The public sector is now leading the way in New Zealand cyber security - and private sector companies could learn some lessons, says cyber security expert Philip Whitmore.
"If you look at cyber security now in the public sector, it's probably better than in the private sector," KPMG partner Whitmore says. "There's still a long way to go, but things are heading in the right direction."
Cyber security has been a major government focus in recent years because of increasing cyber-attacks globally, national and international ramifications from a spate of incidents and a major review of security in the public sector. It will soon bear fruit - government agencies will report for the first time next month on new Protective Security Requirements.
In 2011, a major incident saw an Accident Compensation Corporation (ACC) employee send an internal email with an attached spreadsheet containing personal details of thousands of ACC clients. Included inadvertently in the address list was one of the claimants, who publicly blew the whistle.
It came amid other high-profile public service information breaches - notably the 2012 WINZ kiosk breach incident in which members of the public were able to access beneficiaries' private information. The ACC case sparked a review by the Government Chief Information Officer which concluded "security and privacy process are under-developed in many agencies."
Whitmore says: "New Zealand and the public sector was still a bit naïve then about how effective security was."
Those incidents and subsequent review led to public service organisations having a stronger focus on security, including having senior people with clear security responsibilities.
The private sector, Whitmore says, contains many organisations less effective than the government: "Many private sector boards don't have someone with strong IT skills. Cyber security has all these buzzwords and terminologies people don't understand; it still becomes a black box to most. Boards need to be able to translate IT talk into business talk."
But they have the opportunity to learn from the public sector.
"A lot of the tools the public sector has developed to support it becoming more robust have been made available to the private sector. I'd suggest the private sector should take the opportunity to pick up some of those tools and see how beneficial they are to their own organisations."
The public sector's significant changes include making responsibilities clearer, establishing new standards and reporting frameworks, plus greater emphasis on building security into business and operational processes rather than treating it as an add-on.
Whitmore says a key aim of the public sector has been greater efficiency and effectiveness in interacting with New Zealanders through IT: "That has a lot of upside. But if the technology and processes aren't robust from a security perspective, it will undermine efforts and the benefits won't be realised.
"People will be reluctant to communicate online with state agencies and share information if they can't trust the security of their information."
The importance of security extends beyond New Zealand's borders: "If New Zealand government systems aren't secure, it may impact our ability to interact on a global basis. If our state systems aren't robust, that ability could easily be undermined and make trade and internal cooperation more difficult. Just like business, international affairs are based on trust; security is an enabler of trust."
He sees the release of the Government's Cyber Security Strategy at the end of last year as positive. It demonstrates the government's commitment to ensuring New Zealand is secure and prosperous online, including public-private collaboration and improving the cyber-capability of private and public sector organisations.
Whitmore says in the public sector pre-2012, it was assumed information security was an IT issue IT people could deal with. There was no clear visibility on risks and how they were being addressed.
"That visibility exists now. Most of the risks we see aren't a result of people or of technology but of organisations not understanding their risk."
Organisations have to establish their risk appetite: "Ask, 'is it worth living with this or do we need to spend money?' Throwing money at security by itself won't result in a better situation. If you're applying resources limited in terms of time and money at the areas that matter the most, that will have the most benefit."
Read more from KPMG here