Managing Cyber Threats
Cyber security threats were on the rise prior to Covid-19, with high-profile cases including 339 cyber security incidents of national significance recorded by the National Cyber Security Centre in FY1[1], 38% linked to state-sponsored computer network exploitation groups, 17% detected after systems were compromised:
2019 – Ministry for Culture & Heritage
2019 – NZ Treasury
2017 – 2019 – NZ Transport Agency
However the Covid-crisis has seen an increase in threats[2] which may have several drivers[3]:
Espionage actors operating for governments with economic interests at play or increased geopolitical tensions;
Reduced spending from consumers means groups that traditionally go after credit card details need to find new income sources;
Organised crime groups likely see this as an opportunity to target organisations in desperate situations;
Most high-profile ransomware operations are run as affiliate programmes, which has triggered a growth in the number of actors and affiliates who participate in their programmes. Ransom demands (and therefore revenues) are growing, encouraging other actors to enter the market;
Opportunistic reconnaissance identifying vulnerabilities, possibly related to rapidly stood up remote working practices.
The latest target - NZX compromised for a week.
Experts in cyber security and payments consider New Zealand’s security landscape immature, and therefore very vulnerable[4].
The likelihood of threats becoming reality has also risen due to increased working from home and related risks for access to a company’s network,[5]:
Temporary workplaces and home offices set up during the time of COVID-19 related lockdowns often don't have the same level of protection as the office;
The internet connection at home is not secured to the same extent as an enterprise network, including uncontrolled and poorly informed network users;
Highly emotive information, offers and surveys which are in reality cyber-criminal activity and scamming emails;
Staff working from home don't have the option of asking colleagues across the office whether the contents of an email or identity of a sender could be trustworthy.
Organisations affected by cyber security breaches suffer significant consequences, which can include:
Reputation and customer confidence: funding, customer participation and revenue
Productivity: costs, investments
Operational disrupt: damage to economy, property, personnel and customer health and safety
Asset loss: data, digital assets
ICG has developed a cyber security audit program based on global best practice, which provides a comprehensive view of threats, their drivers and potential roadmap to security for councils, SOE’s, Departments, Ministries and related entities such as key suppliers (see illustration above for our framework).
Depending on organisation complexity the audit and reporting can be performed in as little as 4 weeks, providing organization leadership and ICT management with a clear view of threats, mitigating actions and a risk-weighted plan. Key recommendations include:
Current and future target risk and maturity profile
Security practice size/shape
Risks and opportunities for customer facing, business network and control systems
Governance opportunities
Education and training opportunities
Changes to current security footing as it relates to the environment
End user enablement policies in areas such as mobile phone use, authentication, cyber education, etc.;
Infrastructure and software planning; business continuity and disaster recovery;
Recent client feedback on ICG’s Cyber Security Audit Program from a NZ local council CIO: “I have found (ICG’s consultant) work to be outstanding.”
Contact ICG for a confidential discussion on your situation and program alignment.
Marc Potter Chris Ward
CEO Senior Cyber Security Consultant
marc.potter@internalconsulting.com chris.ward@internalconsulting.com
+64 027 4433 867 +64 021 975 323
[1] www.ncsc.govt.nz/newsroom/cyber-threat-report-for-201819-released/
[2] itbrief.co.nz/story/trend-micro-covid-19-related-malware-and-spam-on-the-rise
[3] www.pwc.co.uk/issues/crisis-and-resilience/covid-19/why-an-increase-in-cyber-incidents-during-covid19.html
[4] www.nbr.co.nz/story/hackers-target-online-shops-covid-drives-sales?utm_medium=email&utm_source=NBR%20Today
[5] securitybrief.com.au/story/cyber-criminals-continue-to-capitalise-on-covid-19
Internal Consulting Group provides unbundled advisory services to private and public organizations across Asia Pacific, North America and Europe. With an accredited professional membership base of 4,500 ICG operates a responsive high-capability model with significant value for clients.
In ICG New Zealand has completed a wide range of engagements for government and private sector clients:
Salesforce implementation including data migration and training for global enterprise on three continents
Scenario planning and enterprise strategy for large +$3b Australian heavy equipment distributor
Global brand design for NZ primary producer including design and calibration of international price-to-features matrix
NZ Country strategy for global heavy equipment OEM
Critical thinking course for 100-person leadership team of NZ listed company
Successful Australian acquisition due diligence for NZ payments company
Organisation design for Small Business Bank of one of Australia’s 4-pillars banks
Fishing quota valuation and strategy for Maori trust
Executive organisation and governance process design for major government agency
Enterprise purpose discovery for Australian charitable organisation
Management Operating System (MOS) design and implementation for major Australian/PNG gold mining & processing complex
Post merger integration of an industry-leading software company with a global payments company
Customer experience diagnostic and action plan for large NZ logistics company including pricing and territory optimization strategies
Strategy, business plan and interim sales management role for key NZ insurer – 30% year-on-year sales increase
Deal facilitation for Japan market entry with follow-on role as interim Japan CEO for global financial services company
Risk assessment of real estate development and development partner plus mitigating action plan for NZ Local Authority
International roll-out of enterprise risk framework for global financial services company
Assessment of SME and rural sector marketing and sales performance for major NZ bank