GCSB outlines cyber resilience tips for NZ businesses
"We are an agency with a difference – we have intrusive powers and much of what we do needs to be done in secret. Our powers can only be employed with the right level of authorisation," said the Government Communication Security Bureau (GCSB)'s director-general Andrew Hampton last week.
He spoke at the Business New Zealand CEO Forum in Auckland, where he outlined how New Zealand businesses can improve their cyber resilience. He also spoke about the GCSB's role in keeping New Zealand safe, and how the Intelligence and Security Act 2017 (ISA) aims to protect New Zealand's security.
"We can and do access the internet traffic of New Zealand organisations for cybersecurity purposes, to help keep them safe from cyber attacks. We do this with the consent of the organisations involved."
Hampton says the GCSB can help New Zealand businesses become more resilient to cyber threats by identifying where to best focus cybersecurity and resilience efforts.
Reflecting on the National Cyber Security Centre's 2018 Cyber Security Resilience report, Hampton says there are four areas of good practice: Governance, investment, readiness, and supply chain. Below are excerpts from Hampton's speech.
Governance is the oversight of cybersecurity at a board or executive level. Executives and boards play a critical role in driving cybersecurity as a priority within the organisation and ensuring the security approach aligns with business strategy.
"They are ultimately responsible for any outcomes of an incident, including the potential impact on stakeholder and customer confidence.
"We suggest the following steps to help increase maturity in this area:
- Identify the person, or people, who are accountable for cybersecurity in your organisation;
- Ensure your organisation's leadership receives regular reporting on security issues from your IT team or service provider; and
- Make cybersecurity reporting easier to consume. For example, report cybersecurity 'near misses' in the same way as you might report Health and Safety issues."
Investment is necessary for any organisation to make improvements in their cybersecurity.
Not all investment returns the same value. We found that while spending has increased, investment could be more targeted. We suggest organisations could take the following steps to increase their investment maturity:
- Identify the information assets that are most critical to your business and assess the risks posed to these assets;
- Seek agreement at a governance level on the organisation's risk appetite;
- Balance strategic, longer-term investments in the development of assets and staff over "one-off" costs for vulnerability assessment snapshots; and
- Create a separate budget line to effectively manage and track IT security spending.
Readiness refers to preparing the organisation to detect, respond, and recover from a cybersecurity incident.
Readiness for an incident enables an organisation to reduce the overall cybersecurity risk through prompt and effective recovery. The ability to detect an intrusion and to respond promptly is the difference between a minor and a major compromise.
Organisations can increase their cybersecurity readiness by:
- Acquiring the tools or services that enable detection of incidents; and
- Preparing a cybersecurity incident response plan and testing that plan on a regular basis.
Supply Chain refers to maintaining oversight and awareness of the cybersecurity risks in an organisation's supply chain.
Outsourcing can be an effective way to overcome challenges of IT investment.
However, this does not transfer the risk. Organisations must be aware of the strength of each link in their IT or security supply chain. Organisations must also ensure third party providers are delivering the business requirements for security.
In order to improve supply chain security organisations should:
- Include cybersecurity as a consideration when assessing new vendors. Include regular security reporting as part of the contract and, where possible, build specific security clauses into Service Level Agreements; and
- Ensure you have the right to audit your vendor's performance periodically to validate that the agreed level of security is being provided.
Ask the right questions
Hampton says businesses should discuss the following topics with their teams:
- Information assets: What are our most important information assets? How are we protecting these assets? Are we managing the risk to an acceptable level in accordance with our business objectives and do we have a security framework in place?
- Impact: What would be the impact of a cyber attack? What are the cybersecurity risks to the organisation? What is the potential cost of a cyber attack and the damage to our brand?
- Vulnerabilities: What vulnerabilities exist in our systems? Do we have inventories of all of our IT systems? Are we following best-practice advice and do we conduct regular audits and security risk assessments?
- Response: What is our communication strategy for dealing with a cyber incident? What are our disclosure requirements for cyber incidents and what is our incident response plan?