Tune in to Paul Spain and Tom Roberts, the team lead for threat and incident response at Cert New Zealand NCSC. Tom highlights the increasing complexity of cybersecurity threats in New Zealand and an in-depth look at cybersecurity challenges and the government’s involvement in New Zealand’s cybersecurity landscape. The discussion covers:
- The importance of reporting cybersecurity incidents
- CertNZ and the National Cybersecurity Centre in protecting the country’s cyber resilience
- Emphasis on evidence-based decisions and reporting for policymakers and cybersecurity ecosystem
- Raising awareness and contributing to New Zealand’s cyber resilience
- Pacific resilience and engagement in two-way information sharing
- Importance of person-to-person connections in cybersecurity
Special thanks to our show partners: One NZ, 2degrees, Spark NZ, HP, and Gorilla Technology.
Episode Transcript (computer-generated)
Paul Spain:
Hey, folks. Greetings and welcome along to the New Zealand tech podcast. I’m your host, Paul Spain, and today we have Tom Roberts, threat and incident response team, lead at CERT, New Zealand, joining us. Welcome to the show.
Tom Roberts:
Sure, Paul, thanks for having me. It’s fantastic to be here and fantastic to talk to you.
Paul Spain:
Yeah, I agree. This is good. Long time coming. Great. You know, really, really good to be able to, you know, hear from you and really to delve into today a little bit about the role of CERT here in New Zealand, the National Cybersecurity Centre. Learn a little bit about the merger that’s sort of taken place recently, but also really, really delving into what’s happening in the sort of cyber security threat landscape in New Zealand and the role that the government is playing here to help us as New Zealanders and. And those within New Zealand organizations to stay, hopefully more on the right side of the fence than the wrong one. So, yeah, really fantastic to have you on the show.
Paul Spain:
Thank you to our show. Partners to One NZ, 2degrees, Spark, HP and Gorrilla Technology for their support of the New Zealand Tech Podcast. So, yeah, let’s jump in, maybe tell us a little bit about your background and your current role.
Tom Roberts:
Yeah, so I’m the team lead for threat and incident response here at CERT, New Zealand NCSC now, and I’ve been doing that for about the past year, interfacing, you know, with business individuals, that sort of side thing. It’s weird. I didn’t always know that I was going to get into cyber security. It’s sort of something that I sort of wandered into off the back of leaving the military. And I was in electronic warfare since I was an 18 year old in the New Zealand army. So, yeah, and then I. Obviously there’s a lot of parallel there. Instead of necessary waveforms and transforming waveforms into digital and then sort of doing all that side of the house, it is very much digital now, although there’s a lot of intersection between the two.
Tom Roberts:
And, yes, here at CERT, we focus on business and individuals, really helping them try to build cybersecurity, resilience. Resilience is pretty important and my team is a bit like the ambulance at the bottom of the cliff. And hopefully we can get people back on track, get them to where they need to be cyberwise after they’ve had an incident.
Paul Spain:
Look, some folks might be curious about your, you know, what you mentioned in the army there, the sort of electronic warfare. What can you share about that? What does that mean? What does that look like? As much as you have security clearance to discuss it.
Tom Roberts:
It’s funny. It’s funny. Cause, like, when I was in high school and I was sort of looking around, I was like, what do I want to do? And I said, I want to be a medicinal, and I want to help people medicine and be a helicopter medic. And I thought that’d be fantastic. So I went to the recruiting office, and then they said, oh, yeah, you can do that, but if you want to get in straight away. And me being sort of this kid leaving high school, I need some money. So they were like, oh, well, you can change. You can change once you’re in.
Tom Roberts:
And then. So I went in, I didn’t know what I was signing up for. And then I said, yes, sure, I’ll do this electronic warfare thing. And then I sort of blink. And then eight years later, eight years full of pinch me moments, it all sort of disappeared. And it was absolutely fantastic. So I suppose what it is, is electronic warfare is detecting electromagnetic signals in the vast sort of spectrum that it is and then finding them and doing that sort of thing. So it was fantastic.
Tom Roberts:
Absolutely amazing. And great bunch of characters. Absolutely great bunch of characters that are there.
Paul Spain:
So what would be an example of something that you would come across in that work?
Tom Roberts:
There’s all sorts of things. Absolutely all sorts of things. As you can imagine, the radio spectrum is used for nearly everything these days. FM in your car and all that sort of thing. So the role of electronic warfare is to intercept enemy communications in a tactical battle space environment and then provide options to the commander on the field to see, hey, actually, maybe you don’t want to send your troops over there. Maybe you do. And give decision makers that sort of information advantage. Yeah, it was very cool.
Tom Roberts:
Very cool work. But, yes, as you can imagine, it’s a tight knit group of people. Very tight knit group of people and very highly technically focused, working in some extreme sort of circumstances. I remember having to put your pack on and just go ten ks through very thick bush to try and set up a good location. Because often where you get, as you’ve seen, sort of radio antennas on the sides of hills and on hills, they’re not necessarily the best place to go. So they’ll drop us at the bottom and then we’d walk our way up. Good for your legs. Good for your legs.
Tom Roberts:
Maybe not so much for your back, but good for your legs.
Paul Spain:
And so you’re involved in international deployments on this sort of front.
Tom Roberts:
Yeah, we’re fortunate to go all sorts of places, as you can imagine. Being a soldier and all that sort of things, you do sort of go all over the world and very fortunate for that. Yeah.
Paul Spain:
Oh, thanks for, thanks for that background. CERTainly sets the scene a little bit. And so, you know, what brought you into. Into CERT in this role?
Tom Roberts:
At the time I was at MBie Ministry for Business Innovation and Employment and CERT NZ, while it was in MBIE, has like fantastic reputation. And then I saw an opportunity open there and I was in the flood and cyclone data space and performance reporting for MB’s involvement with Cyclone Gabrielle. Sort of learning about how we can help businesses and individuals recover from a flood. And then so the natural sort of convergence of two worlds when the opportunity opened, so made the leap across, did thorough investigations and, you know, certainly had a really good reputation and then also I sort of knew the direction that it’s heading and, you know, the outcomes of the CSAC report, sorry, cybersecurity adviser advisory committees report into where our cybersecurity agencies should be going. And so I thought that’s a fantastic sort of mission and a fantastic sort of way that I know that I could make a difference bringing sort of a bit of a business lens learned from NBIE as well as a bit of a sort of cyber national security lens from time and defence. And so that’s the convergence has been and CERT’s fantastic. Like that really is a great culture here of people that really do just want to help businesses and individuals and then you strike people on their worst days at times and the CERT whnau are fantastic at helping people through. So, yeah, it’s a really, really convergence now.
Paul Spain:
Obviously there’s been a bit of, you know, change taking place, you know, cert from being a separate entity now merging with the National Cybersecurity center, which is part of the GCSB. So you’re tied in there with the spooks. Walk us through this merger a little bit. What does that mean for you? What does that mean for those of us that be looking to government from a cybersecurity perspective?
Tom Roberts:
Yeah, great question. I suppose we have to cast our eye back to last year, end of start of last year, when the national security strategy came out and it identified a bunch of these sort of twelve key issues and then the report that came out as well, the CSAC report, which made a bunch of recommendations and then through to now. So thematically it means that Kiwis are going to be getting a much better service delivery. Previously there’s been quite a lot of overlap and for good and for bad. But when you’ve got two agencies sort of vying to cover the same area, it doesn’t necessarily always create harmony. Right at the end of the day, we need to be victim centric and we really want the best outcomes for Kiwis, whether that’s national security outcomes or whether that’s a person doesn’t lose their life savings through a phishing attack. So what this has enabled government to do is bring together a bunch of different functions and really sort of lean forward and go through into the sort of the next step of our lead cybersecurity agency. It’s been good, it’s been fantastic, it’s been a great journey, lots of learnings and sort of.
Tom Roberts:
I’ve always sort of found it interesting as someone that sort of had a foot in both camps for a while, seeing the sort of individual business mind coming into this national security sort of behemoth, but then also seeing these people that are in the national security side, fantastically smart people now having to look at business and individuals and go, actually, this applies to our work as well. And that’s been fantastic. It is still an ongoing process, but what’s happening at the moment is essentially the alignment of functions, incident response and incident response, very similar in both agencies. So we’re sort of just creating a really fantastic sort of all of economy, business, individual, national security focused incident response team and being there at the start of something new. I’ve got no greater sort of privilege to be able to do that. CERTainly being surrounded by smart people working on hard tasks is really cool.
Paul Spain:
Right. So, I mean, how big is the team across this cybersecurity side of things? Is that something you can talk to?
Tom Roberts:
Yeah, so we don’t release those sort of figures. Any sort of indication on size also gives us an indication on capability. And we have to be conscious now that we are in a complex strategic environment and so we don’t want to be giving too much away. But look, what I will say is that we’re well set up to protect New Zealand business, individual and national security risks. And the people part of that play an important part. But also the alignment of technology, the alignment of baseline service delivery is going to mean that we’ll be able to do that in a much better way.
Paul Spain:
Yeah. So there’s some levels of efficiency that really come from the merger, right?
Tom Roberts:
Oh, huge, yeah, yeah, huge.
Paul Spain:
Yep. So maybe talk to the picture of, you know, what should, you know, what should people be expecting now from, you know, in terms of sort of general offerings and in terms of sort of capabilities that are coming from this, I guess, you know, new iteration of CERT and the National Cybersecurity center together.
Tom Roberts:
Yeah, I know at the time there was, there was quite a lot of dialogue online and quite a lot of, you know, we’re going to lose the individuals. You know, the individuals are going to lose out. The business is going to lose out. But no, that’s certainly not what’s happening. It’s businesses and individuals should be able to see that. You know, we’re going to have strengths that is like a system wide level strength, being able to help people. I think, like, a really good example of this is the teams own your online website. The fact that we can translate sort of really technical information that have derived from, like, you know, national security sort of settings and that sort of world, and we can get to distill that.
Tom Roberts:
And so they’re so what for the individual and business, I think that’s a, that’s a great outcome. Already we’ve seen that, like, there’s a quiz online at the moment on your online where people can basically do ten questions and then gives them a checklist of stuff that they need to do, you know, two fa. We love two fa, you know, making sure that businesses are keeping logs, for example, and these lessons, I mean, the basic cyber security lessons. But it’s also like we get to take a really wide sort of threat view. Say, actually the threats are much of a muchness. It’s much of a, you know, they’re very similar. And often an individual will potentially be targeted by people that will or organizations that will target much larger entities. So being able to equip everyone with the same sort of advice and then where there’s a need going to bespoke needs on sort of individual cases, that sort of service offering will be really good.
Tom Roberts:
I know that there’s a lot of excitement and work at the moment that like, oh, hey, we can, you know, we get to sort of talk about our successes a wee bit more and, you know, like, you know, when you said we’re sort of tied in with the spokes, like, you’ve got these people that are really passionate about cyber security and CERT gives a vector for that to come out. And that’s what I’m excited for as well, and that’s what others are excited for. So in the main, hopefully there’s not much change. You don’t see a huge amount of change, and that’s good behind the scenes, it really is like individuals, businesses feeding information back up to the national security setting and then.
Paul Spain:
And what are the sort of resources that people should be looking for? Because I think CERT has been working away for some time in terms of reporting back and I guess alerting Kiwis to what the biggest threats have been varying sort of statistics. Obviously you can’t see, you know, see everything because not everything gets, gets reported. But there’s a fair bit of visibility there. But also good, you know, good resources telling folks, you know, what, what they should be, you know, considering both at that sort of individual, sort of personal level and also, you know, for organizations of, you know, of varying kinds. Yeah. What are those sort of resources that people need to be aware of that you make available?
Tom Roberts:
Yeah, so. Absolutely. Great question. So we have the New Zealand information security manual which every sCIso listening will be well aware of, I hope. I don’t think you’d be as well versed to say, listening to your favorite Taylor Swift song, but I hope that there’s a level of knowledge on that. So we get to now take a sort of the baseline knowledge of say, the fantastic research that’s gone on to the IIC. And I know people see it and they go, this is a lot of text. And you’re right, it is a lot of text and it is quite dry.
Tom Roberts:
So it should be in many respects. I personally like reading it. And now we get to say, oh cool, what does a small business actually want? Well, they want to make sure that their stuff’s working. They want to make sure that their employees are getting paid. And then the individuals get to learn from lessons that sort of cross the entire spectrum and go, well, actually, I just want to know that my Facebook’s secure. I want to know that I’m not going to be phished or I want to protect my savings. And it’s these small lessons that we can tie like a golden thread across the New Zealand cyber security ecosystem. And I think there’s a bunch of resources there.
Tom Roberts:
The quizzes that I mentioned before, not quizzes so much as I suppose it’s sort of gives you a list of things that you can do better, but there’s also greater statistics and greater measurement of our cybersecurity ecosystem. Part of the problem is, and this was outlined in the CSAC report or part one of the initial issues where actually we don’t sort of have a fulsome picture of what’s happening in New Zealand. So being able to provide cybersecurity professionals actually spear phishing. Spear phishing is complex, especially when people have information about CEO’s and then you get into transferring money, pretending to be an authoritative figure and stuff. We’ve seen that across the Tasman, being able to know authoritatively across the whole system that these are the lessons that we’ve been learning and then putting them into digestible resources. A fantastic thing that’s happening down and I don’t want to throw the team under the bus, but an incident response plan, a simplified incident response plan and it’s looking fantastic. It’s looking really good and it’s dear to my heart. That’s going to be something that we can get businesses to do.
Tom Roberts:
And then leveraging our fantastic friends still at MB. MB have a lot of people passionate about business there. So yeah, it’s shaping up to real good. And the resources, eventually there’s still the two brands and we’re sort of working through the motions on what those brands look like. But the advice is top notch and hopefully the alerts and stuff like that coming out to tech experts, individuals, SME’s is even going to get even more better and coherent. It used to be there was a small, you know, there was a small race between the agencies who could get out the authoritative advice the fastest. I think, you know, I think CERT was probably the fastest.
Paul Spain:
But of course I would tend to encourage people to be signed up, not just for ones from New Zealand. Right. Because, you know, and that, and that must keep you on your, on your toes as well. You know, there are obviously other governments doing, you know, doing, you know, somewhat similar work and I’m sure interactions sort of going on there, you know, there’s, there’s not really too much downside to having that extra visibility unless, you know, unless folks are getting to a point where there’s too much noise, obviously there’s a, there’s a balance on that. But yeah, I would say, you know, for myself, I’m certainly watching not just what’s coming through from New Zealand too. Right.
Tom Roberts:
Well, and that’s the thing because like most of our, most of our infrastructure and sort of cyber sort of activity is offshore. Microsoft products, Apple products, Amazon, these big brands, Google, Microsoft. Not to leave anyone out, of course, and not to say that anyone has hire issues, but signing up to them is really good. Our partners are fantastic. They always love having a Kiwi in the room and they always love having a Kiwi to chat with. And I think having their advice come through has been really good as well.
Paul Spain:
And yeah, look, for anyone who’s not getting your alerts, they pretty much just jump straight to the CERTNZ website. And you can sign up right there to be getting your email alerts, right?
Tom Roberts:
Yeah, absolutely. And you’re not going to get spammed. I will emphasise that the things that we put out are exceptionally New Zealand relevant. Like we have a high degree of confidence that it is in New Zealand or the vulnerability, whatever it is. The issue that we’re alluding on is in New Zealand that it’s going to have high impact because, you know, like, you sort of get notifications from your favorite apps. You don’t want to be being spammed every day. Please, please take action. Police take action.
Tom Roberts:
Because, you know, people, people stop paying attention.
Paul Spain:
And of course, the nature of alerts is if, let’s say there’s a particular firewall vendor that’s been hit with a major vulnerability and there’s a need to give people an alert on that or a nudge. Of course, that’s not necessarily always relevant to everyone, but the fact that there’s not loads and loads of these things coming through, I think it does seem to work out of, you know, pretty well. And, yeah, when it gets to that level where, you know, it’s considered appropriate to let people know, then it’s usually pretty important at that stage.
Tom Roberts:
Yeah. Like if we. That’s not saying we don’t look at a lot. If there was something that we’re like, oh, this is, you know, primarily targeting, you know, a big name business, we’ll reach out to them directly. Or even if we just know that, you know, this is a sector that might particularly be vulnerable, we’ll just either reach out directly or through our social media channels. It’s an avenue, but yeah, we do reach out, pick up the phone. I think most people will enjoy a phone call, actually. I saw a survey that’s come out, though.
Tom Roberts:
Was it on Reddit that the newer generations don’t necessarily like having a phone call, so maybe we flick them a text first before we give him a call. But, yeah, that information certainly does get popped out.
Paul Spain:
Yeah. Yeah. Now, is there anything people should be aware of that’s kind of coming up? Anything new before we sort of jump into the sort of current threat landscape?
Tom Roberts:
Yeah, I suppose the only major. I love the current threat landscape. Well, I don’t love it, but it’s fun to talk about that. The cyber Smart week is happening on the 21st of the 27 October. It’s been getting bigger and bigger every year and it’s a fantastic vehicle to hopefully shift the needle on people’s cybersecurity behavior. And so if you’re a business and individual. Just keep an eye out for it. Yeah, we’re hoping that this year’s gonna be even bigger than last.
Tom Roberts:
Last year we had record participation covering millions of people, our overseas partners, who are like, you know, good job, Kiwis. So, yeah, keep an eye out for that. So, yeah, 2020 first to the 27th, I think, of October. Yes. Cyber landscape, though. Cyber threat, landscape getting complex. I tell you what, you must be seeing quite a bit.
Paul Spain:
Yeah, look, there’s a lot of activity going on. Look, I think it depends where you sit, what you see, and which is, I think, probably why listeners are really interested in particularly hearing from you, Tom, because you’ll get a visibility that is quite unique. And I guess when I look at the work that I’m involved in with my team at guerrilla technology, we’re spending, you know, all our effort is largely around making sure that our clients are never on, never on the receiving end. But of course, the reality is there are always people on the receiving end. And I guess learning about and hearing about what those sort of situations are helps folks like us and others around the country to make sure that their efforts are going in the right sort of areas.
Tom Roberts:
Yeah, I think being able to sort of increase the conversation around the whole thing is really important as well. And I said it in the top, but that’s why I think we’re going to have a benefit of merging the agencies or now that we are merged. It used to be that the threat was overseas and a million miles away, but now it’s sitting in your pocket. And so the threat landscape should really be viewed from that. It should be viewed from what’s the most accessible vector for a adversary, big or small, to be able to get information or resource from you, your company or your family. And that’s quite a heavy thought, not to sort of scare everyone, but genuinely what we’re seeing now is a lot of complexity. Threats making their way to New Zealand, spearfishing, living off the land, devices, botnets, all these sorts of things are becoming increasingly common in New Zealand. And that’s just coming from security researchers coming to us and saying, hey, this is what we’ve found and things.
Tom Roberts:
And then the reports coming through, fishing, a different sort of fishing, which is people getting a paypal sort of, or a payment type fish. And then about two days later, someone will call up pretending to be from, you know, your favourite bank and then say, hey, we’re from such and such security team. We know that you’ve just been fished. We’re here to help. Which is exceptionally dangerous and it’s taking a lot of money out of the pockets of hard working kiwis and out of our economy. There’s also ransomware, data breaches. They seem to be the big ones. Individuals don’t need to necessarily be concerned about data breaches unless they’ve been confirmed in one.
Tom Roberts:
Yeah, it’s really complex. It’s getting exceptionally complex. It is slightly worrying. Fortunately, we do have the smartest people in the world on the job and we’ve got fantastic people like yourself, Paul, and a lot of the other security companies that are engaged in the ecosystem, engaged in the industry, saying, hey, this is what we’re seeing and it’s for the betterment of all of us. And, yeah, so I suppose that’s sort of a top line about the security threat landscape.
Paul Spain:
Yeah, yeah, that’s helpful. And, yeah, you talked around the living off the land attacks. You know, what can you. What can you share with us on those and what you’re actually. What you’re actually seeing out there?
Tom Roberts:
Yeah, I think that the best reference that I happily point anyone to is a product we co sealed. I forget when it was. Sorry, but published by CISA in the US, and they did a fantastic report about living off the land devices. And essentially vulnerabilities will be exploited. You won’t know that the adversary or actor or whatever has access into your network or access into wherever they want to be. And then they’ve just sort of sit there, which is scary. You won’t see any literal movement so much. You know, logs.
Tom Roberts:
People almost always take their logs out more than they do their recycling, unfortunately. But, you know, you won’t see much. And then sometime there will be a sort of an action, whatever it is. It could be. It could be a data leak, it could be ransomware, it could be anything. And then I. You’re sort of scratching your head, wondering where it came from. And then that take, you know, as part of the incident response cycle, makes it a bit harder to respond because how can you contain something if you don’t know how it got in? And, you know, essentially you’re looking at quite costly rebuilds and, you know, and all these.
Tom Roberts:
All these sort of other remediations that you then have to take, take action on. I think an individual, you know, sitting on the couch or, you know, going to play sport for the weekend, whatever it is, doesn’t necessarily need to worry about living off the land devices or living off the land intrusions. But certainly our businesses should be acutely aware of this. It’s trends we’re seeing overseas and certainly New Zealand, as I said earlier, it used to be that we were separated by seas, but now they’re in our pocket. That should be. Businesses need to be aware of this and sort of ready to combat this.
Paul Spain:
Yeah. I mean, anything you can share in terms of, you know, how long these adversaries are kind of, you know, sitting there before, before actions are taken, that’s.
Tom Roberts:
You know, that, that’s quite hard to pinpoint. And to be honest, it depends on what the, you know, the adversary is wanting to do and, you know, whether that be a crime syndicate or whoever, it really is up to them, unfortunately. I mean, if you’re tracking logs and you’re doing log analysis, easier to find. Not foolproof, but certainly easier to find. Yes, that’s a great question, though. Yeah.
Paul Spain:
So there’s obviously, there’s always a bunch of challenges out there for organizations and individuals to be thinking about and to be aware of. And you’ve talked to some of those. Is there anything that’s sort of more unique or different that’s going on in New Zealand at the moment, maybe compared to where we were in the past or even compared to kind of other countries that stand out or even more broadly across, sort of across the Pacific that is particularly different? Or are we seeing that what’s happening in New Zealand? Zealand is very similar to what’s happening in the rest of the world?
Tom Roberts:
That’s a really fantastic question. The New Zealand sort of cyber ecosystem is quite small compared to other nations. And then you look across the Pacific as well, and that’s even smaller. And so, generally speaking, there’s a few percentage points here, a few percentage points there. We’re very much in that sort of global sort of wave, what we see happening in Australia, much like everything else, it seems a few months later you’ll start seeing a small spot in New Zealand, typically caveat. Caveat. Caveat. And likewise, what happens in New Zealand and then a few months later sort of happens in the Pacific as well.
Paul Spain:
Yeah. Because one thing weve talked about in the past is the sort of the big budgets that government are pouring into in other markets, particularly Australia, compared to New Zealand. And, yeah, it does seem as though Australia is a bigger target than New Zealand on some of these things. And, yeah, in terms of exactly why that is and so on, I guess you could go in and kind of debate it, but there does seem to be this reality that we kind of, everybody kind of is susceptible to similar things, but there are also some differences with a smaller market like New Zealand, that, as you said, sort of we see some trends happening in Australia, then New Zealand will usually follow in terms of the targeting and then maybe pacific islands after that. Is there sort of something genuinely sort of different just to do with the scale and political things that you see? Maybe Australia gets targeted sort of slightly differently or slightly ahead of New Zealand.
Tom Roberts:
I’d say the veracity over in Australia is a lot higher. I’d say in New Zealand, our economy is built on small median enterprise, a lot higher. Proportionately so in that respect, the target of actors can be slightly different. We’ve got a bit more of a spread out economy and, you know, in terms of, like, just geographically and, you know, we’re not so concentrated in our cities. So that means that, you know, the vectors might be slightly different. New Zealand does typically, you know, sort podcasts with Dan from Cyber CX and, you know, he’s been spot on. New Zealand is a trusting society. So you find that, you know, we’re more susceptible for those sort of social engineering type and style of attacks, especially the one that I sort of mentioned earlier.
Paul Spain:
When someone gets you on the phone, it kind of all just seems so, so real and people seem easily able to be taken. Taken for a bit of a ride in those situations.
Tom Roberts:
Yeah. How horrible is that? As well, you know, exploiting Kiwi’s trust. Exploiting trust. It’s a foundational tenant which I think, you know, New Zealand has to be proud of. And, you know, it’s a great thing that Kiwis are trustworthy and to see that people are willing to do that is certainly not great. And then say likewise for our Pacific whnau as well. Similar. Similar sort of thing.
Tom Roberts:
Very trusting. Very like, you know, in government and institutions, it typically is, you know, ranked a wee bit higher than what our brothers across the ditch are sort of up to. But, yeah, you raise a really good point there. And so that is where we should be a wee bit more alert at the sort of lower level stuff because it’s an easier vector. And, you know, with australian companies and stuff like that, they can usually package stuff up really nicely. So if you’re signing on to a massive company that’s servicing a couple of big multinationals, several thousand small businesses, the cybersecurity offerings there might be a wee bit more complete, whereas here, the cybersecurity offerings, you might have to shop around a wee bit to get similar or comparable. Sorry, not comparable, but similar scale.
Paul Spain:
Yeah, it’s quite, I think, a challenge for New Zealand that you have so many smaller organizations. And, you know, when you look at it, usually culture needs to come from the top. Right? And so you’ve got a small business and you’ve got a business owner, managing director, leadership team. They’ve got so many things to be thinking about. And, you know, cyber isn’t necessarily the top of the list, especially in the current economy where, you know, it’s just trying to work out well how we’re going to pay the bills this month and, and so on, you know, and, yeah, there’s obviously, you know, some challenges there in the current sort of situation with, with some folks getting, getting laid off and so on. So, you know, where cyber security comes, you know, comes through is often maybe further down the list than, you know, what, what those of us who are, you know, living and breathing this stuff every day would, you know, would like to think that it should be any, you know, any thoughts on how we can do better on that.
Tom Roberts:
You know, if you’re employing 20 people, the biggest thing that you all sort of concerned about is are they going to get paid? You know, are we able to support those families? Are we, you know, these people, you know, some will have mortgages, you know, there’s rent power, you know, and also the fact that we need to be more agile. We need a, you know, turbulent economic times. We need to be innovating faster, we need to be getting more revenue through so we can pay our employees. CERTainly spoken to small business owners who are terrified of things. And then there’s the cyber security, you know, so look, absolutely understand, I’d love to say it’s the number one priority or it should be the number one priority, but that’s just, that’s just nothing. Reality. So, you know, we’ve tried to take that mindset here at certain NCSE, and so, you know, making cybersecurity easy is paramount to what we’re doing. Low cost solutions.
Tom Roberts:
So if it’s, I suppose if there’s a listener out there that’s like, I’m concerned about cybersecurity. I don’t want to spend a huge amount of money. You know, there’s small things that you can do. Culture, like you alluded to before, Paul, from the top leadership around cyber security, culture is really important. When you’re a kid, you were told, don’t take lollies from a person in a van. Now we have to change that messaging and wee bit, don’t click on a link from someone that said that your postal delivery isn’t there, changing how we’re phrasing stuff changing our lessons that we’re imparting to our employees. Small things, two fa, may be expensive, two factor authentication on things, but at least, you know, to mitigate the biggest threats, certainly on your accounts where money’s transferred, even some old fashioned, you know, I look back to my old days in electronic warfare and we had a passphrase that meant something only to us. So if something was to be transferred or if someone’s approaching in the dark and you didn’t know who they were, you’d say a passphrase and only you knew it.
Tom Roberts:
That’s a cyber security measure that any business can do if they think that something’s going on. But yeah, no, you’re right. I think picking the low hanging fruit is still picking fruit and so encouraging people to pick low hanging fruit, change up people’s passwords regularly. It would be different for different sectors and, you know, obviously different. We recommend it like twelve monthly or unless it’s, unless if you’re like in one of those sort of high risk areas, administrators and stuff like that should at least, at least be, you know, twelve monthly. But yeah, no simple small stuff. Pick the low hanging fruit. Pick the low hanging fruit, especially the ones that’s reaching across from, you know, you’re walking along the footpath and there’s some low hanging fruit and you’re like, that nectarine looks good, pick that one because someone’s done the hard work growing it and we’ve done the hard work growing it.
Tom Roberts:
So feel free to come by and pick our sort of fruit. As bad of an analogy as that is.
Paul Spain:
Yeah. And, you know, yeah. So for folks that are involved, you know, managing, running, you know, the technology and organizations, you know, there’ll be things you’re aware of but it’s good just to go and do a refresh. And so that’s under critical controls on the, on the CERTenz website and, yeah, just, just a good reminder to go and have a look at those, those things. And look, no organization is going to be perfect on, you know, on, on every metric. I was chatting with someone reasonably sort of senior within, you know, one of the, one of the big hyper scale sort of cloud providers and technology, you know, companies, you know, few days ago and, you know, we’re just chatting through these things are reality. It doesn’t matter how big your budgets are and so on, you know, there’s always things to learn and there’s always, you know, improvements that can be, that can be made and, you know, we all just need to be heading in the right direction on these things. And, yeah, if you’ve got some really big gaps, then get onto it.
Paul Spain:
Get onto it, you know, quick. And of course, it’s, it’s, it’s not just the sort of financial aspect. It’s always a balance of ease of use and convenience for your users versus sort of security. And of course, if you, you know, you push too hard in different areas, then you’re going to get pushback from folks and it’s kind of knowing what are the things that you accept to push back on and what are the things you say, well, no, this is the basics. Right. And that critical controls list is, you know, is a good example of that, where we talk about things like multi factor authentication, you know, password managers and the like, it’s, you know, those things, you know, not everyone necessarily wants to do them, but you kind of have to go down that, go down that track.
Tom Roberts:
Especially any person that’s done sort of. Cyber security will appreciate. Getting people to use security once it’s been embedded is hard. It’s way harder to get people to use stuff than it is putting it on the system. You say you need to use a password manager. Most people won’t use it except until after they’ve had an incident. We’ve done some research and we’ve found that when people have had an incident, typically they’re a lot more compliant. Making it real for staff as well is a huge one.
Tom Roberts:
You can run exercises. I’m a huge fan of exercises. It’s even a small one. I think I saw one where I think it was either Massey or Auckland University sent out phishing, the classic. Sending out a phishing email and seeing who clicks on it. Other workplaces through that as well. That’s a good test, especially because it’s controlled environments and, you know, there’s no sort of. You’ve got the data rights and all that sort of stuff, so.
Paul Spain:
Yeah, yeah, you just have to get it right when you do that. There was one organization that the test they were sending out told staff that they were all getting a bonus and just to click through to get the info. And of course, it didn’t go down very well when staff found out this was just a phishing fishing test. And we’re just, you know, just checking how. Where you are and no, you’re not getting the bonus that was mentioned in the email. So, you know, there’s always some lessons.
Tom Roberts:
Maybe your morning tea in seven. Actually, we’ve had quite a few of them because we’ve got the fishing disruption service, which is our fantastic, you know, which is our service where we get a ton of indicators of fishing, indicators of compromise. Last year, in the last financial year. This is hot news because we haven’t published it yet. But 55,000 indicators we processed last year and that could be malicious ones or non malicious, like just the totals back to 5000. Either way, it’s a high confidence fee. We get a bunch of those sort of fake phishing emails come through and it’s funny to see the ones that you’re like, oh, no, I’d actually probably, I’d click on that. It was that believable, some of them.
Tom Roberts:
So, I mean, it’s stuff like that. It’s really good to do for your stuff. Probably not the pay rise. Probably not the pay rise.
Paul Spain:
Yeah. All right. We’ll remember that. Everyone listening, pick what you’re going to send out your phishing tests with. And yeah, if it’s too good to be true, make sure you’re not sending it representing your organization.
Tom Roberts:
You won’t get any phishing emails from sir, you know, pretending or sending them out testing you. I promise you that. So because we’ve had a case recently and we’ve put it up on our website where people were being called. People were some, somewhere people were spoofing to be searched in Z, calling people, trying to get them to download malware or ransomware, you know, that basically coerced into a site where that’s possible. Absolutely nasty. Absolutely nasty. So, yeah, just, yeah, for your audience as well. We won’t do that sort of thing.
Paul Spain:
But, yeah, I’m sure there will still be some work going to make it look as though they’re certain. Now, the Pacific islands, I’ve sort of seen some of the social media posts and different bits and pieces that that’s highlighted a connection between certain z and some of the Pacific islands. And this seems to me like a great initiative to be working together. Just in the same way, I’m sure that there’s varying collaborations with the larger countries that CERT and NCSe do. What can you share with us about that?
Tom Roberts:
Yeah, this is something that I’m incredibly proud that CERT does. I think it’s so easy to say Pacific. The family, the whnaU, we’re in this boat together. We’re actually doing stuff about it. We’re really trying to raise Pacific resilience. And not only that is the information is two ways usually, or, you know, traditionally the approaches. But I think Frank, I was listening to Frank Bonirama, I think, when he came to Victoria University the International Institute of International affairs or something like that gets politicians in and speak. And he said, you know, we’re with this.
Tom Roberts:
We’re doing this together and not specifically about cyber, but foreign affairs. He spoke to that. We’re doing this together and that’s the approach that Cers is doing in the Pacific and it’s something that as a nation we should be exceptionally proud of. We’re learning about new ways that they’ve seen that we can talk to business, talk to individuals, secure our critical infrastructure, secure our sort of economic wellbeing. I mean, likewise, we’ve got a bit more scale. We can say, hey, this is probably the most efficient way that you want to respond to incidents. This is what you should be focusing on in terms of your industry areas, et cetera, et cetera. Our Pacific team’s fantastic and a lot of engagement and it’s two ways as well, which is unique.
Tom Roberts:
It’s a New Zealand way of doing things and I think we should be exceptionally proud of the work there, especially around when it comes to events coming up in the Pacific and things like that. That’s sort of where we get a bit more tempo going on because, you know, a win for the Pacific is a win for New Zealand and I hope, hope it’s likewise back. A win for New Zealand is a win for the Pacific, certainly as we innovate our technologies and things like that, too. No, it’s a great call. I’m glad that you saw the socials, glad that you saw.
Paul Spain:
Yeah, and look interesting to recognize even sort of, I’m not saying New Zealand versus Australia and the UK and so on, but there’s that element where sometimes as smaller entities, we can be a little bit more agile than bigger ones. And I saw that in the Pacific. I was looking up CERT Tonga launched July 2016. CERTNZ didn’t actually come online until the following year. So I just, you know, I just had to call that out because that’s, you know, that’s really awesome. And it, you know, just speaks to that opportunity, you know, that’s there. You know, as smaller nations, you know, sometimes we can, we can innovate and be ahead of the crowd. New Zealand’s, you know, done the.
Paul Spain:
Done, I guess done that, you know, versus say, or comparing with Australia and aerospace with, you know, what we’ve been doing with sort of launching rockets from New Zealand. And look, I think if we can be ahead of other parts of the world from a cyber perspective and we can lead the way here in New Zealand, across the Pacific, then hey, that’s got to be good for everyone.
Tom Roberts:
I’ll tell you what. And every time we sort of meet with the Tongans, it does come up and a friend and a friendly banter way as only family can do. And, yeah, and the approach that we take here, New Zealand Inc. To use that sort of government bureaucratic terminology, New Zealand Inc. Is people to people, you know, Hitangita, that’s exceptionally important. And I think that’s how we get by. And certainly, like, the team go over to whatever Pacific partner and yeah, sure, there’s a lot of focus around the tech and the cyber and stuff like that, but ultimately it’s a person at the end of the keyboard or it’s a person sort of at the end of the mouse. So I think that’s where we’ve had a lot of fantastic gains and we trust them so much and, yeah, and hopefully, hopefully we can have more wins together.
Tom Roberts:
And certainly the lead cybersecurity agency allows us to do more of those good ones now that we’ve got the resources and our team has sort of got rocket fuel ready to go. So that’s good.
Paul Spain:
What can you share around the way that you collaborate with through global connections and so on? Is there anything sort of public that you can, you can say without giving away too much?
Tom Roberts:
Yeah, yeah, absolutely. So, look, we’ve got tons and tons of different networks. First is a fantastic network that we’re a part of. And so through sort of partner forums like that, through the IPEC, through Paxon, there’s a bunch of just different ones. Paxon specifically related to the Pacific. And then there’s our european partners and certs in Europe, south american. It really is. We get to leverage our Kiwi, we can do attitude and then basically follow the sun model of threats.
Tom Roberts:
Fantastic for New Zealand. The fact that we can actually do that, that partners are so willing to share their learnings, their failings. You really know what someone’s worth when they’re openly willing to share their failings with you. And don’t get me wrong, it’s not this company or whatever did really badly here, or we’re sorry, but it’s never a blame game or anything like that. But it is like, hey, this is the lessons that we’ve learned and that’s done at all level, at all different levels. You’ve obviously got some of the bigger national security ones, but then you’ve also got the ones that are purely just focused around cyber security and mutual defence and mutual strength and mutual resilience. Pacs on is a fantastic one for us in that space. You’ve got all sorts of partners in there.
Tom Roberts:
That’s a really, like, that’s a melting pot of fantastic cyber security for Pacific.
Paul Spain:
Brilliant. Now, before we, before we finish up, you know, you’ve given a fair bit of advice, sort of, you know, during the episode, is there any sort of, you know, closing advice that you’d like to share, you know, with the New Zealand tech podcast audience and I guess, you know, by extension, sort of to, you know, to others around the country and, you know, I know often sort of advice that comes through to our listeners then, you know, then spreads out whether that’s within, you know, amongst, you know, family and friends or, or whether that’s, you know, across a wide range of, of organizations, you know, commercial entities and government entities and so on. You know, any, any closing things to.
Tom Roberts:
And I have to be brief because I could talk about this ours, but look, I think, I think people really, it needs to really sink in. It really needs to sink in. Our adversaries used to be oceans away and now they’re in our pocket. That really needs to sink in. And by identifying the threat by, you know, acknowledging that there is a, it’s a big, big threat in various forms across economy, across our cybersecurity ecosystem, we really just need to acknowledge that actually we have stuff worth protecting and we need to be protecting it. So for businesses, logs. Absolutely. Keep your logs.
Tom Roberts:
Extend it out, put it on a hug, whatever it is. Keep your logs and do your backups regularly. Keep him separated. If an incident does happen, that will be the thing. That will be the thing. I think there was a case to use, an example from BP where they had some server, I forgot exactly what it was, but they had some server that was isolated at the time of a massive attack across BP. They flew somewhere down into the middle of Africa and picked it up and they were able to reboot their entire network. We’re kicking the actor off and all that sort of thing.
Tom Roberts:
I can’t emphasise that enough. For businesses, large or small, it’s a quick and easy win. It’s low hanging fruit and it will protect you or help you recover from adversaries or threats in general. For the home user, think before you click. Real low level. But most of the time we’re seeing things through social engineering sort of avenues, whether that’s fishing, spear phishing, you know, ultimately it requires some user interaction to click. It’s, you know, for Joe blogs, it’s not often that someone’s breaking through into their devices, it’s that they have to click on something or there has to be some engagement. So, yeah, just really emphasize that, you know, you know, it’s not oceans of weights in your pocket and doing stuff to help protect you.
Tom Roberts:
Just small bits, just small every. It’s like sort of brushing your teeth. If you brush your teeth every night and every morning, eventually you build up enough defence. Cyber security is very much the same thing. And I suppose lastly would be sort of like my last meal here before, you know, going to the gallows. But report and people are. What would I report? We can’t inform decision makers off no information. And decision makers and policy makers need evidence base to make decisions and to help the New Zealand cybersecurity ecosystem.
Tom Roberts:
So however you want to through to certain Z or NCSE or, you know, whatever a new lead cybersecurity agency looks like, I’d highly recommend that everyone just reports can be after the fact can be say, hey, I was hit with a. You know, it just could be an email to our info at CErt inbox, you know, hey, I’ve been hit with something. That’s fine. It’s adding to the chorus of voices to help amplify that cyber security is important. So, yeah, a few things, a few key takeaways.
Paul Spain:
Yeah, that’s really good. And I think the reporting one is important because, yeah, the numbers, often you kind of look at them at a national level, you think, oh, this is quite low, that the chance of being hit must be pretty low. But I think that’s because we don’t see the reality. It’s the iceberg type thing. There’s a little bit that’s visible through the current reporting, but there’s a lot more that we don’t necessarily hear about that’s helpful. And I guess whenever I read those numbers, I always think, okay, well, it’s way more than that, but it’s good that we’re getting some. That we’re getting some visibility through the reportings.
Tom Roberts:
It’s like most people would have had a New Zealand post text, no doubt, in the last few days. So, you know, and it wasn’t from New Zealand Post. Yeah, New Zealand posts are fantastic and help. They’re doing a lot in the space as well. They are doing a lot to help influence the spike. But, you know, that was a big thing that has gone out recently. Last year was immigration. People calling out, pretending to be immigration and then people getting fished.
Tom Roberts:
But we report smaller numbers. But you’re absolutely right.
Paul Spain:
Yeah. Well, thanks very much, Tom. Great to have you on the New Zealand Tech Podcast. Of course, a big thank you to our show partners as well. Gorrilla technology, HP, Spark, 2degrees and One NZ. And, you know, we’ll really be interested in keeping in touch and, you know, and hearing in the future, but, yeah, great to tap in and, you know, to hear a bunch of insights today, Tom. So, yeah, thank you for your time and all the great work that the National Cybersecurity center and CERTNZ do for us. And, you know, long, long may New Zealand, you know, stay.
Paul Spain:
Stay strong or keep increasing our strength when it comes, you know, being protected cyber wise and. Yeah, but we appreciate the work that you do on that front.
Tom Roberts:
Thanks, boy. Yeah. And thanks to your listeners as well that it’s an important part of our cyber resilience. Exceptionally important part. So thanks to both yourself for raising awareness and to your listeners as well as being part of that ecosystem for New Zealand’s defence.
Paul Spain:
Good stuff.