Our national response to cyber-crime is top-heavy

Posted on Jul 22, 2016 in IT policy, Security
Our national response to cyber-crime is top-heavy

Cyber-crime continues to become more complex and prevalent, so the New Zealand government and a small number (two) of non-profit organisations have responded with various policies, initiatives and advice.

Largely the government organisations and initiatives are focused on keeping our government agencies and infrastructure safe from threats and breaches, which keeps us safe, and the private non-profit organisations like NetSafe and The Internet Task Force are focused on helping individuals and businesses.

Within New Zealand we have a wide breadth of organisations all working towards strengthening our cyber resiliency, but this large nation-wide response is top-heavy and there is more to be done at the ground-level.

The cyber-crime response includes:

  • The New Zealand Police have a cybercrime unit, which focuses on the prevention, investigation and prosecution.
  • The Government Chief Information Officer (GCIO) is leading a cross government programme of work to provide clear expectations, guidance, advice and tools to support capability building in privacy and security.
  • NetSafe: a not-for-profit private organisation there to educate the public on cyber threats as well as monitoring and reporting on current threats and crime. NetSafe also operates The Orb (online reporting button) – a facility to report a cyber incident, threat or crime.
  • New Zealand Internet Taskforce (NZITF) is another non-profit organisation with the mission of improving “the operational robustness, integrity, and security of the internet in New Zealand” where their regular forum allows for “collaboration on matters relating to the cyber security of New Zealand.”

Within my office alone we’re witnessing a substantial increase of ransomware and other cyber threats targeting our customers. Although we have the solutions and security in place to protect them, we’re finding that if there is a breach the same criminal tactics were seen elsewhere within the industry. These criminals continue to exist because there is culture of not reporting security breaches.

I’m not suggesting that reporting cyber security threats and breaches becomes mandatory but I agree with the Director of the National Cyber Policy Office Paul Ash who said we should be developing an “intrinsic desire to report and record incidents.”

Industry group organisations need to take the lead and pool resources – put their own processes and education in place, and establish a best practice guidelines relevant to their sector.

In April I wrote on how industry must work together to address these issues, you can read the story here in SecurityBrief NZ.