Cyber Security Questions from New Zealand Businesses for 2023 – 4 Security Experts Answer Your Questions

NSP Marketing

17 November 2022

9 min read

This article answers key cyber security questions using the combined advice of four New Zealand-based cybersecurity experts who recently came together for the NSP Cyber Security Roundtable.

To join future roundtables and business security talks, contact events@nsp.co.nz

You can also read about emerging cyber security trends or download the full Roundtable Cyber Security Report here.

Here are the Q&As on cyber security that are covered in this article:

What Cyber Security Questions are New Zealand Businesses asking in 2023?

1. Who is responsible for managing cyber risk in an organisation?

Everyone in the organisation must practise due diligence and due care, but the board is ultimately accountable, as its members can be jailed for negligence.

Make sure your organisation has done the right things with your partners, particularly by having conversations around security posture and activating continuous scans.

For clarity on what your organisation should be doing around its cyber security culture, call us on XXX or email through our contact form.

2. Who are the most commonly attacked people inside organisations?

This is one of the most commonly asked cyber security questions, and the answer is yes: certain people within an organisation are automatically considered vulnerable because of their high-level privileges. People such as the CEO and board members are common targets for phishing attacks and social engineering compromises.

Business email compromise (BEC) attacks attempt to impersonate senior executives and/or key business partners. The goal? To steal money.

Sometimes the hacker successfully compromises a legitimate business email account, but often social engineering is the tool of choice.

Their aim is to convincingly masquerade as a senior executive, such as a CEO or CFO, and request a wire transfer to a supplier, where the account number supplied is controlled by the hacker.

In other BEC attacks, hackers intercept emails from suppliers and substitute their own account numbers for the supplier’s.

3. How do we protect our business from human-error cyber threats?

Protecting the human edge is essential, so pinpoint your vulnerable people, such as the ‘happy clicker’ or the employee who fails the security training. Specifically, make sure they have privileged access only for what they need.

It can also be useful to divide your staff into at least three groups:

  • C-level VIPs with high privilege
  • Technical admins with elevated access
  • Everyone else

Next, understand where you’re at from a baseline point of view. Set targets for improvement and measure against them regularly so you can systematically improve your baseline over time.

It will help if you have:

  • Visibility of what’s happening in your network, by utilising continuous scanning.
  • Layers of defence. Layered defence can help protect against the various stages of an attack.
  • A positive cyber security culture where employees aren’t shy about reporting incidents.
  • Education, which is a cost-effective way of improving security posture because 99% of issues enter through the human edge.
  • Top-down education that is relevant and meaningful for employees and matches their roles and the risks they often face.
  • Continual testing to determine employee cyber awareness.

Plot each group’s progress over time. You can then take these numbers to the board to show improvement and areas of risk.

Want to understand people-centric cybersecurity? Our Human Factor report dives deep into each of the three facets of user risk and explains how a people-centric defence can make users more resilient, mitigate attacks and manage privilege.

DOWNLOAD THE HUMAN FACTOR REPORT

4. Why would two penetration tests over two years bring up the same issues?

…even when our cyber security partner had ‘addressed’ the problems?

It’s one thing to address a vulnerability, but it’s another to manage the processes or the systems that lead to those vulnerabilities. If you don’t address the methods and systems, you keep repeating the same mistakes.

Read: What’s the difference between penetration testing and vulnerability scanning?

5. Why do we have to use a third-party IT supplier who is not accredited?

…even if one part of our business is ISO 27001 accredited?

A key issue is that ISO 27001 is a management standard, not a security standard. It gives you a best-practice management framework for implementing and maintaining security.

So you don’t have to have an ISO 27001 accreditation per se. Even if the third party is ISO 27001 certified, you should still do a risk assessment with them, discussing what’s essential to stay on target with your security.

Ask them questions about which data sources could impact your organisation. If a breach would end up as headline news, then their security may be an issue for you.

However, compliance or external certification to ISO 27001 does not mean you are secure. It means that you are managing security in line with the standard, and to the level you think is appropriate for the organisation.

6. What strategies exist for catering to dispersed networks?

…especially around data loss prevention (DLP) and insider threat protection (ITP)?

Last year, analysts recommended Secure Access Service Edge (SASE), and then Gartner moved towards Security Service Edge (SSE). Forrester later led with their Zero Trust model.

I think the Zero Trust model of questioning is critical, so I ask myself, do I:

  • trust this person?
  • know who they are?
  • know which IP address they are coming from?

A Zero Trust framework requires understanding who your network can talk to, based on who you are and what level of authority you should have.

There have been instances where records have been widely available to organisational members. In one such case, employees of a financial services organisation had access to about 11 million files. This situation would not occur under the Zero Trust model.

The Verizon Insider Threat Report 2018 revealed that privilege misuse represented 20% of all cybersecurity incidents, meaning that users with access to data they don’t use are opening the organisation up to many potential issues.

We recommend fixing issues as they arise and also creating a long-term plan spanning three to five years. The plan needs to align with your organisation’s security objectives.

(Note: Don’t confuse the Zero Trust model with Zero Trust Network Access (ZTNA). Surprisingly, the latter is a poorly named product category that publishes specific resources to users rather than providing access to the network as a whole.)

Who can New Zealand Businesses Ask About Cyber Security Issues?

NSP are cybersecurity experts who are well versed in:

  • Digital transformation
  • Awareness testing
  • Ransomware attacks and cyber attacks
  • A large number of security threats and cybersecurity trends

If this article has raised questions about your business cyber security needs, talk to our in-house experts at NSP: call 0508 010 101 or get in touch through our contact page.

Who are our New Zealand Cyber Security Experts?

The cybersecurity experts who made up our roundtable panel come from several businesses based in New Zealand.

Download the Complete NSP Security Round Table Now
