The mandatory Protective Security Requirements (PSR) framework for New Zealand government agencies introduces additional rigour and governance to protect citizen data. The commercial sector could benefit by following the lead the public sector has set with this framework, says Greg Thomas, Director of Innovation and Strategy, Unisys New Zealand.
Data security is a mainstream issue for New Zealanders: since 2006 the top two security concerns identified by the Unisys Security Index have been unauthorised access to personal information and other people obtaining or using credit card details.[1]
Moreover, fifty-one percent of Kiwis expect a breach of their personal data held by government within the next 12 months.[2] This low level of trust is likely driven by two factors: the knowledge that the government holds a large amount of detailed data about its citizens that would be attractive to criminal data thieves, and the several high-profile breaches at New Zealand government agencies, both accidental and malicious, reported in the media in the last few years.
The move to eGovt channels to deliver services to New Zealanders, the increasing connectivity between agencies to share data, and the acceptance of internet-connected mobile devices and apps in the workplace offer many benefits, but have also created new data vulnerabilities that must be managed.
As a result, government agencies are an increasingly attractive target for “hacktivists” wishing to create havoc to make a political or social statement and for criminals seeking to demand ransom payments or steal valuable data; on top of this there is the ever-present issue of human error by employees.
And the problem is growing: the New Zealand National Cyber Security Centre reports that 147 incidents were recorded in the 12 months to 31 December 2014. In just the first six months of 2015 it recorded 132 incidents (79 of which were reported by government agencies) and expects the total to exceed 200 by the end of 2015.[3]
The good news is that the New Zealand government has formalised a policy framework known as the Protective Security Requirements (PSR), which sets out the Government’s expectations for managing personnel, physical and information security. The PSR is designed to help agencies:
- identify their individual levels of security risk tolerance
- achieve the mandatory requirements for protective security expected by government
- develop an appropriate security culture to securely and effectively meet their business goals.
The PSR clearly sets out what agencies must and should consider to ensure they are managing security effectively. This includes the mandatory appointment of a member of senior management as the Chief Security Officer (CSO), responsible for the agency’s protective security policy and for oversight of its protective security practices.
All agencies must conduct a risk assessment and develop their own set of protective security policies, plans and protocols to meet their specific business needs.
Commercial organisations would do well to take the government’s lead and adopt the same stringent approach.
Unisys recommends a top-to-bottom, holistic approach to security:
Step 1: Classify data – Not all data is the same; the level of sensitivity varies. Data can be grouped into classification levels according to the degree of assurance needed to keep it secure. Security measures are then applied according to that classification.
Step 2: Educate – Address the human element, which is responsible for accidental breaches, by educating employees about cybersecurity threats and the specific actions they are responsible for taking (or refraining from) to thwart such attacks. It is also important that they understand the consequences of not doing so. Back this up with technology that makes it harder to breach data accidentally (see Step 4).
Step 3: Assess and evaluate – Conduct cyber vulnerability assessments of all systems and procedures, not just those that fall under the jurisdiction of the IT department. In particular, ensure that ageing systems are updated with the latest security patches, that passwords are hard to guess, that access controls are adequate, and that cybersecurity technologies are agile enough to respond to evolving regulatory requirements and threats.
Step 4: Trust no one – Treat your own internal environment as “hostile”. Grant access to critical systems based on approved applications, functions and roles, not just a user ID and password. Use cloaking technologies to render critical assets invisible to unauthorised individuals, and strong encryption to make the data unreadable even if it is accessed.
Article by Greg Thomas, Director of Innovation and Strategy, Unisys New Zealand. He has more than 30 years’ experience in the IT industry covering various facets including operations, system administration and presales across a variety of technologies. Greg is a customer advocate focussing on the outcomes customers require, rather than just the technology or services that enable them.
[1] Unisys Security Index 2014 – http://www.unisys.co.nz/news/News%20Release/The-Majority-of-New-Zealanders-Are-Equally-Concerned-About-Accidental-Data-Breaches-and-Breaches-Caused-by-Malicious-Attacks-Unisys-Security-Index-Finds
[2] Unisys Security Insights research 2015 – http://www.unisys.com/ms/unisys-security-insights/new-zealand
[3] National Cyber Security Centre: Speech to the Technology and Privacy Forum by Una Jagose, Acting Director of the Government Communications Security Bureau – http://www.gcsb.govt.nz/news/news/speaking-notes-for-speech-to-the-technology-and-privacy-forum-by-una-jagose-acting-director-government-communications-security-bureau/