Andrew Hampton, who took on the role of GCSB director-general in 2016, has had a variety of jobs across the public sector — he spent much of his career in the justice sector — but his job now is the one he has found the most interesting and challenging.
The job was one that was very focused on the wider world, and that world was a "pretty interesting place at the moment", Mr Hampton said during a visit to Dunedin this week.
His engagements in the city included talking to the Otago Southland branch of the Institute of Directors about cyber security resilience and effective governance.
As the complexity of such incidents increased, all organisations were likely, at some point, to have to deal with malicious cyber activity. Yet they were in quite different places in their ability to even detect, let alone respond to or recover from, such activity, Mr Hampton said.
While the GCSB had a role in responding to incidents, one of the most important things it could do was help organisations protect themselves and it had a real focus on helping them improve their own resilience.
Capability needed to be developed to detect such activity and a plan prepared outlining what to do in the event of a compromise, and that needed to be reviewed regularly. It was not just about how the immediate aftermath was dealt with but about the recovery as well, he said.
While some organisations saw the topic as an issue for their IT team to look after, the responsibility for improving cyber security governance sat at the highest level in an organisation, and it was something that needed to be a top priority for those governors. A practical guide had been prepared for boards and executive teams about what they needed to do.
In 2018, the National Cyber Security Centre, part of the GCSB, surveyed 250 organisations in the public and private sectors, from large Government departments to exporters of niche products, to get an assessment of their approach to cyber security. What it found was a "work in progress", he said.
While 73% of the organisations surveyed had increased their spending on cyber security in the past year, the survey suggested that investment had not translated into increased confidence in their cyber security resilience.
Only 19% of the organisations had a dedicated chief information security officer and only one-third had identified what their most important information assets were. It was also found that reporting to boards around cyber security was quite "ad hoc", Mr Hampton said.
Of the organisations surveyed, 72% used some type of managed service provider but 36% of those had no mechanisms in place to confirm whether their vendor was delivering on the agreed level of IT security. Also, 41% of organisations remained less than confident of their ability to detect an intrusion.
While there was definitely an increase in awareness around cyber security, it was now at the point of how to turn awareness into actual action; it could not just be handed over to the IT team "and say sort this out", he said.
While acknowledging it was a challenge for smaller organisations, he said it came back to asking basic questions, including knowing what your most important information was.
Part of the solution was technology, part was planning and part was people, and basic steps, such as using strong passwords, could stop an organisation being a soft target.
He likened it to criminals driving around the streets looking at which houses they wanted to "do over". If the front door was open, then they were likely to "have a go", but if the door was locked, then most would go past.
In the past, New Zealand had some justification in saying that it was a long way from everyone else and that distance would help keep it safe from most threats. But the Christchurch mosque attack a year ago had shown it was not immune to terror attacks.
With the general election in New Zealand this year, the GCSB was working with the Electoral Commission to help protect its systems, and also with MPs, candidates and political parties to give advice on how to keep safe online.
Mr Hampton gave a lecture to the University of Otago’s political science department, where he spoke about national security and the work the bureau did, what was seen in terms of cyber threats and the process the Government went through when it wanted to attribute malicious cyber events to a particular actor.