There’s plenty of evidence to support security frameworks as a central tenet of management and governance, and in New Zealand the Institute of Directors has published a Cyber-risk Practice Guide that includes framework adoption as one of its five principles.
The subject is taking time to be absorbed and understood, probably because New Zealanders are quite relaxed and trusting by nature. The statistics, however, show that New Zealand is very much under attack.
The Symantec Internet Security Threat Report 2016 revealed 108 ransomware attacks per day in New Zealand last year, a 160 per cent increase on 2014.
On average, fifty-one distributed denial-of-service (or DDoS) attacks are investigated per day by one of New Zealand’s largest telecommunication companies* and The New Zealand Cyber Security Strategy 2015 estimated that cybercrime cost New Zealand almost $257m in the previous year**.
Despite this, 62 per cent of New Zealand’s businesses are considered not ready for cyber attacks***.
A big part of the problem is that information security is still considered an IT issue when it should be about people.
Many businesses think that buying a firewall will be enough to protect them. Unfortunately, ransomware typically arrives through channels the firewall permits, such as an email attachment or a link that a staff member opens, so the attack is let in from the inside, usually unintentionally.
For most businesses, information is one of the most important assets, constantly transferred and managed on multiple devices in different locations. A firewall is unable to provide total protection in this complex environment, so a widely understood, structured framework is vital.
According to our CISO Joerg Buss, a security framework is: “a series of documented, agreed and understood policies and processes that define how information is managed in a business, to lower risk and vulnerability.” It is very clearly a people-based approach, not an IT one.
So how do you go about adopting a security framework?
During his time with the German Government back in 1999, Joerg created the following process to implement an information security framework in a business (BSI Standard 100-2, page 11):
In order to achieve an appropriate level of security, a systematic approach is required to design the security process. The security process is comprised of the following phases:
Acceptance of responsibility by management
Designing and planning the security process
Creation of the policy for information security
Establishment of a suitable organisational structure for information security management
Provision of financial resources, personnel, and the necessary time
Integration of all employees in the security process
Creation of a security concept
Implementation of the security concept
Maintenance of information security during live operations and implementation of a continuous improvement process
Over the past year Joerg has been putting this into practice in New Zealand, running an information security program with one of our key clients, which has included the identification, implementation and management of a security framework for their business.
The acceptance and interest from internal staff and the business’s key suppliers has been a significant success, and ensures that the business is set up to succeed securely in the future. We will be sharing more of their journey in a future case study.
* Hon. Amy Adams, Minister for Communications, Ministerial Address to 2016 Cyber Security Summit, May 2016.
** New Zealand’s Cyber Security Strategy 2015.
*** Cyber Risk Practice Guide, Institute of Directors, 2015.