GCSB releases cyber resilience report

The Government Communications Security Bureau (GCSB) has released a benchmark assessment of cyber security resilience across New Zealand’s nationally significant organisations.

The GCSB’s National Cyber Security Centre (NCSC) surveyed 250 nationally significant organisations to establish their cyber security resilience and the potential impacts if they were compromised.

“The survey is the first of its kind in New Zealand and provides a useful benchmark for cyber security resilience across New Zealand’s nationally significant organisations,” GCSB Director-General Andrew Hampton said.

“Overall it appears that digital transformation is outpacing investment in cyber security and as a result we found a range of resilience levels.

“While most organisations are heading in the right direction, more work needs to be done to improve cyber resilience across the board.

“Organisations should be optimistic about their ability to improve their security posture where they are able to take a strategic and systematic approach to it.

“There are a lot of dedicated cyber security professionals, doing their best with limited resources.  We hope this report will help them lift the cyber security dialogue within their organisations and to drive the change that is needed,” Mr Hampton said.

Key findings include:

• 19 percent of organisations have a dedicated Chief Information Security Officer, while the remaining 81 percent either didn’t have the function, or had it is as part of a broader role.
• 73 percent of organisations increased their spending on cyber security in the past year, however this investment has not necessarily translated into increased confidence in their cyber security resilience.
• Spending has increased across all areas of cyber security but a focus on tools and vulnerability assessment has come at the cost of investment in people. As a result, 52 percent of organisations reported they had insufficient skilled staff for their security requirements.
• Levels of confidence in the ability to respond to cyber security incidents are not high, with 41 percent of organisations either mildly confident or not confident in their ability to detect an intrusion.
• 63 percent reported having a cyber security incident response plan, and of those who had a plan 33 percent had not tested that plan in the past year.
• Of those organisations who use managed service providers, 36 percent have no mechanism to confirm whether the vendor is delivering on the agreed level of security.

In addition to the unclassified report being released today, each organisation who participated in the survey has received an individualised and commercially sensitive report. These reports provide a range of actions organisations can take to help increase their resilience including:

• Establishing clear accountability for cyber security;
• Regular reporting on cyber security, including near misses, to executives and directors;
• Balancing strategic investment in assets and staff over vulnerability assessment;
• Identification of critical information assets and risks to those assets;
• Having a dedicated budget line for IT security;
• Preparing and regularly testing a cyber security incident response plan, and
• Ensuring third party vendors include specific cyber security service level agreements and the right to be audited on cyber security performance.