TEN things the government says you need to know about your cyber-security defence

by | Dec 31, 2024 | News, Security

Regular readers will be a little tired of hearing us talk about cyber-risk and the threat of hackers. 

You’ll forgive us a little because we see the impact when events happen, and we spend our days protecting our clients to keep them safe.   

But we’re just a tiny cog in a huge infrastructure to keep you secure. 

The government has increasingly stepped up through its agencies and brought its cyber-teams together in the National Cyber Security Centre (NCSC). This includes CertNZ, New Zealand’s Computer Emergency Response Team.

They are key to this story because they’ve recently developed a set of critical controls designed to help organizations prevent, detect, and contain cyber threats effectively.

CertNZ is a key organization dedicated to enhancing New Zealand’s cyber security resilience. It operates under the National Cyber Security Centre (NCSC) and provides trusted cyber advice and authoritative information to businesses, organizations, and individuals. CertNZ tracks the cyber threat landscape in New Zealand and offers practical guidance on how to structure and manage cyber security investments and respond to incidents of national significance.

The CertNZ 10 Critical Controls

CertNZ has identified ten critical controls that organizations can implement to bolster their cyber security posture. These controls are designed to align closely with the NCSC Cyber Security Framework and provide a comprehensive approach to managing cyber risks.

Most of this will be familiar for regular readers, and for KARE Foundation customers. But it is reassuring to hear the same requirements from someone else!

1. Patch Your Software and Systems: Keeping software and systems up to date is crucial in mitigating vulnerabilities. Regular patching reduces the risk of exploitation by attackers and strengthens overall system security.

2. Implement Multi-Factor Authentication (MFA) & Verification: MFA adds an extra layer of security by requiring multiple forms of verification before granting access. This control is essential for preventing unauthorized access caused by weak or compromised credentials.

3. Provide and Use a Password Manager: Strong, unique passwords are vital for securing accounts. Password managers help create and manage complex passwords, reducing the risk of password-related breaches.

4. Centralized Logging: Collecting logs from endpoints, servers and cloud services into one place gives visibility of activity that no single system can show on its own. Detailed, correlated logs help identify and respond to security incidents more effectively.

5. Security Awareness Building: Human behaviour plays a significant role in cyber security. Regular security awareness training helps staff recognise common threats and know how to report and respond to suspected incidents.

6. Asset Lifecycle Management: Tracking software and hardware from purchase to decommissioning helps maintain an accurate view of the environment. Regular maintenance and updates prevent vulnerabilities in outdated assets.

7. Implement and Test Backups: Reliable backups are critical for restoring data after cyber incidents. Regularly testing backups ensures that data can be recovered quickly and effectively.

8. Implement Application Control: Allowing only approved software and files to run on systems, and blocking everything else, prevents unauthorized applications from executing. This control is essential for reducing the risk of malware infections.

9. Enforce the Principle of Least Privilege: Granting users only the minimum access needed to perform their job reduces the risk of accidental or intentional security incidents. Role-based access control and just-in-time access further enhance security.

10. Implement Network Segmentation: Breaking the network into smaller segments with access controls limits the movement of attackers and protects critical systems and data.
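Control 4 is the one whose value is hardest to see from a one-line description, so here is an added example (not CertNZ guidance or Kinetics code) of why logs need to be in one place. The log lines are constructed for the example and the thresholds are illustrative. A password spray tries one or two guesses per account across many hosts, so each host's local lockout logic sees nothing alarming; only when the same events are correlated centrally by source address does the attack, and the one account it got into, become visible.

```python
"""Centralised logging vs per-host view of a password spray.

Added example, not CERT NZ guidance or Kinetics code. The log lines below
are constructed; the thresholds are illustrative and would be tuned per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Each host sees at most ONE failure per account from
# 203.0.113.45 (below any sensible per-host lockout threshold), but the same
# source sweeps many accounts across several hosts in under a minute, then
# gets in as "erin". 198.51.100.7 is a legitimate user mistyping once.
SAMPLE_LOGS = """\
2024-12-30T09:00:01Z fileserver01 sshd: Failed password for alice from 203.0.113.45
2024-12-30T09:00:09Z fileserver01 sshd: Failed password for bob from 203.0.113.45
2024-12-30T09:00:14Z webapp02 auth: Failed password for alice from 203.0.113.45
2024-12-30T09:00:21Z webapp02 auth: Failed password for carol from 203.0.113.45
2024-12-30T09:00:33Z vpn-gw auth: Failed password for dave from 203.0.113.45
2024-12-30T09:00:40Z vpn-gw auth: Failed password for erin from 203.0.113.45
2024-12-30T09:00:52Z fileserver01 sshd: Accepted password for erin from 203.0.113.45
2024-12-30T09:05:00Z webapp02 auth: Failed password for frank from 198.51.100.7
2024-12-30T09:05:30Z webapp02 auth: Accepted password for frank from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(text):
    """Turn syslog-style lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def per_host_alerts(events, threshold=3):
    """What each host can see on its own: repeated failures for one account
    on that host. Returns (host, user) pairs at or over the threshold."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "Failed":
            counts[(ev["host"], ev["user"])] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


def spray_alerts(events, window=timedelta(minutes=5), min_users=5, min_hosts=2):
    """What central correlation can see: one source failing against many
    distinct accounts on several hosts inside the window, plus any account
    that source then successfully logged into within the same window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            end = first["ts"] + window
            in_window = [e for e in fails[i:] if e["ts"] <= end]
            users = {e["user"] for e in in_window}
            hosts = {e["host"] for e in in_window}
            if len(users) >= min_users and len(hosts) >= min_hosts:
                got_in = {e["user"] for e in evs
                          if e["result"] == "Accepted" and first["ts"] <= e["ts"] <= end}
                alerts.append({"src": src, "users": len(users),
                               "hosts": sorted(hosts), "compromised": sorted(got_in)})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("per-host lockout view:", per_host_alerts(evs))   # nothing fires
    print("central correlation:", spray_alerts(evs))        # one spray alert, erin compromised
```

The per-host view returns an empty list for this data, while the central view flags 203.0.113.45 hitting five accounts on three hosts and names the account it got into. That is the practical argument for control 4: the detection is not cleverer, it simply has all the data.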

UPCOMING WEBINAR: What are the NZ Government recommendations for SME Business cyber-security?
How does your business match up?

CertNZ has been rolled into the new National Cyber Security Centre. They’ve released the 10 Critical Controls and a Cyber Security Framework.
What do they mean, and how does your business compare?


Webinar: Wed February 19th, 10am.  Register Online.

Aligning with the NCSC Cyber Security Framework

The CertNZ critical controls are built within the context of the NCSC Cyber Security Framework. This framework provides a systematic approach to managing cyber risks and improving overall security posture. By aligning with this framework, organizations can ensure a cohesive and strategic approach to cyber security.

Implementing the CertNZ critical controls is a proactive step towards enhancing cyber security. These practical measures help organizations prevent, detect, and contain cyber threats, ultimately safeguarding sensitive information and maintaining operational integrity. By adopting these controls and aligning with the NCSC Cyber Security Framework, businesses can build a robust defense against the ever-evolving cyber threat landscape.

The key message is that the level of security that was practical a few years ago is hopelessly inadequate today. We need to do more, with new tools and practices, and while these have a cost, it is a great deal less than the cost of being hacked.

The good news is the Kinetics KARE Foundations plan is built around these controls and we’re keen to make sure every client understands their protections relative to this framework.
