A cyber security expert is concerned New Zealand is woefully unprepared for a national cyber emergency,
The most recent National Cyber Security Centre report, for the first quarter of the year, highlighted that there were three incidents likely to impact key sensitive date or disrupt essential services in organisations of national significance.
In May, the Privacy Commissioner found that Health New Zealand and patient portal Manage My Health "failed in their responsibilities" to have adequate security controls when hundreds of thousands of medical files were stolen in a cyber attack.
Described as one of the country's biggest cybersecurity incidents, the hack obtained access to sensitive health data held by privately owned patient portal Manage My Health in December last year.
In February, another privately owned patient portal, MediMap, also identified unauthorised activity.
While in March, private healthcare provider IntraCare, which specialises in "image-guided precision medical diagnostics and interventions", had been hit by a similar breach.
Prior to these, New Zealand had not been affected by major attack (C2) on the National Cyber Security Centre's scale for more than four years.
Aura Information Security general manager Patrick Sharp told Nine to Noon there were six categories on the scale.
These range from a C6, or a minor incident, to a C1, or a national cyber emergency. A C1 is an incident causing severe disruption to a core New Zealand service, and/or affecting key sensitive data, "undermining the economic or democratic stability of New Zealand".
While a C2, or a highly significant incident, was a known or likely impact affecting key sensitive data or disruption of essential New Zealand services in organisations of national significance or the government.
Sharp said he was "very nervous, constantly nervous" about the possibility of a C1.
"We spend a lot of time thinking about how to avoid that sort of incident."
He added New Zealand was not ready for a national cyber emergency.
"I think that an impact like that would have an extraordinary impact on New Zealand.
"I mean, that is why it is the highest category, right?"
Sharp said the incidents in the first quarter of the year were the first since May 2021.
"That was the Waikato DHB breach, which some people called the worst incident in New Zealand history, so it is unusual to see that many."
He urged other businesses to learn from these, particularly following a report by the Privacy Commission and the Ministry of Health.
"They provide an extensive review of what's happened, what's gone wrong, and the lessons that we can learn."
Sharp said most businesses struggled with governance, especially when it came to making an informed decision about cyber security.
He said multi-factor authentication, in particular, was still missing in many.
While some people were also not setting it up or using weak passwords.
"We were doing some penetration testing, some ethical hacking on a business just the other day, and we found they had a whole lot of passwords, which are pretty much password 1, 2, 3."
Sharp said a survey by Kordia, which owned Aura Information Security, found only half of boards had discussed cyber security.
"It makes a huge difference when the directors are actually talking about security," he said.
"Of our survey, which is businesses over 50 seats, 50 percent of them haven't practised their incident response plans.
"I can assure you if they haven't practised that plan, they are not ready for a major incident."



