Local councils see value in initial Cyber Risk Assessment and ongoing Managed Risk Services
In 2022, Connect NZ offered local councils across Aotearoa New Zealand a free one hour assessment of their cyber risk posture – an assessment of their current cyber risks and recommendations for what risk controls they need to have in place. Councils who took up the offer included Grey District Council, Rangitīkei District Council and Hurunui, Kaikoura and Mackenzie District Councils. Cyber risk is an area in which many New Zealand organisations, such as local councils, can have little specialist expertise or known gaps they need to address.
Connect NZ delivers cyber security consultancy and solutions that align with today’s agile threat landscape, using purpose-built analysis and end-to-end cyber risk management software provided by Spotica.
Working with interested local councils, Connect NZ, together with their purpose-built analysis software, Spotica, produced a detailed assessment and high-level recommendations to help these organisations better understand their cyber risk exposure.
The one hour cyber risk assessment outlined:
- Current technology assets, threats and controls an organisation has in place,
- A security profile or ‘risk posture’ that will detail the coverage you have in place and where your key exposures are,
- A Cyber Vitality Report to help key decision makers in the business create a robust cyber risk plan for the future,
- The Cyber Vitality Report generates a list of business threats and actions to mitigate those threats.
More comprehensive assessments were also available, aligned to NZ Government standards and expectations of local councils. A comprehensive assessment can identify necessary controls, give a more comprehensive risk posture, and document how this can be translated into a Risk Register. It can also prioritise threats and risks, auto-generate policies, and ensure risk controls are implemented.
A comprehensive cyber risk assessment allowed participating local councils to make informed decisions about technology investment, prioritisation of risk management, and development of policies to roll out risk controls.
The comprehensive cyber risk assessment included:
- Complete assessment of assets, threats and controls,
- Performed ‘what-if’ risk analysis,
- Configured policies,
- Detailed security posture,
- Created a Cyber Vitality Report,
- Confirmed risk posture,
- Created a risk register,
- Developed policies to enforce controls.
Connect NZ offers two options for organisations to take this next step of cyber risk management.
- Self-service – Connect NZ shows organisations how to use the digital aid so they can assess themselves and generate policies and risk controls as an organisation.
- Managed Services – Connect NZ specialists guide your team to use the tool, and support you to manage risks on a regular basis through a planned programme of work.
All three local councils in this case study chose to work closely with the Connect NZ team, and opted for the Managed Services approach.
Why choose a Managed Services approach to deliver Cyber Risk Management?
There are many reasons why an organisation may opt for a Managed Services approach to tackle an issue like Cyber Risk Management. Some of the feedback we received from the local councils we worked with included:
- Small team and limited resources,
- No dedicated Technology Security Specialist in-house,
- Enjoy working with a dedicated specialist, which gives guidance and structure when rolling out a cyber risk management plan,
- Allows organisations to prioritise the work to get done by having an external resource leading this important programme of work,
- Very quickly got good value from the Managed Services approach,
- Knowing you’re spending money on the right risk priorities,
- Reassurance that the Spotica platform aligns with ISO 27001,
- Cyber Security Insurance relies on alignment with ISO 27001, so it is important to have coverage over cyber risk breaches.
The Connect NZ Platform aligns with well-known security frameworks such as NZISM, the ISO 27000 series, Data Privacy (ISO 27701), NIST, COBIT and CIS Top 20. This Platform aligns with the best-of-breed framework recommended by INFO-TECH.
Local councils saw enormous value in the one hour cyber risk assessment, particularly:
- Quick, painless process,
- Ability to focus on the cyber risk aspects that matter,
- Even when an initial risk score was high, the assessment detail provided a deep dive into the controls being used and the gaps the council had,
- Gave a good understanding of the current security risk posture, especially in the Microsoft 365 space,
- Gave a good understanding of the path to decrease the risk portfolio – a useful launching pad into the future,
- The review went deep enough to see future opportunity for risk management,
- Building a new digital strategy was a good time to identify the next steps the organisation needed to take,
- The ability to generate documentation, which can be an area where local councils are light.