Ben Kepes: The old cybersecurity lesson from the Reserve Bank breach

Reserve Bank of NZ Governor Adrian Orr. Photo / Mark Mitchell

New Zealand can rightly be proud of the fact that we have the world's most engaging central bank Governor. Adrian Orr, head honcho of the Reserve Bank, is fond of using esoteric analogues and mind-altering metaphors to illustrate the points he wants to get across. In a world where central bank governors are meant to be boring individuals spouting endless streams of numbers, having a storyteller in the role is a refreshing change.

I was thinking of Orr the other day as I heard the news, screamed loud in the headlines, that the Reserve Bank had been "hacked". Apparently, a file-sharing solution in use at the Reserve Bank (think a big organisation version of Dropbox, Google Files or Microsoft OneDrive) was accessed by someone without authorisation. At the time of writing, it has not been established who or how the breach occurred or what information was accessed.

And yet, this morning I have read the reckons of many an industry expert opining that this is likely the work of a foreign government or agency. It seems the Stasi is alive and kicking and fundamentally interested in New Zealand's monetary policy. Or maybe it was the KGB. Or the Shining Path. Or someone. Who would have thought?

At the risk of sounding like one of these aforementioned experts, I need to disclose that for the past 15 years or so I have been an industry analyst in the technology space. I've worked with vendors and customers, and have helped organisations deploy solutions such as the one breached within the Reserve Bank. I've also done work with different organisations helping ensure the safety and security of data.

In pretty much every thought piece or advisory briefing that I have written or read, there is a very clear articulation that security in the modern age is a shared responsibility. What this means in plain English is that technology vendors (the likes of Google, Microsoft and AWS) absolutely have an obligation to ensure that the software and infrastructure they use is robust and fit for purpose. Anyone who doubts vendors' ability to do this should try and get a tour of a data centre run by one of these vendors - they are more secure than a military facility with 24*7 security, massive investment in cybersecurity and total focus on robust protection of users' data.

But all of that is for naught if the other side of the shared model is ignored. And this is where I'm reminded of another buddy of mine who is also fond of an analogy or two. Christian Reilly is a UK-based technologist who cut his teeth building and maintaining the systems used as part of some of the biggest construction and engineering projects in the world - we're talking massive airports, industrial facilities and the like.

Recently Reilly Tweeted saying that;

Sometimes, the simplest security stuff is the most important.

To illustrate his point, he shared the following image:

A quirky poster makes a strong point about cyber security. Photo / Twitter

While it is likely a fictitious advertisement (or at least I hope so) it is a fantastic example of not seeing the wood for the trees. What is the point of having a safe, locks on ones' doors and other security provisions if we fail to address the human factors which impact upon security?

And this is where I come back to the recent Reserve Bank "breach". In the fullness of time, we may very well discover that the experts' prognostications were correct and it was indeed some nefarious government that hacked its way into our systems. But we might also discover that in fact it was something as simple as my old mate Reilly posted about and some low-level employee at the RB inadvertently lost their laptop which wasn't well protected or used the same password for Tinder as they use for their work access. Or perhaps, as is often the case in work situations, in an effort to bypass what is seen as user-unfriendly security practices, someone wrote their access password on a Post-It Note and stuck it to the side of their monitor where it was seen by a visitor who was quite interested in monetary policy. Who knows?

One thing is for certain, of the dozens and dozens of large-scale cyber breaches that I've looked at over the years, a huge majority have their origins in human errors. So while it is absolutely correct to investigate whether external parties were the cause of this latest breach, Orr's team should also look long and hard inside. There's no point locking the barn door after the horse has bolted.

- Ben Kepes is a Christchurch-based investor and entrepreneur.