Responding to third-party data breaches

If your organisation has been affected by a third-party data breach, there are several steps you can take to protect your data and systems.

New Zealand organisations should consider the risk third-party data breaches pose to their own cyber security. If a data breach includes account information or user credentials, malicious cyber actors can reuse this data for password attacks (for example credential stuffing, where leaked username and password pairs are tried against other services, and password spraying) and for targeted social engineering such as phishing that quotes genuine account details.

If you suspect your organisation is affected by a third-party data breach, the NCSC recommends the following steps to help manage the risk.

Training and awareness 

Governance  

Review the Acceptable Use policy. Make sure it includes rules that prohibit staff from using their official IDs and login passwords as credentials for external websites, since a breach of such a site then exposes organisational credentials. Refer to section 14.3.13 of the NZ Information Security Manual (NZISM) for more guidance.

New Zealand information security manual | Government Communications Security Bureau

Security awareness training and culture  

Contact staff who may be affected and explain the risk of reusing official IDs and passwords for personal use on external websites — especially if the sites have no clear work-related purpose.  

Ensure all staff receive regular cyber awareness training and understand their role in keeping the organisation secure. Security awareness is part of meeting the Protective Security Requirements (PSR) and helps to protect people, information and assets. Training could include mandatory e-learning and participation in government awareness programmes.  

Building security awareness | Protective Security Requirements

Refer to NZISM section 9.1 and the PSR for guidance on security awareness and culture. Security culture is set from the top, and senior leadership plays a key role in creating a strong security culture.

New Zealand information security manual | Government Communications Security Bureau

User access management

Third-party data breaches are often discovered and publicly announced months or years after they happen, so leaked credentials may have been in circulation long before you hear about the breach. This highlights the need for good user access management both before and after your organisation becomes aware of a third-party data breach.

Account management and offboarding 

Make sure your organisation has clear processes for onboarding, offboarding and internal staff movement. Revoke system access for staff as soon as they leave. This includes access to cloud services and physical devices. Disable service accounts that are no longer actively needed.

Account clean-ups  

Regularly review the Active Directory (AD) user list against HR records. Immediately disable any AD accounts that belong to staff who have left, and review the logs for any activity on those accounts after the departure date.
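The reconciliation described above, as an added example that is not code from the page or from the NCSC: it compares a constructed AD export (standing in for a `Get-ADUser ... | Export-Csv` file) against a constructed HR leavers report. Column names, the sample accounts and the service-account register are assumptions. Besides listing accounts to disable, it flags any account whose last logon is later than the HR end date, which is the case worth a log review even when the account has since been disabled.

```python
"""Reconcile an Active Directory user export against HR records.

Added example (not from the page): both inputs are constructed CSV exports
standing in for an AD export and an HR leavers report. Column names and
the service-account register are assumptions.
"""
import csv
import io
from datetime import date

# Constructed AD export: account name, enabled flag, date of last logon.
AD_EXPORT = """sam,enabled,last_logon
akahu,True,2024-06-03
bsmith,True,2024-06-28
cjones,True,2024-05-20
svc_backup,True,2024-06-30
tmp_contractor,True,2024-06-29
dlee,False,2024-02-01
"""

# Constructed HR report: employee id, AD account, status, leaving date.
HR_EXPORT = """employee_id,sam,status,end_date
1001,akahu,active,
1002,bsmith,left,2024-06-14
1003,cjones,left,2024-05-31
1005,dlee,left,2024-01-31
"""

# Accounts legitimately absent from HR. In practice this comes from the
# service-account register; anything else without an HR record is an orphan.
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(ad_rows, hr_rows, service_accounts):
    """Compare AD against HR and return (disable, investigate, orphans).

    disable     - still-enabled AD accounts whose HR status is 'left'
    investigate - accounts whose last logon is after the HR end date, i.e.
                  the credential was used after the person left (flagged
                  even if the account has since been disabled)
    orphans     - enabled AD accounts with no HR record that are not in
                  the service-account register
    """
    hr_by_sam = {row["sam"]: row for row in hr_rows}
    disable, investigate, orphans = [], [], []
    for row in ad_rows:
        sam = row["sam"]
        enabled = row["enabled"].strip().lower() == "true"
        last_logon = date.fromisoformat(row["last_logon"]) if row["last_logon"] else None
        hr = hr_by_sam.get(sam)
        if hr is None:
            if enabled and sam not in service_accounts:
                orphans.append(sam)
            continue
        if hr["status"] != "left":
            continue
        end = date.fromisoformat(hr["end_date"])
        if enabled:
            disable.append(sam)
        if last_logon is not None and last_logon > end:
            investigate.append((sam, end.isoformat(), last_logon.isoformat()))
    return disable, investigate, orphans


def run_cleanup_review():
    """Run the reconciliation over the constructed exports."""
    return reconcile(parse_csv(AD_EXPORT), parse_csv(HR_EXPORT), KNOWN_SERVICE_ACCOUNTS)


if __name__ == "__main__":
    disable, investigate, orphans = run_cleanup_review()
    print("disable now:", disable)
    print("logon after departure, review logs:", investigate)
    print("no HR record, confirm owner or disable:", orphans)
```

The three outputs map to three actions: disable immediately, pull the authentication logs for the period after the end date, and chase an owner for anything that is neither in HR nor in the service-account register.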

Shared accounts  

Shared or generic accounts often have access to critical systems and platforms. Monitor and log their use, and change the password as soon as anyone with access to the account leaves or no longer requires it.

Audit log review  

At a minimum, check the activity logs of any privileged accounts affected by the breach for unusual activity, such as logons from unfamiliar source addresses, logons outside normal hours, or a run of failed logons followed by a success.
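One way to run that review over an authentication log export, as an added example rather than code from the page or from the NCSC. The log format, the affected-account list, the 30-day source baseline, the thresholds and the sample lines are all constructed for the illustration. It applies three rules to successful logons by affected privileged accounts: a burst of failures immediately before the success (the shape of a password attack using breached credentials), a source address not seen in the baseline period, and a logon in quiet hours.

```python
"""Scan authentication logs for unusual activity by affected privileged accounts.

Added example (not from the page): the log format, field names, affected
accounts, source baseline, thresholds and sample lines are all constructed;
substitute your own SIEM export.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

# Privileged accounts whose username or e-mail appeared in the breach data.
AFFECTED_PRIVILEGED = {"admin.jsmith", "backup_op"}

# Source addresses each account used in the 30 days before the breach became
# known (constructed; in practice derive it from the SIEM before the review).
BASELINE_SOURCES = {
    "admin.jsmith": {"10.20.0.15", "10.20.0.16"},
    "backup_op": {"10.20.5.2"},
}

FAIL_THRESHOLD = 5                   # this many failures ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window before a success
QUIET_HOURS = range(0, 6)            # 00:00-05:59 UTC: worth a second look

# Constructed sample log. Lines for accounts outside the affected set are
# ignored, so alice's logon produces nothing.
SAMPLE_LOG = """2024-07-01T09:02:11Z user=admin.jsmith src=10.20.0.15 result=success
2024-07-01T09:30:40Z user=alice src=10.20.0.40 result=success
2024-07-01T23:51:02Z user=admin.jsmith src=198.51.100.23 result=failure
2024-07-01T23:51:09Z user=admin.jsmith src=198.51.100.23 result=failure
2024-07-01T23:51:15Z user=admin.jsmith src=198.51.100.23 result=failure
2024-07-01T23:51:22Z user=admin.jsmith src=198.51.100.23 result=failure
2024-07-01T23:51:30Z user=admin.jsmith src=198.51.100.23 result=failure
2024-07-01T23:52:01Z user=admin.jsmith src=198.51.100.23 result=success
2024-07-02T03:10:00Z user=backup_op src=10.20.5.2 result=success
2024-07-02T10:00:00Z user=backup_op src=10.20.5.2 result=success
"""


def parse_line(line):
    """Return (timestamp, user, src, result), or None for an unparseable line."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"], m["result"]


def review(log_text, affected=AFFECTED_PRIVILEGED, baseline=BASELINE_SOURCES):
    """Return (timestamp, user, rule) findings for successful logons that
    look unusual: failures_then_success, new_source, quiet_hours."""
    findings = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, user, src, result = parsed
        if user not in affected:
            continue
        failures = recent_failures[user]
        # Keep only failures inside the window ending at this event.
        while failures and ts - failures[0] > FAIL_WINDOW:
            failures.popleft()
        if result != "success":
            failures.append(ts)
            continue
        if len(failures) >= FAIL_THRESHOLD:
            findings.append((ts.isoformat(), user, "failures_then_success"))
        failures.clear()
        if src not in baseline.get(user, set()):
            findings.append((ts.isoformat(), user, "new_source"))
        if ts.hour in QUIET_HOURS:
            findings.append((ts.isoformat(), user, "quiet_hours"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

The rules are deliberately simple and high-recall: every finding is something to read the surrounding log context for, not a confirmed compromise. The failure burst followed by a success from a never-before-seen address is the one to treat as a likely account takeover and escalate first.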

The PSR outlines the government’s expectations for managing personnel, physical, and information security. Specifically, the core policy PERSEC 3 explains how to manage staff departures and access removal.  

Building security awareness | Protective Security Requirements

Authentication

Password change  

Contact all affected users and make sure they change their passwords, both on the breached service and on any other account, including their organisational account, where the same password was reused.

Password policy  

Review and update your password policy to match current industry best practice. Refer to NZISM section 16.1.31 for password policy guidance.

Recommended changes include: 

  • increasing minimum password lengths,
  • removing mandatory periodic password changes unless there’s evidence of compromise, and
  • eliminating complexity requirements in favour of longer passphrases.
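The three changes above expressed as policy code, together with the breach-dump triage that produces the list of users to contact. This is an added example, not code from the page or from NZISM: the 14-character minimum, the organisation domain and the "email:password" breach dump are constructed assumptions. Screening new passwords against the leaked passwords themselves is the example's own addition; it stops an affected user from "changing" to the very password that was exposed.

```python
"""Password policy as code: longer minimum, no complexity rules, no time-based
expiry, plus triage of a breach dump to find the organisation's affected users.

Added example (not from the page or NZISM): the minimum length, the
organisation domain and the breach dump are constructed assumptions.
"""
import hashlib

ORG_DOMAIN = "example.govt.nz"  # assumed organisation e-mail domain
MIN_LENGTH = 14                 # assumed; the page only says to increase it

# Constructed breach dump in the common "email:password" form.
BREACH_DUMP = """alice@example.govt.nz:Summer2024!
someone@gmail.com:hunter2
bob.smith@example.govt.nz:Welcome1234567
Carol@Example.govt.nz:correct horse battery staple
"""

# Known-breached passwords kept as SHA-1 hex digests so the policy file never
# holds plaintexts. This is only a lookup key for the corpus; it is not how
# user passwords are stored (those need a salted, slow hash).
BREACHED_SHA1 = set()


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def triage_breach_dump(dump_text, org_domain=ORG_DOMAIN):
    """Load every leaked password into the breached set and return the sorted
    list of organisation usernames found in the dump (the users to contact)."""
    affected = set()
    for line in dump_text.splitlines():
        if ":" not in line:
            continue
        email, _, leaked = line.partition(":")
        BREACHED_SHA1.add(sha1_hex(leaked))
        local, _, domain = email.strip().lower().rpartition("@")
        if domain == org_domain.lower():
            affected.add(local)
    return sorted(affected)


def validate_new_password(password):
    """Return the reasons a proposed password is rejected (empty = accepted).

    Deliberately no character-class rules and no maximum age: a long
    passphrase of lower-case words is fine; a short or breached one is not.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if sha1_hex(password) in BREACHED_SHA1:
        reasons.append("appears in a known breach")
    return reasons


if __name__ == "__main__":
    print("contact and reset:", triage_breach_dump(BREACH_DUMP))
    for candidate in ("Summer2024!", "correct horse battery staple", "three tui sang at dawn today"):
        print(repr(candidate), "->", validate_new_password(candidate) or "accepted")
```

Note that "correct horse battery staple" is rejected despite being a long passphrase with no complexity at all: length rules and breach screening are independent checks, and a leaked passphrase is still leaked.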

Multi-factor authentication (MFA)

MFA helps prevent account takeovers and is a critical tool in mitigating malicious cyber activity. Do not exclude any users — particularly administrators — from MFA requirements.  

NZISM section 16.7.1 recommends phishing-resistant MFA methods, such as hardware tokens, especially for privileged or remote access accounts. Phishing resistance comes from the authenticator binding each login to the genuine service, as FIDO2/WebAuthn security keys and smart-card or certificate-based logon do; one-time codes delivered by SMS, e-mail or app, and push approvals, can be relayed through an attacker-in-the-middle phishing site. A biometric unlocks the authenticator and is not by itself what makes a method phishing-resistant.

Password managers

Multi-factor authentication and verification

Third-party risk management  

Supply chain risk

Review how your organisation manages third-party risk and ensure vendors with system access understand and adhere to your security policies.

This includes:

  • using appropriate authentication and access controls, 
  • requiring third parties to notify your organisation promptly if a data breach occurs, and
  • regularly reviewing third-party access and conducting security assessments.

The NCSC has published a joint cyber security advisory on threats to managed service providers (MSPs), with guidance on managing supply chain risks.  

Protecting against cyber threats to managed service providers (MSPs) and their customers

Third-party assurance  

Use a robust third-party security framework to manage the risks posed by external service providers. Refer to the NCSC Supply Chain Cyber Security: In Safe Hands guidance.

Supply chain cyber security: In safe hands