Recently Roger Temple from our Security Consulting Division presented at the Bay of Plenty Regional Council Security Interest Group – Information Security in New Zealand – do we get it and are we doing it right?
Roger highlighted the predication that the cost of cyber crime will reach US$6 Trillion globally by 2021. One of the significant issues is the rise in theft of personally identifiable information (PII) with significant breaches experienced by global organisations in the last few years. The most recent was Equifax that had 145 million records stolen, resulting in a $70 billion class action lawsuit. 2017 saw the advent of some serious vulnerabilities and ransomware such as KRACK attack, Wannacry and Petya.
New Zealand issues
The PwC Global State of Information Security survey 2016 and the PwC Global State of Information Security survey 2017 showed that New Zealand is lagging behind in the adoption of security technologies and practices. It highlighted that skilled InfoSec practitioners are thin on the ground. The surveys showed that only 20% of cyber security spending aligns to business revenue compared to 63% globally. Cyber-security agency CERT NZ reported losses of over $1.1m in its second operational quarter as a result of cyber crimes.
Roger discussed the main areas that make up InfoSec. These include:
- incident management,
- the importance of having strong management commitment,
- clearly defining InfoSec roles and responsibilities, and
- regular reporting, training and awareness programmes.
There is often a perception that InfoSec is too hard, too expensive and overall, will produce little tangible business benefits. Effective InfoSec strategies extend to a range of devices and provide:
- strong governance,
- consider who is accessing data,
- effective technical control,
- social engineering, logging and monitoring,
- supplier management, and
- incidence response.
While New Zealand is slow on the uptake of InfoSec in comparison to the rest of the world, and there is a shortage of skilled InfoSec professionals, we are improving. Challenges There are some challenges impacting organisations and their implementation of an effective InfoSec strategy. This can include lack of funding, insufficient technical capabilities or tools, and lack of InfoSec expertise and experience. Implementation of any InfoSec management requires an holistic view of business priorities as well as a risk-based approach. It needs to be an intrinsic part of doing business in a connected world. The creation of CERT NZ shows positive recognition from the government, but New Zealand needs increased funding and initiatives to move forward.