Cyber security – what you need to know

Internet security – the things you must know

Last updated 6 July 2023

Cyber security breaches can cause major upheavals and the consequences are serious.

The tertiary education sector is an attractive target for cyber attacks because education agencies and providers hold a lot of personal and other information.

Our project, Cyber Security for the Tertiary Sector, aims to raise awareness of the critical importance of cyber security and provide clear guidance and support for everyone in the sector.

Cyber security controls

With guidance and advice from CERT NZ and other sources, we’ve produced a set of best-practice ‘cyber security controls’. The controls cover three areas: People, Process and Technology. They contain actions that your organisation, whatever its size, can take to immediately improve cyber security and help prevent system breaches.

We urge you to read about the controls below, and take the actions relevant to your organisation as soon as possible.

People

1: Cyber security roles and responsibilities

Everyone in an organisation needs to understand their role in supporting cyber security. Clearly defined roles and responsibilities are key to improving cyber security maturity.

  • Clearly define and assign cyber security responsibilities.
  • Give overall responsibility for cyber security to one individual.

CERT NZ offers valuable advice on cyber security responsibilities. There are other websites that provide useful information such as aboutcybersecurity.org.

2: Cyber security awareness

In addition to cyber security training, further awareness campaigns maintain employees’ ability to recognise cyber security threats and respond appropriately.

  • Run campaigns to maintain employees’ awareness of the main cyber security threats using up-to-date information through a variety of channels (using examples of breaches and attacks).
  • Make staff aware of:
    • what cyber security is and why it is important
    • how to detect a suspected cyber security attack
    • their responsibilities regarding cyber security within the organisation
    • their legal obligations regarding data breaches.
  • Build and maintain a secure cyber security culture within the organisation. Talk about it at staff and team meetings.

There are many resources online that can help with building a positive cyber security culture in your organisation, including the advice from CERT NZ.

3: Cyber security training

Make cyber security training part of staff induction, supported by further education to ensure staff know how to recognise cyber security threats and how to respond appropriately.

  • Design and implement an interesting training package (potentially including eLearning and phishing modules). Make this training mandatory and include an assessment.
  • Conduct annual training, with regular reviews of content.
  • Identify cyber security knowledge and skills among teams (both in-house and outsourced teams).

TEC is working with advisory groups within the sector to provide an awareness and e-learning solution.

Process

1: Staff onboarding and offboarding

Make sure that security is part of onboarding and offboarding of staff, focused on awareness of cyber security responsibilities, access to data and systems, and reducing the risk of a breach at the end of employment.

  • Implement a cyber security induction training requirement for all new starters.
  • Use a ‘least privilege’ principle when allocating system access for new and existing staff. (Only give the level of access required to enable staff to complete the work required of them.)
  • Maintain a documented and approved off-boarding process, which includes collection of assets assigned to an individual upon change or termination of their employment, and removal of all access rights.

The security awareness information on the CERT NZ website is a useful resource to guide the onboarding process.

2: Incident response process

Cyber security breaches can come in many different forms and threats evolve over time. It is important to have plans in place in the event of any incidents to ensure an efficient response.

  • Put in place a Cyber Security Incident Response Plan (CIRP) that includes all your stakeholders.
  • Ensure the plan covers different scenarios and is tested at least annually.
  • Consider the current situation, business impact, and security needs of the organisation and balance those against the guidance and recommendations provided by the CIRP.
  • Ensure you can access response documents and can communicate in the event of a breach if work infrastructure (such as Microsoft Teams) has been compromised.

3: Operating model and processes to support and maintain implementation of Security Controls

Keeping an organisation safe from cyber threats requires robust cyber security controls. It is vital to have detailed processes for these controls to ensure correct implementation and maintenance.

  • Have a clear and approved process document detailing support procedures for technology controls, reviewed and maintained annually.
  • Assign and document roles and responsibilities for these controls.

4: Follow a Security Risk Management process

The threat of potential disruption to the business or to the business’s reputation by a cyber-attack is called “security risk”. Identifying and prioritising that risk is security risk management. There are four main stages in the risk management process:

  1. Identify the risks.
  2. Assess their likelihood and impact.
  3. Use controlling and mitigating measures (procedures, technologies etc).
  4. Review and evaluate the controls, and if necessary, add to or adjust them.

Keep and maintain a (basic) Security Risk Register which keeps track of risk assessments and check the register regularly.

Technology

1: Patch your software and systems

Exploiting vulnerable software is a common, and often easy, way for attackers to get into a business environment. Attackers have networks of computers (bots) scanning the internet to identify vulnerable software and automatically exploit it.

When a critical vulnerability is discovered, vendors will release updates (commonly known as “patches”) to fix it. Applying these fixes as soon as possible will reduce your risk of the software being exploited and help protect your IT environment.

To ensure devices are updated appropriately, organisations should implement a monthly updating or “patching” cycle and install updates whenever prompted to do so, even outside of the scheduled monthly cycle.

  • Implement a monthly updating or “patching” cycle.
  • Update the operating system for servers and workstations (e.g. Windows, macOS, Linux).
  • Update productivity and office applications (e.g. Adobe, Microsoft Office).
  • Install updates within 14 days of release – the sooner the better.
  • Install critical security updates within 7 days of release (again, the sooner the better).
  • Allow web browsers to update automatically (this is the default behaviour for most browsers, such as Microsoft Edge, Google Chrome, and Firefox).

2: Use strong passwords and consider a password manager

Passwords are used for everything. They are the most common way of authenticating to a system, and we rely on them to protect sensitive information about ourselves and others. It is, however, quite common for passwords to become known to attackers through various means, with the most common causes being password re-use or using easy to remember (and easy to guess) passwords.

  • Use strong & unique passwords or passphrases for every login.
  • Store passwords in a secure location (Password Manager).
  • Change default passwords.

A weak password can be cracked and stolen extremely easily by a determined hacker. This article from NetSec News describes just how quickly it can happen: “How Long Does It Take a Hacker to Brute Force a Password in 2023” (NetSec.News).

Implement a password manager for internal business use where passwords for the following types of accounts must be stored:

  • Service Accounts
  • Emergency (Break glass) Accounts
  • Company Social Media Accounts
  • Company Bank Accounts & Financial Services

CERT NZ has some very good advice for creating strong passwords on its website.

3: Require Multi-Factor Authentication (MFA) for all user and administrative accounts

Even the most indecipherable password can be cracked by a determined hacker or exposed in a privacy breach, and if an attacker successfully infiltrates an employee or admin account, they might be able to compromise your entire organisation network. MFA reduces this risk by requiring users to present more than one form of identification to access IT systems.

  • Implement MFA for all systems that users have access to:
    • Externally accessible systems & applications
    • Remote Network Access (VPN, RDS etc)
    • Administrative Access
    • Social Media
    • Financial Systems

These are our strong recommendations:

  • Use an application-based MFA (such as Microsoft Authenticator) or a hardware-based token (Yubikey, Smart-Cards etc).
  • Where possible, avoid using SMS-based MFA as this is outdated and less secure (However SMS-based MFA is better than no MFA).
  • Investigate device-based policies, such as allowing logins from compliant devices and requiring MFA for non-compliant or personal devices.

Check out CERT NZ’s Two Steps Too Easy programme.

4: Enable and retain logging for Security Events

Security events affecting systems can cause major disruptions to your business. They include a variety of incidents that range from phishing to full DDoS attacks. All such events for servers and cloud platforms should be logged in a dedicated platform.

It is important to ensure these logs/registers are retained for a minimum of three months. It is also a good idea to store these logs centrally.

Without logs it is difficult (or even impossible) to determine when incidents happen, or to establish the full scope of what has happened, meaning it is also harder to fully recover and work to prevent the same incident from happening again.

There is excellent advice on configuring and setting up centralised logs on the CERT NZ website.

5: Manage the asset lifecycle

Understanding your environment’s assets (what you have in the organisation to run your systems) is a key step in securing it. You cannot protect what you do not know about. Inventories of assets help to inform the risk profile of a business by clarifying the breadth of hardware and software that is in use, and their versions. It also helps to identify assets that are no longer under warranty or no longer supported for security and feature updates.

  • Create and maintain a hardware inventory, keeping track of information such as:
    • The asset name
    • Its owner and current user
    • Its status (in use, spare, decommissioned)
    • The date of purchase
    • The warranty expiry date
  • Create and maintain a software inventory, keeping track of information such as:
    • Software programme names, the version in use, and their publishers
    • Their business purpose
    • Links to the provider’s website, Appstore or installer location
  • Document and maintain your asset lifecycle including:
    • The acquisition and setup of new assets
    • Distribution of assets to staff
    • Maintenance of assets
    • Secure decommissioning of assets

There is a wide variety of software available to help with asset lifecycle management, but a simple spreadsheet can be a good start.
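The following is an added example, not part of the TEC guidance, showing how a simple inventory check can turn the fields listed above and the 7- and 14-day patch windows from the “Patch your software and systems” control into an automated report. The column names and sample rows are constructed assumptions chosen to match the fields the guidance lists.

```python
# Added example (not from the TEC guidance): checks constructed hardware and
# software inventories against the thresholds stated on the page. Column
# names and sample rows are assumptions chosen to match the listed fields.
import csv
import io
from datetime import date, timedelta

HARDWARE_CSV = """asset_name,owner,current_user,status,purchased,warranty_expires
LT-0001,IT,alice,in use,2021-03-01,2024-03-01
LT-0002,IT,bob,in use,2019-06-15,2022-06-15
SV-0001,IT,,decommissioned,2016-01-10,2019-01-10
"""

# installed_on is the date the currently installed version was deployed.
SOFTWARE_CSV = """name,version,publisher,purpose,latest_release,installed_on,critical
Microsoft Office,16.0.1,Microsoft,productivity,2023-06-13,2023-06-20,no
Adobe Reader,23.1,Adobe,documents,2023-06-01,2023-05-01,yes
Google Chrome,114.0,Google,browser,2023-06-28,2023-06-29,no
"""

NORMAL_DAYS = 14    # install updates within 14 days of release
CRITICAL_DAYS = 7   # install critical security updates within 7 days


def expired_warranty(csv_text, today):
    """Names of in-use assets whose warranty expired before 'today' (ISO date)."""
    today = date.fromisoformat(today)
    return [r["asset_name"] for r in csv.DictReader(io.StringIO(csv_text))
            if r["status"] == "in use"
            and date.fromisoformat(r["warranty_expires"]) < today]


def overdue_patches(csv_text, today):
    """(name, days overdue) for software still on an older version after the
    7- or 14-day window following the latest release has passed."""
    today = date.fromisoformat(today)
    overdue = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        released = date.fromisoformat(r["latest_release"])
        if date.fromisoformat(r["installed_on"]) >= released:
            continue  # latest release already applied
        window = CRITICAL_DAYS if r["critical"] == "yes" else NORMAL_DAYS
        deadline = released + timedelta(days=window)
        if today > deadline:
            overdue.append((r["name"], (today - deadline).days))
    return overdue


if __name__ == "__main__":
    print("Warranty expired:", expired_warranty(HARDWARE_CSV, "2023-07-06"))
    print("Overdue patches:", overdue_patches(SOFTWARE_CSV, "2023-07-06"))
```

Run against the real spreadsheet export, the two lists are the items that need an owner and a date before the next monthly patching cycle.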

6: Implement and test backups

Backing up your systems entails making an up-to-date copy of the data that has been created and saved. With a backed-up copy stored safely you are able to quickly restore your information in the event that it is lost or damaged, whether the loss is the result of a cyber attack or some other issue.

It is important to back up stored information separately from its storage within the organisation’s computer systems. However, it is equally important to ensure the right information is backed up. Organisations should implement processes for backups and recovery, and test them to ensure the data can be restored if and when necessary.

  • Implement processes for backups and recovery.
  • Ensure correct information is being backed up.
  • Test to ensure systems and information can be restored in the expected timeframe.
  • Keep a copy of the backups stored off-site, separate from the organisation’s day-to-day work systems.
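As an added example (not from the TEC guidance), the restore drill below exercises the last three points above: it backs up a constructed sample directory to a separate folder standing in for the off-site copy, restores it elsewhere, verifies every file against a checksum manifest, and reports whether the restore finished within the expected timeframe. The file names, contents and the 5-second target are assumptions.

```python
# Added example (not from the TEC guidance): restore drill that backs up a
# constructed sample directory, restores it elsewhere, verifies every file
# against a checksum manifest and times the restore against a target (assumed 5 s).
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(source, archive):
    """Archive 'source' and return a {relative path: sha256} manifest."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(str(file), arcname=rel)
    return manifest


def restore_and_verify(archive, manifest, target, max_seconds):
    """Restore into 'target'; report files that differ from the manifest
    and whether the restore finished within the expected timeframe."""
    start = time.monotonic()
    with tarfile.open(str(archive), "r:gz") as tar:
        # use the safe extraction filter on Python versions that have it
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(target), **kwargs)
    elapsed = time.monotonic() - start
    mismatched = [rel for rel, digest in manifest.items()
                  if not (target / rel).is_file() or sha256_of(target / rel) != digest]
    return {"mismatched": mismatched, "seconds": elapsed, "within_target": elapsed <= max_seconds}


def run_drill(max_seconds=5.0):
    """Create sample data, back it up to a separate folder, restore and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, restore_dir = tmp / "live", tmp / "restore"
        (source / "records").mkdir(parents=True)
        (source / "records" / "students.csv").write_text("id,name\n1,constructed\n")
        (source / "notes.txt").write_text("constructed sample data\n")
        archive = tmp / "offsite" / "backup.tar.gz"  # stands in for the off-site copy
        archive.parent.mkdir()
        manifest = make_backup(source, archive)
        result = restore_and_verify(archive, manifest, restore_dir, max_seconds)
        result["files"] = len(manifest)
        return result
```

A non-empty "mismatched" list or a false "within_target" is the finding the drill exists to surface; record it in the risk register and fix the process before the backup is needed for real.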

7: Implement application control

Application control helps to protect devices against malware and ransomware attacks by restricting what software is allowed to run on a device. Allowing only pre-approved applications to run is one of the most effective means of protecting against malware.

Organisations should have firm restrictions on what applications can be installed on devices.

  • Build a baseline of required applications.
  • Establish a process to enable requests for new applications.
  • Use application control functionality (many device-management solutions have application control built in).

8: Deploy and maintain Endpoint Protection Software

Endpoint protection protects devices from malicious software and activity. Older “Anti-Malware” or “Anti-Virus” software will often only protect from malicious software, while newer EDR (Endpoint Detection and Response) services go beyond that and look at the behaviour and activity on a device to also prevent malicious use of legitimate software.

Endpoint protection software offers a centralised management system that allows security administrators to monitor vulnerabilities across all “endpoints” in the system – computers, mobile devices, servers and other connected devices. This monitoring enables them to investigate issues and protect the system.

An example of endpoint protection software is Windows Defender, which is built into all Windows devices. However, even with Windows Defender, it is important to use a centrally-controlled solution.

There are different solutions available, and most can protect Windows, Mac, and Linux systems.