The purpose of this report
This report is written for leaders making decisions about cyber security in medium-to-large organisations.
It outlines five key judgements about the New Zealand cyber security threat environment.
We encourage you to use it to consider how prepared your organisation is.
The report is designed to provide you with context, so you can act on informed decisions.
Foreword | Whakapuakitanga
Are you prepared for a serious cyber security incident?
If your organisation was targeted by a malicious cyber actor today, would you be ready?
New Zealand’s remote location at the bottom of the world can isolate us from challenges in other regions, but when it comes to cyber activity, there’s nowhere to hide.
Over recent years, the National Cyber Security Centre (NCSC) has dealt with about one incident per day that has the potential to cause harm at the national level. Such incidents don’t just involve large corporates or big government agencies – some smaller organisations also play a crucial role in our economy and society and can be affected.
Many New Zealand businesses and organisations make the mistake of assuming they are not big enough, wealthy enough or critical enough to be a target.
As we highlight in this report, there are many reasons why your organisation may be a target.
In cyber security, we talk about the activity of threat actors arising from their capability and intent. Do they have the tools and ability to cause us harm? Do they have a reason to? Around the globe, both capability and intent are on the rise.
Capability is increasing through technological advancement. Business models such as ransomware-as-a-service – in which developers sell or rent ransomware tools and infrastructure to other cybercriminals – are well established and have enabled a less technically skilled cohort of malicious actors to access effective tools.
In terms of intent, malicious cyber actors target New Zealand organisations for a range of reasons. Financial gain is the obvious one, but actors may also be motivated by espionage (including intellectual property theft), or the desire to cause disruption for political reasons. The current turbulent international environment is more likely to generate motivated actors.
The likelihood of threats being realised also depends on target availability and how well-defended those targets are. Malicious actors’ scope for causing harm has been enlarged as the threat surface has also expanded. New systems, technologies and practices that organisations are adopting can open new avenues for attack.
And although you may be doing your best as an organisation to keep your own security practices up to standard, you may be affected by a supplier or third party with links to your network or in custody of your data.
In summary, malicious actors could target you because of what you have, what you know, or what you stand for. You may be a stepping stone to another, more valuable organisation. You may be collateral damage. Or you might just be an easy win.
How prepared are you?
While cyber security is an important focus of the Government, most protections in New Zealand exist outside government. Individuals, private organisations, and industry are best-placed to protect data, networked devices, and infrastructure, and most effort in protecting technology and systems needs to come from the owners and operators of these.
This report is designed for leaders making strategic decisions about cyber security risks and investments in medium-to-large organisations in both the public and private sectors. However, the report has relevance for anyone seeking to protect themselves or their organisation from cyber risks. By being equipped with the right context and questions to ask, you can ensure your organisation is thinking about the risks that may affect you.
Those who have read our previous Cyber Threat Reports may notice that the format has changed this year. We hope you find value in our new approach.
Bridget White (she/her)
Deputy Director-General Cyber Security (acting)