momius - stock.adobe.com

New Zealand to run national cyber security exercise

The island-nation will test the resilience of its critical infrastructure in November 2018, bringing together multiple agencies to protect assets of national significance

This article can also be found in the Premium Editorial Download: CW ANZ: CW ANZ: Exploring blockchain

New Zealand will run its first full-scale national cyber security exercise this November – almost a year after it was first scheduled.

The delay was prompted by the country’s 2017 change of government, according to Paul Blowers, chief information security officer for New Zealand Police and the orchestrator of the exercise which has been two years in the making.

Speaking at the Gartner security and risk management summit in Sydney, Blowers stressed the importance of national security tests, citing New Zealand’s broadcasting, communications and digital media minister Clare Curran, who warned that advanced cyber threats have the potential to cause NZ$640m of harm annually to New Zealand organisations of national significance.

According to Blowers, one of the goals of the exercise is to test the Cyber resilience of New Zealand, and assess how well the multiple agencies involved with cyber security work together and communicate.

New Zealand is growing its investment in cyber security tools and services at a faster rate than Australia at present, according to Gartner.

The technology research firm said that worldwide cyber security spending will rise 12.4% this year to more than US$114bn. In Australia, growth will be a more moderate 6%, rising to 9.8% in 2019.

In New Zealand, security spending is expected to grow 9% this year to NZ$550m, followed by 9.9% in 2019.

Potential savings

Delegates at the summit were told that if they bake security into their systems early on, there are potential savings to be had.

Hadi Rahnama, head of cyber security for the Bank of Queensland, said any organisation embarking on digital transformation needs to ensure security receives proper attention from the get-go and apply a “defence in depth” strategy with multiple layers of protection and monitoring.

“When you start a digital journey, you need to consider cyber security in parallel – if you try to do it later it will cost you more and cost you more as a risk,” he said.

“We put a platform in with highly sensitive data, but could not implement secure transmission and got an exemption,” said Rahnama.

Although it would have cost A$500,000 to implement secure transmission at the start, he said it eventually cost the bank A$2m, noting that much of the money went into regression testing as a result of the delay.

Like Blowers, Rahnama is a big fan of security exercises and recommended all organisations to invest in penetration testing of their systems.

“We did our first ever exercise last year which came up with findings we could never imagine – it’s a bit costly, but you are going to get a lot of value about whether your system is secure or not. The result will be scary, but if you don’t do it someone will do it to you,” he said.

Read more about IT in New Zealand

Penetration testing is one the few security tasks that he believes should be outsourced to a third party.

However, Rahnama called for organisations to keep the most important functions in-house, such as analysing security logs where knowing the business context of whether an activity is normal or not is critical.

“We had a lot of our monitoring outsourced, but we struggled with it. It’s easier to have an in-house skill set,” he said.

In-house capability is particularly important for DevOps, where code needs to be assessed before it is deployed, but the process cannot be unnecessarily slowed, said Rahnama.

He also recommended that companies embracing DevOps have their security teams occasionally scour public source code repositories to see what developers have loaded, as there could be surprises and potential vulnerabilities.

Read more on Data breach incident management and recovery