GCSB posts advice on ICT supply chain risks


Advice comes in wake of high profile attacks on the Reserve Bank of NZ and the New Zealand Stock Exchange

Lisa Fong (National Cyber Security Centre)


The Government Communications Security Bureau’s National Cyber Security Centre (NCSC) has released guidance to help executives and cyber security professionals manage ICT supply chain security risks.

NCSC director Lisa Fong said a recent spate of high-profile cyber security incidents reinforced the importance of managing cyber security across the supply chain.

“Supply chain vulnerabilities are amongst the most significant cyber threats facing organisations today,” Fong said.

“Major incidents like last year’s global distributed denial of service (DDoS) campaign which significantly impacted a range of New Zealand organisations, and the compromise of file transfer software used by the Reserve Bank, reinforce the critical importance of supply chain cyber security,” she said.

The Reserve Bank of New Zealand lost confidential data as the result of a global attack on a legacy version of Accellion's file sharing software over the Christmas period. A KPMG report on the incident is expected imminently.

The NCSC’s new resource, "Supply Chain Cyber Security: In Safe Hands", is the third release in a guidance series based on analysis of 250 New Zealand organisations’ cyber security resilience. 

Previous releases focused on improving incident management and cyber security governance.

Fong said cyber security threats target organisations’ most vulnerable points.

“As organisations strengthen their own cyber security, their exposure to cyber threats in the supply chain increasingly becomes their weakest point.

“Digital interaction with supply chain elements can occur across many aspects of an organisation’s operation, not just the IT or procurement teams. 

"For example, a marketing department might use a third-party service to store a customer information database in the cloud."

The guidance outlines three phases in establishing an effective capability to manage supply chain cyber risk and improve organisational cyber resilience: identify, assess and manage.

The first is to identify who the critical suppliers are and understand which key assets and services are most vulnerable to threats in your supply chain.

Then assess vulnerabilities in the supply chain and allocate resources to increase the cyber security resilience of critical areas. 

Finally, manage supply chain risk through a programme of monitoring, cyber security performance assessment, and integration of supply chain risk into organisational risk management frameworks. 

The guidance, described as an introduction to the issue, is designed for both government and non-government organisations of varying sizes and capabilities. 

“We hope organisations will use this as a resource to support the conversation between practitioners and leaderships to better identify and manage supply chain cyber security risk,” Fong said.
