WEBINAR REPLAY

Cybersecurity governance

A Director & CXO’s approach to building resilience

OVERVIEW

Cybersecurity is a critical topic that demands regular and structured attention on the board’s agenda. It is no longer an issue to be addressed only during crises. Boards must prioritise building cyber competency and access to external expertise.

CONTENT SUMMARY

  • Regulation: the implications of Australian cybersecurity regulations for New Zealand’s businesses, along with strategies to mitigate directors’ liabilities.
  • Sector-specific impacts: a focus on healthcare and financial services, including the adoption of stricter frameworks such as HISF and NCSC, and evolving practices for safeguarding sensitive information.
  • Cybersecurity integration: a spotlight on organisational risk management, a step akin to health and safety standards, with tangible benefits such as reduced cyber insurance premiums over time.


Webinar transcript

Daniel McIvor: Good morning. A very warm welcome. My name’s Dan McIvor. I’m the GM of Fujifilm CodeBlue. It’s a pleasure to welcome you all to this exclusive directors’ webinar where we’ll tackle one of the most pressing challenges facing businesses today: cybersecurity risk management. We hope you can all take away useful insights that are both strategic and practical.

Cyber threats are evolving fast, and as leaders, we’re not just spectators, we’re decision makers shaping the resilience of our organisations. We organised this in-person event in May in Auckland and received incredible feedback from our customers. And so we’ve decided to host this as a webinar so we can share the key insights with our customers nationwide.

We hope that these meaningful discussions around protecting our organisations against cyber threats don’t end today, but that we continue these discussions on how we can safeguard our valuable data against cyber threats. Please post your questions anytime during the panel using the Q&A function located at the top of the panel.

We will answer your questions during the live Q&A at 9:40 AM and wrap this webinar up at 10:00 AM sharp. We’re incredibly fortunate to have an exceptional lineup of experts with us here today, so I’d like to warmly welcome Dame Dr Karen Poutasi. Dame Karen Poutasi is a seasoned leader with a distinguished career in public service.

She currently serves as a director at RHCNZ, New Zealand’s premier private radiology provider, and is the chairperson for Kāpuhipuhi Wellington Uni-Professional.

Previously, Dame Karen was the Director-General of Health and Chief Executive of the New Zealand Qualifications Authority. Dame Karen has contributed extensively to the health sector as the commissioner at Waikato District Health Board, and as a board member and later chairperson of Health New Zealand. Dame Karen also chaired Taumata Arowai, the water services regulator, during the same period.

Next up, I’d like to send a very warm welcome to Murray Strong. Murray is a highly experienced chair, director and board member, having served on 23 boards, 18 of them as chairman. His extensive governance portfolio spans companies, crown entities, large infrastructure projects, digital transformation initiatives, and statutory interventions.

Murray has held continuous chairing roles since 2001, serving on subcommittees including finance, audit and risk, capital investment, and transformation, demonstrating his commitment to robust leadership and governance.

I’d also like to send a very warm welcome to Gordon Armstrong. Gordon is the CEO of Auckland Eye, the leading eyecare specialist group in New Zealand.

Gordon’s expertise includes organisational transformation, strategic vision, implementation, acquisitions, and establishing joint ventures and diversified services. He has held CEO roles in private healthcare for 17 years and leading a discussion.

Sitting here to the right of me is Mathew Jose of CodeBlue, a seasoned cybersecurity expert who’s seen firsthand how organisations can turn risk into resilience. Mathew is an accomplished information security professional with over 15 years of experience in various IT roles. As the Chief Information Security Officer at CodeBlue New Zealand, Mathew focuses on governance, risk management and compliance (GRC) and security operations.

He is dedicated to developing innovative cybersecurity products and services that simplify complex security concepts and enable businesses big and small to thrive. Welcome to our event today, and I’m going to pass over to Mathew.

Mathew Jose: Thank you, Dan, and welcome all to the panel. What we are actually going to do is pop the questions up so that you can view on the screen the question that I’m going to be asking.

And let’s get into the first one. So we all know that cybersecurity is a fundamental business issue rather than an IT issue, so my question to the whole panel here is: how should boards ensure that cyber resilience is actually embedded in the organisation’s overall strategy and risk management framework without impeding innovation?

Murray W. Strong: Good morning, Mathew. Perhaps I’ll start off with that one for you, and just step back from it a little bit. It seems to me that organisations have little or no visibility on the quantum and turnover of their own and their clients’ data that’s already being discussed and traded on the internet.

So in terms of making sure that there’s an opportunity for cyber risk and security to be effectively embedded into overall strategy, the response needs to be the development and the contracting of a capability to monitor and hunt the bad actors that are having a crack around the outside of your organisation, if not already inside of it.

And I think if we were to think about it in terms of health and safety prior to that legislation being enacted, we knew that we should keep people safe at work and alive. And once compulsion arrives through legislation with penalties for breaches, organisations change their behaviour.

So at a strategic level, if we think of cyber in terms of health and safety for data and dollars, we then broaden our approach and embed that in our strategy.

Dame Dr Karen Poutasi: I’ll climb in there. You’ll find that we do this; we hand from one to the other quite readily. But my comment in this space would be that we forget that cybersecurity is a major business issue at our peril. It’s not an IT issue, it’s a business issue. And later on I’ll get to talk about the infamous Waikato DHB cyber incident.

And that for me was just, look, you can be fine today and tomorrow you can have an issue. And that means preparation is imperative if you don’t figure on what happens if you lose all your systems. So just for a moment, all of you on the line, think about if you just lost all your IT connectivity: what would that do to your business?

And that tells you just how important this is to the management of your business. It is a business issue and you forget it at your peril. And we’ll come to the how do you protect without impeding innovation, because you have to be able to do both, but forget it at your peril would be my message.

Gordon Armstrong: Thank you, Karen, and good morning everyone. I’m just really echoing Karen and Murray’s comments, but I think it’s important to note that most SMEs in New Zealand don’t have a huge amount of sophistication or knowledge around cybersecurity. That’s not a criticism, it’s just a practical reality.

So it’s about thinking where you can access the knowledge that you need or the skills that you need to be able to embed this into your business, as it is a business issue. It’s not just something you can leave up to the IT department. So if you have an IT department, that’s a good place to start.

If you have a business provider in the IT space, that’s a good place to start. You’re lucky if you already have it on your board, but you do need to seek it out, because without that knowledge it makes it very difficult to be prepared.

Mathew Jose: Oh, thank you for that. Murray, you’ll be pleased to know that I’ve actually borrowed one of your lines, which is that cybersecurity is data and dollars as health and safety is for the organisation.

Jumping onto the next one: we all know that the cybersecurity threat structure is really complex. What practical steps can directors take to build cyber competency, and how can they ensure that they receive clear and comprehensive reporting that enables effective oversight in their role as directors?

Again, I’ll actually open it up for the entire panel.

Gordon Armstrong: I might jump in here from the executive perspective and leave Karen and Murray to talk about it from the director side of things. But what’s really important is to make sure there’s appropriate reporting to the board. Now, the frequency of that is important. If you do it every month, it can tend to become another tick box on the board agenda that people can simply skip through without thinking about it too much.

What I find useful is to have our IT people present every quarter. And what’s particularly good at sharpening the focus is a report detailing the number of attacks that have been thwarted towards our organisation over the last three months. That brings it very sharply into focus for directors. This is not a conceptual problem.

This is a real problem that’s happening every day, and making sure that there’s some clear information for directors enables them to understand the scale of the threat and the attack surface area that we are looking at. So that’s quite key. And the other thing really, as far as embedding, is making sure that boards do go through simulations.

So as Karen pointed out before, what would it be like if you suddenly lost all your IT connectivity? The important thing to do is to simulate that and run training scenarios so people actually have the ability to understand what that looks like and what practical steps can be taken.

Dame Dr Karen Poutasi: I’m looking to see if Murray’s going to climb in immediately, but in that case you go first.

I’ll go first. I couldn’t agree more, Gordon. The challenge really is how do you not become blasé? You’ll expect me to say that all the way through. How do you not take it for granted? How do you ensure that as a board or senior management, you actually do have it gripped up?

Because it’s always easy to say, oh, we’ll put that on the next agenda, or, oh, that’s tomorrow’s problem, but believe you me, it can be today’s problem. And when we get into the regulatory angle, we’ll come back to what’s expected of you. But what you would expect of yourselves is, as Gordon says, to have a good plan that is tested.

And what you would expect as a board is to see that regular reporting. And coming back to, I’m going to nudge into the regulatory a little bit. One of the regulatory pieces actually says the board shall appoint a responsible officer. Now, that’s not one that is mandatory for us at this particular point in time, but when you think of that board, senior management, chief executive, it’s that close.

You should know. If not, appoint the senior officer responsible and then ensure that you get adequate reporting that does tell you what your strategy is. How’s it going? As Gordon said, how’s it being monitored? And what are people doing about what’s monitored? Some of you may know there’s a story that goes: yes, we’ve seen intrusions, we’ve monitored them, and nothing’s been done.

So you clocked up the intrusions. Nothing happened, we think, but nothing was done to give you the assurance that following up has occurred. So you definitely, as a board, want to see that follow-up on your monitoring, and then we’ll come back to other risk pieces for you, because at the end of the day, you can do a sufficient amount to give you confidence.

But remember that you’re going to have to trade off flexibility with confidence, and that’s why you can never be a hundred percent sure. So it requires a high degree of, I was going to say intelligence. It does, certainly. So you’ve got to be smart on this, but agility is the word I was looking for.

You’ve got to be agile knowing that your systems are never going to be foolproof. They can be really good, but they’re not foolproof, so you have to stay on the ball. Yeah.

Murray W. Strong: I think, excuse me, that leans quite easily into another focus for boards, making sure that the reporting is effective.

Boards need to expand their definition and understanding of cyber risk and security and be very clear on their risk appetite at various threat and breach levels. That will then determine the nature and the extent of the reporting that you want to see from your executives, and help you understand a response and useful practical steps.

It pays first to understand what you’re facing. So you’ve got some information that’s coming up from the executive around attack surface area and attempted breaches or successful breaches. And then you have your risk profile and appetite sitting on the other side. So you’re trying to balance those, and while not wanting to present a dystopian view of the world, there are some pretty serious issues at play here.

The market is becoming incredibly more sophisticated. Cyber criminals aren’t typically teenagers sitting in a dark room, not showering for days, drinking Red Bull. They are using efficient and effective generative AI engines; just think of it as set and forget.

So it’s very easy for them just to let those machines learn quickly. And then the human interaction piece comes when they start to talk money. So understanding your risk appetite, managing that against the way that you are having information around breach reported is a critical element in terms of making sure that the board have the right material upon which to make trade offs and investment decisions.

Dame Dr Karen Poutasi: And if I could just round that up by linking it to our first question, which is that this is a business issue. Fundamental to managing these practical steps is understanding your business, because if you don’t understand the interconnections in your business, you’re not going to understand the vulnerability points.

So it all comes back to this is a business issue.

Mathew Jose: Thank you, Karen. My next question again. I know that you guys are all chiming in, so feel free to chime in again. We all follow regulations, and when it comes to regulations, there is what our cousins across the ditch follow.

So what measures should sensitive sectors like financial or healthcare adopt to stay ahead of compliance requirements or expectations?

Dame Dr Karen Poutasi: Murray, I think this is really yours to start.

Murray W. Strong: Yeah, and I think from a legal perspective, we’re starting to see class actions appearing in the Australian market with large data breach issues. And there’s nothing to suggest that we won’t be seeing that sort of behaviour here. Whilst Gordon and KP can speak specifically to healthcare and FinTech, I think if we take a view of the legal risk, that brings into sharp relief very quickly some things for directors to be rightly concerned about.

We are having a few more class action litigation funders appear in the New Zealand market. And whilst the regulatory framework is evolving in New Zealand, it’s probably not quite as sophisticated as it can be, but the broad sweep within the Companies Act is clear in relation to undertaking your fiduciary duties as a director.

So making sure that you’ve got some real clarity around that is important. And at the very least, if you are purporting to have secure, safe data and you are protecting people’s individual information, at the very least there are remedies under the Fair Trading Act. So that environment is becoming increasingly fraught.

So you need to be able to provide evidence of what you’ve been doing around the board table.

Dame Dr Karen Poutasi: I’ll come in there just to augment. Murray and Gordon will want to follow up, because particularly in health, you’ve got privacy standards that are absolutely imperative at the same time as significant interconnectedness, which produces risk. But if you’re looking for an absolute “thou shalt” at the moment, there isn’t one; it’s over to you.

To use reasonable security safeguards: that’s the Health Information Privacy Code. The Companies Act, as Murray says, reasonable and proper steps. FMA expectations, and indeed Reserve Bank standards, maintaining the operational resilience of technological systems. So you see it comes back to what we’ve been talking about, which is board and senior management responsibility.

And in a way I think that’s sometimes more onerous than being absolutely particular on thou shalt do A, B, C, D. This is, you have to use reasonable steps, and be responsible is another word that comes up in our legislation, which leaves it over to you. But you’ve got to be able to point to that if, as Murray says, you get into a class action or something else.

But in any event, your customers will want you to be able to show that you’ve used reasonable initiatives and that you are responsible with people’s data and with your business continuity, which is where FMA comes in. But Gordon, do you want to talk further on health and.

Gordon Armstrong: Yeah. Thank you Karen.

And I think obviously when it comes to privacy of data, people’s healthcare data is probably one of the highest that you can imagine. Now, once again, from the executive perspective, we don’t have appropriate regulation in New Zealand at the moment, but there’s enough out there, right from New Zealand, and as Murray and Karen have talked about, the Fair Trading Act and other legislation like the Companies Act, that we can anticipate what we should be doing, and we shouldn’t just be aiming for compliance.

We should be aiming for the very best potential or possible posture that we have, making sure that we’ve got appropriate policies in place. So making sure the board can have confidence that management is across these things and is thinking about these things and has appropriate policies and appropriate mitigations in place.

As I say, it’s not just about doing the minimum, it’s about making sure that your information is protected to the utmost, and some practical steps such as, if you have a data breach, who are you going to report to? Who are the people that you should be telling? So there’s going to be your business partners.

As Karen said, healthcare is very interconnected. You’re going to be connected to the public system, potentially you’re going to be connected to other providers, you’re going to be connected to other data portals, but also making sure that you report to the appropriate government agencies if there’s been a data breach, because the consequences for not doing those things are quite profound as well.

So just saying there’s no legislation, so I guess we don’t have to worry about it, really isn’t an excuse. The management has to make sure that the board are forewarned and forearmed, and that you’ve had a really good look at what legislation is sitting across the ditch and what existing legislation in New Zealand could potentially be used for penalties if you get it wrong.

Mathew Jose: Thank you for that. My next question is actually about accountability for cyber resilience. And I’m going to look at you, Murray, because it’s actually about the boards and president rather than you. So how do you think frameworks can assist boards in fulfilling their governance responsibilities without becoming very operational?

Murray W. Strong: Thanks, Mathew. And look, I think it ties in a couple of themes that are starting to become apparent as this conversation has progressed. It is an enterprise-wide responsibility. And the ability for people to breach is really quite simple. If I give you one of the most simple examples, we ran an exercise a while ago to see how quickly we could get into an organisation.

Somebody left a data stick sitting on the table in the reception of an organisation, and within 30 minutes a staff member had plugged it in to work out whose it was. And essentially the organisation’s cybersecurity systems were breached. So there’s a bunch of really easy things that are able to be done in terms of recognising how those frameworks can assist boards.

Again, I’ll come back to my earlier comment around making sure that there’s a very clear understanding around risk appetite, because that will enable you to make some decisions around investment in particular areas or disinvestment in others, because we live in a resource-scarce or resource-limited environment.

But I think the other thing that we need to be cognisant of around accountability, and I’ve seen this in a couple of instances, is if you are going to go through the process of identifying what your attack surface area looks like and the number of breaches that might have occurred, and how much of your information has already been discussed and traded on the clear, deep or dark web, and you receive reports on that at an executive level (and this is in no way anything other than observation), there are often one of two reactions.

The first is: thanks for bringing that to our attention, how can you assist us in addressing it and reinforcing our cyber defences? And the second is: thanks for that report, you’ve made me look bad, now go away. Obviously there are some reactions in between; it’s a continuum.

I think there’s clearly an opportunity. Yeah.

So when you think about those frameworks, you need to make sure that you can have it.

You have clear visibility, from overarching confidence and assurance reporting with a cascade down into an operational level, so that if there is something that needs to be investigated further or reviewed or discussed around the board table, then you have the ability to access that information quickly.

But most boards won’t want to spend too much time down in the detail. They’re going to be more involved in considering the strategic implications of cybersecurity and risk. And that’s about the relationship between the executive and the board being functional, sensible and mature. And as the cyber risk and security market changes, the maturity around those relationships at an executive and board level needs to change with it.

Gordon Armstrong: I might jump in, if you don’t mind. I think this is probably my favourite question in here. And going back to Murray’s example of the USB left around, I think the responsibility for cybersecurity ultimately sits with, or there’s a responsibility for, everyone in the organisation, because ultimately, regardless of how good your security posture is, it’s the human element that’s going to trip you up.

That will be how a breach is likely to occur, certainly in the current environment. Now, the accountability certainly sits with the executive and board. So practically, if everyone’s got a responsibility, what does that look like? Because if everyone’s got the responsibility, no one’s got the responsibility.

And that’s about making sure that there is good education and good policies internally that are well communicated to the team, to say what exactly are you supposed to do around cybersecurity? What should you be doing? What are the risks that we are looking out for? So it’s the executive and board responsibility to make sure that’s available at all levels of the organisation, because it is the human element that is the weak link.

I’m aware of an example, an organisation that I won’t name, which had a very good cybersecurity posture, but quite recently their IT department discovered on the internal intranet a spreadsheet that had an entire team’s logons and passwords on it, because it made it easier for them to switch between PCs.

So obviously that was a massive risk, and someone could have left the organisation and taken all of those passwords with them and sold them to the highest bidder. So it’s always going to be the human element that you need to look out for, and make sure that people are aware of what those risks look like.

So it is a large part about training. It is a large part about letting people know that there is a responsibility for what they do every day. But there’s also quite a pragmatic approach, and it comes back to what both Karen and Murray have talked about: balancing the risk. If you make your cybersecurity processes and protocols and policies so onerous that it becomes difficult for people to be compliant, they simply won’t be compliant and you’ll be worse off than when you started.

So you do have to have a clear understanding of what the risks are that you’re trying to mitigate, a clear understanding of your internal operational processes and when you are putting things in place that are too onerous, but also an understanding for people of what those risks look like as well.

Because if the only people that understand risk are the executive and the board, no one else in the organisation is either going to care or know enough about it to do something. So it’s about education. It’s about balancing that risk and being very pragmatic when you apply those sorts of policies and protocols, so that it’s not going to trip people up operationally, because if it does, they simply won’t do it.

Dame Dr Karen Poutasi: I’ll chime in there, Gordon. I thought you’d make that point on culture. You know, it’s culture for breakfast, isn’t it? Culture is king. And it feeds in nicely with what we’ve talked about with the board and management. You simply do have to have a risk-aware culture, and it has to be everybody’s business.

But as Gordon said, you also need to have your clear point of responsibility. And I go back to when I was ferreting through the regulations that exist: the board shall appoint someone who is responsible. I quite like that, because I personally hadn’t realised it was anywhere in anybody’s New Zealand legislation, as it were.

And I think that makes you very aware, as a board or as senior management, if you are doing it, of who you’re making accountable, and then referring back to them in the sense of their setup of board agendas and so on and so forth. So I think that’s important. Perhaps the one thing we haven’t said, which goes back to the core of your business, is that system design really matters.

And in areas such as health where things have tended to evolve, but there are other areas as well where they are less, shall we say, discrete, then you will find that system design has perhaps slipped to the back rather than to the fore of your thinking on the risk for cybersecurity.

So by that I’m talking about, we talked about segmentation, the benefit of segmenting your system so that you’re protected, but then if you’re somewhere where connections matter, you’ve got to allow, as Gordon says, for connectivity. Otherwise, people simply won’t use your multifactor authentication and your access controls.

The monitoring that we’ve talked about, those sorts of things sitting in your system, are something we should be asking whoever’s responsible about: do you understand how the system’s configured and what controls you have in there, as well as the reporting? So that’s just something to add to your armament in the sense of what you should be asking for.

Thanks.

Mathew Jose: Thank you, Dame Karen. And my next question is obviously to you because you actually presided over the WDHB incident response. So in the event of a major cyber incident, what should boards expect to actually unfold within the first 24 hours? And in your opinion, do you think that prior board engagement can actually shape the effectiveness of how an organisation is going to respond?

Dame Dr Karen Poutasi: Thank you for that question. Yes. And up there, those of you online will see the InfoSec report on the Waikato incident. It is very well written, this report, and you might expect me not to be complimentary about reports on what happened. But this is a very good report and it’s an easy read.

Perhaps it’s not bedtime reading, but it’s an easy read. So I do recommend it to you. The critical piece is, that’s unfair, a critical piece of the puzzle is your first 24 hours. What is likely to happen at that stage is you are likely to find out that a threat actor has been in your system for a few days or maybe a few weeks.

For us, I think it was eight days prior to our awareness that we had a cyber event. The threat actor had been in our system and inserting malware. So when you become aware as a governor, there are a couple of things that you need to be asking, first of all, or you need to ask of yourself as well.

First of all is to remain calm under all circumstances. It’s a major event. You are likely to feel the world has fallen, and it has in a certain way, but calmness is imperative if the team are going to get it right. So from a governance point of view, this is where you start to implement your incident response plan, which you have of course just recently tested.

So I think we emphasise that your response not only needs to be planned but it needs to be tested. And you need to be very clear about the role of boards and the role of management, and who is going to do what now. You should expect, if you are the chair, that somebody’s done something to control the event.

So in Waikato, everything was unplugged. The team just unplugged everything, literally. That was dramatic and it was ultimately the right thing to do. Now you’ll find in the report that there’s a message there which says incidents are lived forward, but best understood backwards. So when I say it was the right thing to do: when I first heard, I said, what, you’ve detached everything, literally everything? Yes, that was the right thing to do, said the IT guys, and they were right.

So the first thing for you as governors is to understand what has happened; immediate action should have been taken to contain the event. Okay? That will be in your incident response. Then it’s a matter of how you respond and contain that, and then how ultimately you recover. You won’t get into recovery, or you’re very unlikely to, within the first 24 hours.

Then, as we’ve already said, you’ve got an authorising environment, no matter who you are. You will have shareholders, stakeholders, government, regulatory entities, the Privacy Commissioner if you are in health, financial markets if you are in FinTech. So you have to have a clear script to be able to brief your key stakeholders.

Having a clear script is basically a non-sequitur when you’re in this sort of situation, but you have to be in control of what is an uncontrollable situation immediately, and you won’t secure the confidence of your stakeholders unless you are very clear about what the implications are and what you are doing about them.

And there can’t be any doubt about that, albeit you have to allow for a range of possibilities. So you see the challenge. My advice is to have one person who’s speaking to the media and use that one person the whole time. At Waikato, we used the chief executive. That way the media are getting consistent messages and they’re reconciling what happened yesterday with what’s going to happen tomorrow, et cetera.

That doesn’t mean to say that the chief executive is the one who is in touch with ministers or GCSB or anyone else in your authorising environment. You can be doing that as chair, but do make sure that you’ve got a clear script. And then it’s a matter of working forward from there. I won’t go on, but assuming you’ve got a clear and tested incident response plan, then you will know whether you’ve got a subset of the board which you can work with or whether you need to work with the whole board.

I suggest there should be a very small subset of the board, because that allows for flexibility. The other thing that you will be clear about is how and when various events need to occur. And by that I mean I sincerely hope that you’ve got offline backup, because if you haven’t got that segmentation and you’re dealing with patient data, et cetera, or even business data, you really are starting behind the eight ball.

But assuming that you have backup offline, and we did at Waikato, you can use that to restore yourself going forward, but you have to be very careful that you don’t reintroduce into your backup contamination from your original event. So this is what makes it complicated. So that would be my advice.

First 24 hours: make sure that you’ve got a grip on it and that you’re able to give good information. Always allow the possibility that it’s going to evolve. But you can’t go into the media and say, we don’t know what’s going on, which is probably the actual situation in the first 24 hours. But you do know that you’ve secured the situation and that you have a plan for going forward, and that you know that.

So you can put that into the media and you can also, as I say, make sure your stakeholders are well briefed. I’ll stop there because I know my colleagues will be able to add to it.

Murray W. Strong: Look, I’ve only got a couple of other things to add to that, KP. It just comes off the back of your incident response plan.

And having an incident response simulation with board and executive is mission critical to best dealing with that first 24 hours. Where the hot points are, you can test the way that you want to respond to something. And by way of example, whether it’s a civil defence practice run that we see NEMA running across the country, or in my time at, in New Zealand, we had a two day simulation for what was going to happen if bird flu hit the world in a bad way and borders were closed.

So what do we do with aircraft that are in the air? And the same can be applied to cyber risk and security. So I think the board simulation with executive is a really important part of how you can prepare yourself for that first 24 hours. Gordon.

Gordon Armstrong: Yeah, thanks Murray. Yeah, once again, just reinforce the requirement for a, for an incident response plan and one that’s current.

So if you put it together two years ago and haven’t looked at it since, it’s not current anymore. So you can’t just tick that box. And secondly, training and simulations and particularly testing. So we had an incident three years ago where we had a significant server failure with a cloud provider, and I hasten to add it wasn’t CodeBlue, who we no longer use, because their backup failed and then their second backup failed and we were out without anything for two days. And then despite having a contract with another service provider to provide support, they simply didn’t show up. And unfortunately, the first time we discovered this was in a real event.

So you can’t just assume what you’ve got in place is going to work. You do need to test it. You do need to have proper failover tests and drills where your provider or your backups are actually tested because you don’t want to find out there’s a flaw when it’s a real event going on.

Dame Dr Karen Poutasi: Thank you. Yeah.

Just to wrap that, I’m going to reinforce that point about your supplier network, because it can happen both ways. If you, as we did at Waikato, pull the plug on everything, then that’s going to affect your suppliers or those who are connected to you in your system. And the other side of it, as Gordon says, is if your suppliers fail, what is your backup?

So just reinforcing that it’s a systematic response that you have to plan for.

Mathew Jose: Cool. Thank you for that. We are going into the live Q&A, so just bear with me while I bring up the questions.

Dame Dr Karen Poutasi: While you’re doing that, Mathew, I’ll chime in to cover another piece that we perhaps haven’t talked about. It’s part of your planning, but we haven’t talked about having systematic rules on device connection. Obviously you don’t pick up a USB and plug it in, but who may be connected to your network?

And this is particularly if you’re thinking of health networks, with people bringing in “machinery”, in inverted commas, from external sources and plugging it in. How do you determine who may connect, and what are those rules about device connection? This is something quite basic and should always be part of your plan.

Mathew Jose: Cool. So we do have a couple of questions. If you have any questions, please feel free to pop them into the Q&A, which you will find on the top of the bar. So there is a question. Interconnections and vulnerabilities have been touched on a number of times.

In your experience, what are the most common business systems open to attacks or vulnerabilities?

Dame Dr Karen Poutasi: All and everything!

Gordon Armstrong: Yeah. It’s probably the ones you use the most, because they’re the ones that are going to be getting the highest volume. Email’s a favourite. Phishing attacks are obviously becoming more and more sophisticated. Once again, it comes back to the point of having to test and do phishing drills with your staff, catching people that get it wrong and giving them education or drills, but yeah.

There is such a plethora of different systems that people use. It’s really the ones that are the most common, and anything that connects to the internet, that are probably where your vulnerabilities are going to lie.

Murray W. Strong: I think to add to that, if there’s a default position that boards are guilty of landing on, it’s only receiving reports on what’s happening inside the firewall.

So being able to understand what’s going on outside that defence system is critical, because that false sense of security doesn’t provide anybody with any real confidence. I think the other thing to add to Gordon’s point is a lot of organisations have legacy systems that are just sitting there in the background that somebody who left the organisation five years ago had, and people have forgotten that it’s actually there.

So those things that sit dormant are also a risk. If I was to be suggesting how best to go about that, I’d contract an expert hacker to come in and test the vulnerability and the potential business impact of system interoperability, even VPNs and application programming interfaces.

Those are the bits where there are cracks that can appear. So it’s worthy of an investment to sense check and test that interoperability and where those access points might be.

Dame Dr Karen Poutasi: I was going to complement that with this: remote access is one of the issues. But Murray’s sparked a thought that we haven’t covered.

It’s obvious, but investment is necessary, and I hate to say this, but it’s going to cost in order to get the protection that you need. That is a worthy investment. I hope you will have come to that conclusion given what we’ve been saying, but a lot of you may not. In any event, in health, there are a lot of legacy systems.

And these can be vulnerable, because you can get to the point with a legacy system where it won’t even accept the latest patches. Now, I might say that wasn’t the issue at Waikato. But beware of legacy systems that in fact can’t be patched and are problematic. You’re not going to be able to fix them all in one fell swoop, but get a priority order for fixing them, and watch and monitor that as a board to ensure that you are progressively increasing your resilience.

Perhaps that’s something else we haven’t said. And I won’t go on about it, but when you look at this, you’ll say, we have issues that we need to address, and hopefully you’re onto those. You should address them progressively, and you should see a progressive increase in your security posture.

And if you’re not seeing that, then you’ve got a problem, because the external world is getting more and more aggressive in the sense of intrusions. So your defences need to be consistently improving.

Gordon Armstrong: Just to round that out, I just want to reiterate the importance of red team penetration testing.

And probably coming back to the original question, you’re not really going to know where your vulnerabilities lie until you get someone to test them thoroughly. And it’s a great way to puncture complacency where you think you’ve got everything sorted out and you’ve got a great security posture.

Getting someone who knows what they’re doing to try and break into your system is a very good way to identify where your vulnerabilities really lie. And as Karen pointed out, it’s not cheap, but the cost of not doing it is really what you need to talk to your board about as an executive. When you’re coming to them with a budget to do these things, contemplate what the cost to your business will be.

If someone does mount a successful attack on you, locks up your data, ransomwares you, destroys your data backups, this is the kind of consequence you’re facing. So the investment is required and it is justified.

Mathew Jose: Cool. Thank you. The next question is about whether there are resources available that collate available information regarding risk relating to legislative finalities so that it can be summarised for a board presentation.

Murray W. Strong: So the answer is yes. And one of the most efficient and effective ways to do that is to use generative AI. So if you were, for example, to use NotebookLM with links to the Companies Act, any FMA requirements, any GCSB guidelines and regulatory suggestions, any sort of sector specific information that’s available, NotebookLM will provide that to you in relatively short order.

The key then is to sense check that with your legal advisors, to make sure that what is coming through that sort of filtering process is relevant within the current understanding of the legal frameworks. So yes, there are resources available, and I think you can even use that as an opportunity to display to your boards the power of that information, if it can do it that quickly.

In a live scenario around regulatory compliance, it suggests that it can do it equally quickly in terms of threat actors behaving badly against your organisations.

Dame Dr Karen Poutasi: I’d just augment that, Murray, with what is, I guess, implicit in what you’ve said: that there are very well-known, reputable frameworks nationally and internationally that you can use

Murray W. Strong: Absolutely.

Dame Dr Karen Poutasi: to be able to point to, showing that you are taking a reasonable and responsible approach to your cybersecurity. And those will provide you with some assurance, no, they will provide you with good assurance, if you’re following them, that you have got your bases covered.

Gordon Armstrong: Yeah, just to lean into Murray’s comments. Thank you, Karen. I think the rise and acceleration of AI is one of the greatest assets businesses have around all parts of business, but particularly around security posture. It’s also the greatest threat we have, because the malign actors will be using this and are using this already.

And we’ll probably talk more about this in closing statements. But yeah, probably the answer to that question is you go to ChatGPT as a starter, and then, as Murray said, get your legal team to have a look at it and make sure that you’ve captured everything. But yeah, we will definitely talk more about AI today.

Mathew Jose: Cool. Thank you. The next question is are certain organisations more likely to be targeted by cyber attacks than others? What factors motivate attackers when choosing their targets, particularly in terms of potential gains?

Dame Dr Karen Poutasi: I’ll pick up on the potential gains thing while my colleagues are thinking of a substantive answer to that question, because I would go back to all and every, really. But Waikato was subject to a ransom request. Government posture is that we do not pay ransom at any stage.

That is for government agencies. Of course, the corporate world has to make its own decisions in that regard. But it was a ransomware attack, and it took them four days, I think, to put through the request for ransom. And that’s a business, as I say; for our government, we do not pay ransom. For corporates, it’s a business decision to make. So I’ll stop there and hand over to my colleagues.

Gordon Armstrong: I think you’re right, Karen, in your comments that this is really everyone. Certainly it’s less about hackers doing this for reputation now. It’s a business. So ransomware attacks, cyber attacks, are a business.

There are plenty of organisations in Eastern Europe and parts of Asia that will sell you ransomware capability tailored to your requirements to attack anyone you want. And it’s a numbers game. So large organisations are clearly attractive, because they potentially might have deeper pockets for ransoms, but on the other hand, they’re likely to have more sophisticated cybersecurity.

So with the rise in AI solutions, you can simply sit and forget as a malign actor, and it will attack anyone and everyone looking for a vulnerability. So maybe you pick up half a dozen smaller entities rather than one large one, and you’re still making money as a cyber attack outfit.

So I think it’s a good question, but the risk in it is that we assume that because we are small and we are below the parapet, we won’t be targeted. I think you have to assume that you will be targeted, that everyone will be targeted, and they’ll be targeted with the same level of sophistication as a large organisation.

Murray W. Strong: And really only two brief things to add to that. There are abilities for people who want to get into being a bad actor in cyberspace. There are online fraud tutorials about how to do it. So when you think about the ease of getting into that type of activity, it’s not difficult. It’s a low bar of entry. And there is a very easy purchase ability for people on the web for physical card exposures, copies of passports and two factor authentication bypass programs.

They can all be purchased on the dark web. So with the ability to access the tools virtually by a few keystrokes, we have to be serious about the fact that it’s going to be everybody who is a potential target. On the other side of that, large organisations sometimes get too big, and I’ve seen in a couple of instances where, because they think they are that big and therefore so vulnerable that it’s too late, they actually don’t do anything, which is fine until it isn’t.

So there’s a bunch of maturity and sophistication that needs to be brought to how we think about these things. Thanks, Mathew.

Mathew Jose: Thank you, Murray.

Dame Dr Karen Poutasi: The other thing, Mathew, just before you roll on with the next one, that we haven’t quite said yet, and maybe I should have in the sense of day one when we’re talking about an attack.

Just as we’re painting a picture of a high degree of vulnerability and why you must pay attention, there is always help to be had. So once you’ve got a grip on where you’re at and protected the immediate, don’t hesitate, don’t be afraid to ask for help. So I’ll just leave it there.

Mathew Jose: Cool. Thank you Dame Karen. Just quickly, before I go into my last question, before the Q&A, there are actually two questions, which are around the same theme: what processes or questions should you ask software providers to gain comfort that their systems are safe for us to use?

So it’s talking about third parties or suppliers. How do you?

Murray W. Strong: I guess that goes to Gordon’s point, right? Earlier on, around the failure of service providers when he needed them most. And it’s a little bit like any contracting relationship. As the principal or prime holder of the contract, the expectation is that whoever the contracted party is, they and their suppliers or subtrades or subcontractors will also have the necessary systems and processes in place to deal with these sorts of issues. So setting that up as a contractual expectation early in any relationship is something that your legal guys should be thinking about.

Mathew Jose: Cool. So to wrap up the panel, what is the one piece of advice you’d give the audience of the webinar to build resilience and protect the organisation from cybersecurity threats? I’ll open it up to the panel.

Gordon Armstrong: I might kick this one off, and probably just harking back to the last question we had about how you guarantee that your external providers have got the appropriate level of security.

Because of course, once you connect to them, you’re as exposed to any flaws that they have in their system. And I think my big piece of advice is lean into AI. People will already be using it in their business processes, but think about how you use it for cybersecurity. The bad actors will certainly be using AI. Having some sort of automated response or managed response inside your firewall, so that if something does get through, whether it’s because of a breach in your security or a breach in an external provider’s security, you have a backstop: you have something that is adaptive and learns and recognises things that are amiss and is able to respond to that.

I think anyone who isn’t using cybersecurity AI solutions within the next six to 12 months is probably putting themselves almost catastrophically at risk, because the rise in this and the acceleration of the sophistication of attacks that we will see means that you need to be ready. You don’t bring a knife to a gunfight.

The bad guys will have AI solutions. You need to make sure you’ve got them as well.

Murray W. Strong: And look, in terms of a wrap, I go right back to my earlier comments in opening. Sun Tzu in The Art of War said that if you know the enemy and know yourself, you need not fear the outcome of a hundred battles. And there’s a lot of shooting in the dark that goes on in this space.

So if you have the ability to contract the capability to monitor and hunt the bad actors across the thousands of clear, deep and dark web sources for references to your organisation and your business, at least then you are beginning to quantify the extent of the challenge that you face. So having people like the guys at CodeBlue doing this work for you, to give you visibility into the quantum and turnover of your data that’s already being discussed and traded, is an exceptionally solid foundation to start from.

Dame Dr Karen Poutasi: And my wrap would be pay attention. Don’t let it slip. Don’t make it tomorrow’s problem. It’s today’s problem. Use all the advice you’ve got to hand and take good advice. Use good people to assist you, but pay attention. Do not let it slip.

Mathew Jose: Cool. Thank you Dame Karen, and Murray and Gordon for being on the panel.

I’m going to pass it back to Dan.

Daniel McIvor: Yeah.

Thank you Mathew. And just to echo Mathew’s thank you to Murray, Karen and Gordon for your time this morning. How can CodeBlue help? A recent Institute of Directors survey said nearly half of our boards are not getting cybersecurity reporting.

So that’s a real problem if you’re actually managing the risk at a governance level. CodeBlue has developed a service called Risk Aware, which comprises three parts: a risk assessment, which is ongoing, and it’s based on a platform which you actually have access to as an organisation.

Cyber is not just an IT problem. You can’t fully outsource cyber risk to a third party. So our offering, Risk Aware, is based on a platform that we both share. Your organisation accesses it, we access it, it helps you align to an international framework, NIST, and you can assign actions to improve your security posture, both internally and to your third parties.

We believe we’ve got it at a really exciting price point for the New Zealand market. It’s a small monthly cost, and the annual cost is about half of what we are seeing competitors offer this for as a one-off exercise. So you get the ongoing platform and ongoing engagement of a cyber consultant for about half of what we’re seeing delivered for a one-off cost.

You can add a couple of add-ons to this service: external attack surface monitoring, where we’re monitoring your environment from across the internet as if we’re a bad actor and seeing if you’ve got any vulnerabilities. And we’re also monitoring the dark web and clear web to see whether there has been a breach and whether any of your precious data has been put on the dark web.

We are going to ask you today to provide us some feedback so we can improve on the webinar and get better for our next one. Five of you will win a free light assessment, where we will give you access to our platform for 30 days and you’ll get a consultation with one of our cyber consultants, so you can get a real taste for what this product can deliver.

So again, please leave your feedback to be in the draw to be one of those lucky five businesses that get to try Risk Aware now.

I just want to thank Murray, Karen and Gordon once again and to all of our customers who have joined us online today for our webinar. The joint discussion we had today has made one thing clear. Cybersecurity isn’t just an IT problem, it’s a business risk. It demands leadership action. We’re seeing a real challenge here in New Zealand right now where businesses don’t understand how to measure cyber risk specific to their business.

They’re not reporting on that risk at a board layer. So we’re not having conversations at the board table, and as a consequence, we’re not freeing up the funding it needs to truly protect the organisation. This is a real problem for directors.

For our audience here today who are not existing CodeBlue customers: we are part of the Fujifilm Business Innovation New Zealand family, and a leading managed service provider that’s been servicing the New Zealand small and medium sector since 2004. As part of our services, we help organisations take control of their cybersecurity with structured, proactive strategies.

And that’s why we’ve developed Risk Aware, a service designed to give businesses real visibility into cyber risks and provide a clear, actionable roadmap for strengthening security and meeting compliance requirements. We’d really love to hear your feedback today, so please scan the QR code, leave your feedback, and you might be one of the Lucky five organisations to get a taste of what Risk Aware can deliver for you and your organisation.

Thank you very much and feel free to chat to any of your CodeBlue colleagues. If you’ve got any further questions please reach out to your account manager and we’d love to have a further discussion about what we can do to help. Wishing you all a fantastic day here. Thank you very much.

Yeah, thank you all very much. Thanks everyone. Thank you. Cheers.

Level up your governance

As cybersecurity threats grow increasingly sophisticated, New Zealand boards and executives must prepare for potential regulatory changes influenced by Australia’s evolving standards. These changes will have a significant impact, especially for sectors handling sensitive data, such as healthcare and financial services.

Reach out to CodeBlue today for expert support and advice to level up your cyber governance.

Speakers

Dame Dr. Karen Poutasi, Independent Director

Dame Karen Poutasi is a seasoned leader with a distinguished career in public service.

She currently serves as a Director at RHCNZ, New Zealand’s premier private radiology provider, and as Chairperson of Kāpuhipuhi Wellington Uni-Professional.

Previously, Dame Karen was the Director-General of Health and Chief Executive of the New Zealand Qualifications Authority. Dame Karen has contributed extensively to the health sector - as the Commissioner at Waikato District Health Board, as a board member and later Chairperson of Health New Zealand. Dame Karen also chaired Taumata Arowai – the Water Services Regulator during the same period.

Gordon Armstrong, CEO, Auckland Eye

Gordon Armstrong is the CEO of Auckland Eye, the leading eye care specialist group in New Zealand.

With deep expertise in organisational transformation, Gordon has an impressive track record in strategic vision implementation, business development, and establishing joint ventures and diversified services. His collaborative approach and professionalism make him a key voice in operational excellence.

He has held CEO roles in private healthcare for 17 years.

Murray Strong, Independent Chairman & Director, Speaker, Board Member, https://r2future.com/

Murray is a highly experienced Chair and Board member, having served on 23 Boards, with 18 as Chairman.

His extensive governance portfolio spans companies, Crown entities, large infrastructure projects, digital transformation initiatives, and statutory interventions.

Murray has held continuous chairing roles since 2001, serving on sub-committees including Finance, Audit & Risk, Capital Investment, and Transformation, demonstrating his commitment to robust leadership and governance.

Daniel McIvor, General Manager, FUJIFILM CodeBlue New Zealand

Daniel holds operational and financial responsibility for the CodeBlue business unit as the General Manager.

He has worked within the CodeBlue business for over a decade and enjoys nurturing passionate, customer-focused teams.

Daniel has experience in a variety of functions including general management, technical and business development. He puts the customer experience before everything else and loves helping businesses align their IT platforms to their key strategic and financial objectives.

Mathew Jose, Chief Information Security Officer, FUJIFILM CodeBlue New Zealand

Mathew Jose is an accomplished information security professional with over 15 years of experience in various IT roles. As the Chief Information Security Officer (CISO) at CodeBlue NZ, Mathew focuses on governance, risk management, compliance (GRC), and security operations.

He is dedicated to developing innovative cybersecurity products and services that simplify complex security concepts and enable businesses to thrive. Before joining CodeBlue, Mathew held key positions such as Privacy Officer and Information Security Officer at Qrious Limited, and Chief Cyber Security Officer at CyberSecure 360.

Mathew holds a Master of Science (MS) degree in Computer Science from The University of Waikato. He is also certified in GSLC from GIAC. Mathew believes in the power of cybersecurity as a business enabler and is committed to fostering a secure and resilient digital environment.

Key points from the webinar

Dame Dr. Karen Poutasi

  • Cybersecurity is a critical business issue, not just an IT problem, and ignoring it is done at one’s own peril.
  • When a major cyber incident occurs, boards must have a tested incident response plan, remain calm, and have a clear script to brief stakeholders.
  • In an environment where threats are constantly evolving, defenses must be consistently improving, and organizations must progressively increase their security posture.

Murray Strong

  • A key to cyber resilience is having the capability to monitor and “hunt” for bad actors who may already be inside or attempting to breach your organization.
  • Boards should expand their understanding of cyber risk and define their risk appetite to determine the necessary level of reporting and investment.
  • The importance of conducting incident response simulations with the board and executive team to prepare for the first 24 hours of an attack.

Gordon Armstrong

  • Many SMEs in New Zealand lack cybersecurity knowledge and need to proactively seek out the necessary expertise to embed it into their business strategy.
  • Boards should receive quarterly reports detailing the number of thwarted attacks to make the threat feel real and not just a “conceptual problem”.
  • Everyone in an organisation has a responsibility for cybersecurity, and the human element is often the weakest link, making education and training crucial.

Daniel McIvor

  • Cybersecurity is a major business challenge, and leaders must be decision-makers to build organisational resilience.
  • A recent survey showing that nearly half of boards are not receiving cybersecurity reports, making it difficult to measure risk, have board-level discussions, and secure funding for protection.
  • CodeBlue’s “Risk Aware” service is a solution to provide businesses with visibility into cyber risks and a roadmap for strengthening security.