“We are an agency with a difference – we have intrusive powers and much of what we do needs to be done in secret. Our powers can only be employed with the right level of authorisation,” said the Government Communications Security Bureau (GCSB)’s director-general Andrew Hampton last week.
He spoke at the Business New Zealand CEO Forum in Auckland, where he outlined how New Zealand businesses can improve their cyber resilience. He also spoke about the GCSB’s role in keeping New Zealand safe, and how the Intelligence and Security Act 2017 (ISA) aims to protect New Zealand’s security.
“We can and do access the internet traffic of New Zealand organisations for cybersecurity purposes, to help keep them safe from cyber attacks. We do this with the consent of the organisations involved.”
Hampton says the GCSB can help New Zealand businesses become more resilient to cyber threats by identifying where to best focus cybersecurity and resilience efforts.
Reflecting on the National Cyber Security Centre’s 2018 Cyber Security Resilience report, Hampton says there are four areas of good practice: Governance, investment, readiness, and supply chain. Below are excerpts from Hampton’s speech.
Governance is the oversight of cybersecurity at a board or executive level. Executives and boards play a critical role in driving cybersecurity as a priority within the organisation and ensuring the security approach aligns with business strategy.
They are ultimately responsible for any outcomes of an incident, including the potential impact on stakeholder and customer confidence.
We suggest the following steps to help increase maturity in this area:
Investment is necessary for any organisation to make improvements in their cybersecurity.
Not all investment returns the same value. We found that while spending has increased, investment could be more targeted. We suggest organisations could take the following steps to increase their investment maturity:
Readiness refers to preparing the organisation to detect, respond, and recover from a cybersecurity incident.
Readiness for an incident enables an organisation to reduce the overall cybersecurity risk through prompt and effective recovery. The ability to detect an intrusion and to respond promptly is the difference between a minor and a major compromise.
Organisations can increase their cybersecurity readiness by:
Supply Chain refers to maintaining oversight and awareness of the cybersecurity risks in an organisation’s supply chain.
Outsourcing can be an effective way to overcome challenges of IT investment.
However, this does not transfer the risk. Organisations must be aware of the strength of each link in their IT or security supply chain. Organisations must also ensure third-party providers are delivering the business requirements for security.
In order to improve supply chain security, organisations should:
Ask the right questions
Hampton says businesses should discuss the following topics with their teams: