The Government Communications Security Bureau (GCSB) says digital transformation is outpacing investment in cyber security among New Zealand's nationally significant organisations. It is calling on them to lift their internal cyber security dialogue to drive the necessary changes.
The findings come from a survey of 250 nationally significant organisations by the GCSB’s National Cyber Security Centre (NCSC) to establish their level of cyber security resilience and the potential impacts if they were compromised.
It found 73 per cent of organisations had increased their spending on cyber security in the past year, but said this investment had not necessarily translated into increased confidence in their cyber security resilience.
Nineteen per cent of organisations had a dedicated chief information security officer, while the remaining 81 per cent either did not, or had it as part of a broader role.
Of those organisations that used managed service providers, 36 percent had no mechanism to confirm whether the vendor was delivering on the agreed level of security.
"Spending has increased across all areas of cyber security but a focus on tools and vulnerability assessment has come at the cost of investment in people. As a result, 52 percent of organisations reported they had insufficient skilled staff for their security requirements," GCSB said.
"Levels of confidence in the ability to respond to cyber security incidents are not high, with 41 percent of organisations either mildly confident or not confident in their ability to detect an intrusion," GCSB said.
"Sixty-three percent reported having a cyber security incident response plan, and of those who had a plan, 33 percent had not tested that plan in the past year."
The report Thinking ahead. Being prepared. Cyber security resilience of New Zealand’s nationally Significant Organisations 2017-2018 identifies four key focus areas in which New Zealand organisations could improve, and provides practical steps organisations can take to strengthen their cyber security posture and resilience:
- Governance – Promoting cyber security at a senior leadership level to protect an organisation’s most important digital assets.
- Investment – Investing in cyber security to minimise risk and maximise returns.
- Readiness – Preparing the organisation to detect, respond, and recover from a cyber security incident.
- Supply Chain – Maintaining oversight and awareness of the cyber security risks in an organisation’s supply chain.
In addition to the unclassified report, each organisation that participated in the survey has received an individual confidential report that provides a range of actions it could take to help increase its resilience.
Boards get cyber security wake-up call
The Institute of Directors, in partnership with cyber security consultancy Aura Information Security, has produced a cyber security guide, Reporting Cybersecurity to Boards, aimed at helping organisations combat cyber risk.
Institute of Directors chief executive Kirsten Patterson said cyber security had been on the agenda of boards for some time, "but directors are telling us that they are not getting sufficient information about cyber risks and incidents, or the actions they have and should be taking to address these."
She said the new guide "sets out principles on reporting to boards, key questions to help identify and develop metrics, and sample dashboards."