Critical for a reason
There’s no doubt that cybercrime is on the rise. Across the globe, stories of phishing, social engineering, ransomware, malware and more are hitting the headlines with growing frequency – and the attacks are proving costly.
In March 2021, for example, a public health organisation experienced a ransomware attack, in which an unidentified group gained access to sensitive information about patients and staff, and then distributed medical records, communications, and financial information onto the dark web. More generally, cybersecurity incidents in NZ resulted in $3 million in losses in the first quarter of 2021. With cybercriminals getting smarter and organisations embracing cloud-based workloads, these costs have the potential to skyrocket.
It’s why the New Zealand government is doubling down on its approach to security for agencies. There’s the Protective Security Requirements (PSR), a set of controls all agencies must abide by, including aligning Information Security policies with the NZISM (New Zealand Information Security Manual). The Office of the Chief Digital Officer has also released specific requirements for agencies to adopt cloud services in a secure and measurable way.
Then there’s CERT NZ, an organisation providing meaningful guidance to agencies across New Zealand. CERT NZ has developed a set of effective controls to mitigate the risk of cybersecurity incidents. These controls are based on real-world data, and give NZ government agencies – and, indeed, any organisation who cares to adopt them – a clear and robust strategy for improving their security posture.
What are the CERT NZ critical controls in 2021?
Updated annually, CERT NZ’s cybersecurity risk mitigation strategies draw upon real data and insights to “mitigate the majority of information security incidents that CERT NZ has analysed.”
In a nutshell, the critical controls include:
- Patch your software and systems – to mitigate vulnerabilities used by malicious attackers.
- Implement multi-factor authentication (MFA) and verification – to protect your agency against weak or stolen credentials.
- Provide and use a password manager – to help users, individuals, and agencies store secrets in a secure and auditable way, and to prevent the use of easy-to-remember, weak credentials.
- Configure logging and alerting – to ensure your agency has visibility over potential security events and the necessary information to perform incident response and investigation.
- Secure internet-exposed services – to harden the attack surface that is most readily reachable by attackers.
- Implement and test backups – to ensure your agency can recover from an incident that impacts the availability or integrity of data.
- Implement application allowlisting – to block users and attackers from running applications that the organisation has not approved.
- Enforce the principle of least privilege – to ensure that users only have the access they require to perform their duties, and to limit the scope for lateral movement if an attacker compromises a user.
- Implement network segmentation – to prevent the spread of malware and ransomware infections, and to reduce an attacker’s ability to manoeuvre inside your organisation.
- Set secure defaults for macros – to counter the threats of ransomware and phishing by restricting macros.
CERT NZ provides helpful information and implementation advice about each of these controls, as well as insights into what success looks like.
It’s important to note that not every agency may need to implement every control to the highest level of maturity. It’s a matter of weighing up costs versus risk, as well as the potential for adversarial behaviour against your digital systems.
Top tips when implementing the CERT NZ Critical Controls
- Understand the level of compliance you need
An important first step for any agency seeking to bolster its cybersecurity credentials is identifying exactly what you need to be compliant with. Look at the relevant requirements and seek guidance if you’re unsure which level you should be aiming to achieve.
- Assign resources to get the job done
Even if you are engaging a third party – such as the experts here at Intergen – to help you implement the CERT NZ critical controls, it’s important to realise that it will take some effort. As a simple example, setting up MFA requires your staff to add their proof of identity to the apps and devices they use.
- Start small and build on your security credentials
While a graduated approach to achieving the critical controls may take longer, it is often an easier path. Look at what you can do at a base level – again, MFA is a great example here – and then tackle the harder strategies, like application allowlisting, down the track.
- Map out what you need from a tech standpoint
Accepting that some technical debt is inevitable when implementing the critical controls, focus on the business benefits – that is, how much you could save from a cost and reputational standpoint by avoiding cyberattacks. Several tools are tightly aligned with the critical controls, and could help you get there faster:
- Azure MFA with Conditional Access
- Microsoft Endpoint Manager
- Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Azure Security Centre
- Privileged Identity Management
- Work with an experienced partner
To fast-track the important task of implementing the CERT NZ critical controls, choose a partner who understands these technologies inside out and can help you set them up to suit the unique needs of your organisation. As a Gold certified Microsoft Partner for Security, Intergen has extensive experience both in helping agencies achieve their compliance objectives and in implementing meaningful security outcomes.
To find out how we can help you implement the CERT NZ critical controls, get in touch today.