The Government’s “Cyber Security Strategy and Action Plan” reached a key milestone last week with the release of its first Annual Report. The importance of a robust and coherent strategy grows ever more apparent, as New Zealand businesses increasingly rely on the internet for trading, administration and communication. While the Action Plan does not (and cannot) offer a perfect safety net, businesses willing to engage proactively with its proposals and initiatives are likely to find the Annual Report of some assistance in the uphill battle against cyber attacks.
This update summarises the key points from the Annual Report that are likely to be of particular relevance to New Zealand businesses.
The Government’s “Cyber Security Strategy and Action Plan” was announced in December 2015. It focuses on four main goals:
- resilience of infrastructure to cyber threats,
- improving cyber capability and understanding of cyber threats,
- addressing and responding to cyber crime, and
- enhancing international cooperation.
Summary of Annual Report
The Annual Report outlines progress in a number of areas of the Cyber Security Action Plan. These include:
- CERT: New Zealand’s CERT (Computer Emergency Response Team) will commence operations in the first half of 2017. CERT NZ will provide a central place for New Zealand entities to report cyber security incidents, and will ensure that incidents are dealt with by the most relevant organisation. The functions of CERT NZ include: (i) incident response and triage; (ii) situational awareness and information sharing; (iii) advice and outreach; (iv) international collaboration and point of contact; and (v) coordination of serious cyber incidents.
- CORTEX: GCSB continues the roll-out of its CORTEX malware protection services to organisations of national significance. CORTEX focuses on countering particularly advanced and persistent malware, often foreign-sourced, which is not adequately mitigated by standard commercially-available tools. The report notes that the project has received positive feedback from participants so far, and confirms the next step as being “the full deployment of CORTEX capabilities to National Cyber Security Centre customers”.
- GCSB pilot: The report identifies Vodafone as the winning ISP selected for GCSB’s pilot of its “Malware Free Networks” scheme. The pilot will let Vodafone use GCSB's cyber threat information and technology to mitigate cyber attacks for certain of its commercial customers who consented to take part in the pilot.
- Connect Smart: The Connect Smart partnership, which comprises over 150 businesses including banks, telecommunications and ICT companies, will re-run its “Connect Smart Week” after the successful event in October 2016. Connect Smart also ran the inaugural Cyber Security Summit in Auckland in May 2016. As “Next Steps”, the report identifies: continuing to provide a range of cyber security resources for business and Connect Smart partners; and aligning Connect Smart with the CERT NZ advice and outreach functions.
- Certification: The National Cyber Policy Office is developing a prototype package by which small businesses can obtain certification of their “cyber credentials”. The package has been tested with a sample of small businesses, and work is underway on the next steps to develop a scaled-up cyber credentials package for the New Zealand small business market.
- Standardisation: The report also identifies the need to conduct further work towards establishing a benchmark of cyber security maturity for New Zealand businesses. This would be based on business perception of cyber risks, and business experience of incident responses and risk management practices.
In his foreword, the Minister reflects positively on “a busy year,” but also cautions that “there is more to be done” – a sentiment doubtless shared by all businesses focused on the ever-changing threat to cyber security.