I’ve dealt with some very serious and expensive incidents during my career, but nothing affected me as personally as a two-hour phone call I had the week CERT NZ launched.
Someone’s business had gone under due to a weak password set by their service provider. Attackers were able to easily access the server to steal credit cards - it ended up destroying their business, and it cost the person their home.
This $400,000 incident made it clear to me that as a Computer Emergency Response Team (CERT) we need to put people at the centre of everything we do.
A CERT for all New Zealanders
In 2016, the New Zealand government established a cyber security unit to coordinate incidents and assist businesses and people to prepare for and protect against cyber attacks.
This would be a “CERT for all” organisation – one of the first in the world.
It was becoming clear that while most defensive efforts were being focused on Government systems and critical national infrastructure, cyber security was a whole-of-economy problem – and New Zealand was going to be one of the first countries in the world to have a CERT that provided support to everyone, including the public and businesses.
Many thought this was a tall order. The idea of diagnosing people’s cyber security issues over the phone was unfathomable. As a technologist with years of incident response experience, even I thought it couldn’t be done.
Putting people first in incident response
The biggest success of CERT NZ has been to break away from the techno speak and take the time to communicate in a way that is meaningful to the people who need help.
A huge part of this was understanding people’s emotional journeys. By having an insight into how people feel you can provide reassurance and support accordingly. An insight we learnt was that once someone knows what their problem is called, half of the battle is won. They can then take the necessary steps to mitigate it. Even if the situation isn’t great, there’s no uncertainty anymore. This can be empowering.
This knowledge helped us to develop our online reporting tool and library of content on our website. The aim is to help people identify their problem, and therefore create a kind of pre-triage process.
No shame in falling foul of a cyber security incident
A key phrase that’s stuck with me from dealing with people’s cyber security issues is: “I am afraid that I’ve done something wrong.” There is so much victim blaming in the InfoSec culture, and it’s so unhelpful. The view of a lot of people is that the way to solve the cyber security problem is for everyone to become a cyber security expert.
Placing people at the centre turns this on its head. I'm firmly of the view that a system is not fit-for-purpose if it doesn’t protect the person using it from reasonable risks.
Starting a global trend
Many countries have now followed suit by providing cyber security support to at least small business users, and many have programmes for individuals.
Working with the team to establish and run CERT NZ has been an enormous privilege, but the journey at CERT NZ isn’t over. The team is constantly developing, learning how to better support those who come to them for help, and raising awareness generally about the importance of good cyber security practice.
Having more national CERT-type organisations around the globe is great as they, alongside the wider InfoSec community, help us and the rest of the world better understand and stay resilient to cyber security threats.
CERT NZ is a key component of New Zealand’s Cyber Security Strategy, and we will continue to build upon the solid foundation Declan created, by striving to deliver our vision of a confident and secure digital New Zealand. We thank Declan for all his hard work over the past four years and we wish him well for the future.