At the recent Cyber Security Summit in Auckland, new measures including a national Computer Emergency Response Team (CERT) and a credentials scheme for business were announced. Like most new endeavours, the implementation will present a number of challenges and even more opportunities to build on these positive steps.
At the summit, Prime Minister John Key made a pre-Budget announcement confirming a $22 million investment in the CERT. Summit host and Minister for Communications Amy Adams said the CERT would have an appointed public and private sector advisory board reporting directly to her. To enable a fast start, the CERT will initially be housed within the Ministry of Business, Innovation & Employment. Minister Adams also confirmed that a cyber-credentials scheme would be up and running by the end of this year.
With no mandatory reporting, the CERT will rely on building trust with businesses so that they contribute information about their security breaches, and on a business and public sector community capable of understanding and using this information. At the Cyber Security Summit, keynote speaker Richard Salgado of Google was among those who noted that while mandatory reporting occurs overseas, it isn’t necessarily more effective. Anyone with a major bank account, or who uses a service, is likely to be made aware of a breach. As Richard says, “it is more important to ask, what are you going to do about it?”
Many SMEs rely on outsourced technology support to secure their systems and data. Of course there are also variances in contracting service providers – when you don’t know what good looks like, it isn’t always easy to know what to look for. The next initiative the Government should pursue through future budgets is to support and fund certification processes that would help inform businesses who the best technology providers are.
In New Zealand, and many other parts of the world, we tend to focus on technology, systems and hardware. But a locked-down security environment is where we tend to see the worst behaviours – people will find ways to work around this; for example, your colleague who emails documents home, or the vendor who provides content on a USB plugged straight into your hardware.
Focusing purely on technology and systems will never be fully effective – organisations must also turn their attention to their people and the processes supporting them. Human error, or “wetware”, is still the biggest weakness in any cyber security defence. Education and understanding support the good systems in place – and growing the understanding and capability of cyber security would be a great Government investment. The more leadership teams understand and support security, the more likely their organisations are to improve their understanding of, and reaction to, the changing threats. If we achieve this, then the information provided by a CERT would be well used.
We also can’t rely on our physical isolation as a protective measure. That didn’t work for the flightless bird that used to exist here … and it won’t work for cyber security. New Zealand has an opportunity to not only catch up with the rest of the world but to actually become better when it comes to cyber security.