Three major cyber security breaches reported already this year
Nine To Noon
A cyber security expert is worried New Zealand is woefully unprepared for a nationwide cyber emergency.
The latest National Cyber Security Centre report, for the first quarter of the year, highlighted that there were three incidents likely to affect key sensitive data or disrupt important services in organisations of nationwide significance.
In May, the Privacy Commissioner found that Health New Zealand and patient portal Manage My Health “failed in their responsibilities” to have sufficient security controls when hundreds of thousands of medical files were stolen in a cyber attack.
Described as one of the country’s biggest cybersecurity incidents, the hack obtained access to sensitive health data held by privately owned patient portal Manage My Health in December last year.
In February, another privately owned patient portal, MediMap, also identified unauthorised activity.
In March, private healthcare provider IntraCare, which specialises in “image-guided precision medical diagnostics and interventions”, was hit by a similar breach.
Prior to these, New Zealand had not been affected by a major attack (C2) on the National Cyber Security Centre’s scale for more than four years.
Aura Information Security general manager Patrick Sharp told Nine to Noon there were six categories on the scale.
These range from a C6, or a minor incident, to a C1, or a nationwide cyber emergency. A C1 is an incident causing extreme disruption to a core New Zealand service, and/or affecting key sensitive information, “undermining the economic or democratic stability of New Zealand”.
A C2, or a highly significant incident, was a known or possible impact affecting key sensitive information or disruption of important New Zealand services in organisations of nationwide significance or the government.
Sharp said he was “very nervous, constantly nervous” about the possibility of a C1.
“We spend a lot of time thinking about how to avoid that sort of incident.”
He added New Zealand was not prepared for a nationwide cyber emergency.
“I think that an impact like that would have an extraordinary impact on New Zealand.
“I mean, that’s why it’s the highest category, right?”
Sharp said the incidents in the first quarter of the year were the first since May 2021.
“That was the Waikato DHB breach, which some people called the worst incident in New Zealand history, so it’s unusual to see that many.”
He urged other businesses to learn from these, particularly following a report by the Privacy Commission and the Ministry of Health.
“They provide a thorough analysis of what’s happened, what’s gone wrong, and the lessons that we can learn.”
Sharp said most businesses struggled with governance, especially when it came to making an informed decision about cyber security.
He said multi-factor authentication, in particular, was still missing in many.
Some people were also not setting it up, or were using weak passwords.
“We were doing some penetration testing, some ethical hacking on a business just the other day, and we found they had a whole lot of passwords, which are pretty much password 1, 2, 3.”
Sharp said a survey by Kordia, which owned Aura Information Security, found only half of boards had discussed cyber security.
“It makes a huge difference when the directors are actually talking about security,” he said.
“Of our survey, which is companies over 50 seats, 50 percent of them have not practised their incident response plans.
“I can assure you if they haven’t practised that plan, they are not ready for a major incident.”