A further 33 per cent had fully identified their "critical information assets".

"If an organisation is unclear about what its most critical assets are, it is difficult to be confident they are protected," the survey said.

But 73 per cent of all organisations had increased their cyber security spending in the last year. It was encouraging in terms of the awareness of risk, but the NCSC would like to see a bigger spend on personnel and training.

"There has been an increase in spending, but largely that's gone on tools. Where we see the need is investment alongside those tools, because they won't be able to analyse their systems for instance, that won't produce effective reporting to your board," said Fong.

While the NCSC would not comment on what agencies were deemed "nationally significant", it included a range of critical Government departments as well as private companies that provided national services, were economically significant, or had access to nationally sensitive information.

Fong would not be drawn on which states had been responsible for the rise in cyber-attacks in this country.

"We don't talk about specific actors unless we're prepared to publicly attribute. Part of the reason for that is that we can hold our hand to make sure we can keep detecting and remediating."

In December 2018 the GCSB took the rare step of joining its Five Eyes allies - the United States, Canada, the United Kingdom and Australia - in naming China as being behind a major global attack.

Most went unattributed, however.

"The decision to publicly attribute isn't a decision we make alone. It's a multi-agency process and of course, ministers and the Prime Minister will make that choice," said Fong.

Cyber-attacks on New Zealand companies were primarily focused on financial crime or espionage, but recent state-sponsored campaigns like Russia's disinformation attack during the US presidential election also had authorities here paying attention.

Malware Free Networks took it a step further.

"What we're trying to do is take our understanding of what we are learning through those accesses or those relationships, and make sure we can push those out to as many different nationally significant organisations as possible.

"So what we're hoping to do is work with Internet service providers - and we're mid-project - to develop a capability that will allow us to proactively detect potential incidents before they occur," Fong said.

Outsourcing of supplies and the "Internet of Things" were two emerging areas of weakness as technology progressed.

The "Internet of Things" referred to increasing connectivity between devices that powered homes, buildings or entire networks, which effectively created a wider "surface area" for potential attacks.

The development of a 5G network also fell under that category.

"What that presents is both opportunity - you get your driverless cars, you get your medical devices, because you can rely on the quality of the internet.

"It also represents potential vulnerability."

The Government and the GCSB were working through an application from telco Spark, which wants Chinese telecommunications company Huawei to build its new 5G network in New Zealand. The application was initially rejected by the bureau, which has the power under New Zealand law to exert such vetoes when it comes to nationally-sensitive infrastructure.

Huawei's relationship with the Chinese Government, paired with a law change last year that many western countries perceive to mean that the Chinese Government could compel Chinese companies to spy, is understood to be a major driver in the GCSB's decision. Similar decisions had either already been taken, or were being considered, by other Five Eyes countries.

Stuff
