The director of the Government Communications Security Bureau’s National Cyber Security Centre (NCSC) says the exploding use of the Internet of Things is making New Zealand’s businesses increasingly vulnerable to cyber-attacks.

Lisa Fong said the new guidelines, Supply Chain Cyber Security: In Safe Hands, were not spurred specifically by the recent high profile DDoS attack on the NZX or the data breach at the Reserve Bank.

“Cybersecurity vulnerability to supply chains is one of the major risks organisations face today. Compromises can have a substantial impact on an organisation’s operations as well as reputation.”

She said the new advice encourages companies of all sizes to foster better working relationships with their suppliers.

“Even for mature organisations who have sound processes around cybersecurity, supply chain risk is about looking at the cyber hygiene outside the organisation.

“The methodology is a way for cybersecurity professionals to engage their governance processes on the risks that they see, as well as to give business leaders an overview of the framework, they should expect to be in place to govern those risks.”

A prime example is the attacks on US software giant SolarWinds. After suspected Russian hackers added malicious code into SolarWinds’ systems, the company unknowingly sent out software updates to customers that included the code, which created a backdoor through which the hackers reportedly could keep tabs on SolarWinds’ customers, which included the US Department of Homeland Security.

The new NZ guidelines are not compulsory, and Fong said the first step any willing organisation must take is identifying all their suppliers to better understand the potential exposure to risk.

When everything's connected

The advice says the rise in Internet of Things (IoT) devices, remote access technology, and cloud-based IT systems has resulted in a complex supply chain where an organisation's IT department might not have full assurance of cybersecurity.

Fong said the guidelines encourage executives to be closer to and have a better grasp of the technical aspects of their organisations.

“It broadens out the responsibility beyond IT so that we see all parts of a business engaging with the supply chain so it’s not purely visibility from governance or the IT or security department in those engagements.

“If all organisations are more demanding customers, if they require in their contracting processes certain levels of assurance, reporting and monitoring, then it will become the norm."

The NCSC is clearly worried about the risks NZ businesses face by not being on top of cyber risk.

When part of the guidelines suggests placing “emphasis on positive recognition for staff who exemplify best practice: for example, by providing rewards”, it suggests NZ companies are finding it difficult to get all employees to take cyber-security seriously.