Developing Cyber Security Standards and Improving Risk Management for New Zealand Councils
Hear from Carol Cottam, the Information Services & Technology Manager from Northland Regional Council on cultivating a council-wide cyber security culture and providing effective training for staff
Starting the journey towards mitigation
The threat of a cybersecurity breach is something that all institutions, whether in the public or private sectors, need to be aware of on a daily basis. To some extent the public sector is even more fertile ground for attack because many institutions hold large amounts of data about the people they represent, and this is especially true in the local government sector. But when it comes to mitigating the risks, Carol Cottam, the Information Services & Technology Manager at Northland Regional Council north of Auckland, says “it is often difficult to know where to start.” In fact, it is so difficult that some institutions aren’t prepared when a breach inevitably occurs.
Northland Regional Council, however, knew that “it is a case of ‘when’ not ‘if’, so we knew we had to do something.” They began by surveying their environment and “understanding our organisational landscape.” This included looking at their current levels of cyber maturity, such as assessing how many operations “were in the cloud or on-prem,” looking at their devices, their firewalls and malware, and their internet usage and connections.
Importantly, they also looked at “the global threats. Is New Zealand, and its government institutions, a target?” As it turns out, last year when New Zealand along with Australia began “making global statements about the origins of the COVID-19 pandemic, there were a lot more attacks on New Zealand government sites.” Being a small, remote country is also no longer an excuse. Not only is being on the internet a potential threat, but these days smartphones are also “one of our biggest risks.” People often don’t read everything, swipe too quickly and “that’s where some of our problems can start.”
To try to overcome some of these threats and potential gaps, the council began their cybersecurity mitigation journey in 2018. “It certainly doesn’t cover us in glory from a security IT perspective that we started so late.” But at least they started, and the first thing they did was to hold educational seminars for the staff, as well as “our executive and elected members.” These seminars were “low cost but high value” and built the momentum. “We then started to modernise our security software,” which included the deployment of threat detection applications and “migrating to cloud solutions and to Office 365.” “We also started adding things like multi-factor authentication into the business. Things like that increase the security of our environment but make things less convenient for people and cause tension.”
The tension between security and convenience
In general, people want to know “what’s in it for them,” but also don’t want anything to be too much of a burden. “We have to engage with people” as a way of starting some of the mitigation, but “there is always a continuum between security and convenience.” In a busy environment with people who aren’t always on board with new security measures, the best way to implement things therefore is to do so in a way “that doesn’t impact them,” or at least not too much. For instance, “when we upgraded an application or the operating environment, we tried to make it less invasive and even silent to users.” No matter what the upgrade was though, education was still critical, and that too may be inconvenient for some.
One way, however, to “get people’s attention is with a little security breach.” Obviously it wasn’t planned, but in 2019 there “were some near misses” and then in March 2020, “our on-prem exchange server was breached.” By the standards of breaches, it was considered very small, “but significant enough nonetheless. It took two weeks for us to diagnose the attack and recover the server. The impact was quite low, especially because all our email addresses had already been migrated to Office 365.” The breached server mainly contained “internal notifications from our legacy system,” and by the end of 2020 it was put into containment anyway. But the breach was still “quite disruptive to our business as usual operations.” It did, however, “help us to get some attention and support from our senior leaders and any doubters.”
Particularly following the breach, it became even clearer that the journey that the council was on was the right one, and “I think we have achieved quite a bit, mainly by being quite careful about what we choose to upgrade and the sequence we do it in.” However, COVID-19 played havoc with that sequence and was a major disruption. It also showed how important these mitigation strategies had become. Now, it was not only about convenience, but “the line between work and personal certainly became a lot messier for our staff when they started to work at home.” With endpoint security software they could monitor internet traffic “that could potentially cause a risk to, or compromise our environment.” It could also detect what people were up to, and “some were doing things during work time that they probably wouldn’t have done if they were in the office.” The tension between security and convenience continued, and new policies as well as a “roadmap of actions” were drawn up to both harden the security and manage the staff.
Throughout the whole process, the senior executive and the elected members were informed and involved. They attended educational seminars and were kept abreast of all developments. They also provided invaluable support when they saw what was going on, particularly after the breach and during the pandemic. “They didn’t want further breaches or security compromises to happen on their watch.” In fact, they became so supportive that they even increased the budget. “Arming ourselves against cybersecurity threats could be a bit of a bottomless pit in terms of expenditure. So it’s about getting that balance right.” The IT department prepared a conservative budget and the council funded most of it, which allowed them to continue on their roadmap. The budget not only included funding for upgrades, but it was also about ensuring that existing systems work as they should. “There is a significant cost to the organisation if our IT systems are down or unavailable, so we need to try and manage that and ensure it doesn’t happen.”
Part of the balance is also about “educating people around the separation of work versus personal.” The work-life balance is being increasingly blurred, and many people got used to the idea of working from home and managing their home lives at the same time, so this is something council needs to consider and manage going forward. But the next steps really are about “keeping our systems current, and making sure they stay current.” Even with the best reinforcements and technology, “you can still be attacked and can never close that door completely, but we’re doing our best to at least keep our systems and software up-to-date.” Continuous education for the IT staff as well as for the rest of the council is also important so that security measures become embedded.
Some people may still never become comfortable with the inconvenience or with multi-factor authentication or other similar processes, but that is the price they have to pay to be safe. After all, the motto of the Northland Regional Council is: “If the land is well, if the sea is well, the people will thrive. That’s something we live by and it has been the point of our journey.”