What if your biggest supplier suffered a data breach tomorrow? Under new rules emerging across the Tasman, that could become your legal problem too. The landscape of cyber risk is shifting from being just an IT issue to a core boardroom responsibility. A prime example is Australia's recently announced 2023-2030 Cyber Security Strategy, which has led to proposed new laws that will significantly change how businesses manage their cyber risks.
While this is happening across the Tasman, the principles and direction are a clear signal for what’s to come in our interconnected world. We thought it’d be helpful to break down what it means and how it resonates here in New Zealand.
What’s the Buzz About Australia’s New Cyber Strategy?
The strategy's goal is to boost Australia's national cyber resilience. It has led to proposed legislation, like the Cyber Security Legislation Amendment Bill 2024, which introduces some key requirements for businesses.
Prompt Ransomware Reporting
A major proposal is mandatory reporting for businesses that choose to pay a ransom. This initiative aims to gather more comprehensive national-level data on threats, enabling a clearer and faster understanding of the criminal activity targeting businesses.
Strengthening Security Foundations
The strategy reinforces the need for robust security controls across networks and cloud environments. This brings foundational practices like multi-factor authentication (MFA), regular vulnerability checks, and strong data encryption into sharper focus.
Securing the 'Things': IoT Security Matters
Every connected device on your network—from security cameras and smart sensors to printers—is a potential backdoor for attackers. The new strategy emphasises that these Internet of Things (IoT) devices need regular updates and patches. It’s a small act of hygiene that closes off often-forgotten entry points.
Your Security is a Team Sport: Third-Party Accountability
Your security is only as strong as your weakest link, and often, that link is an external supplier. The strategy makes it clear that if you use external IT providers or other key vendors, you are also responsible for their security posture. It's about extending your security mindset beyond your own four walls.
Transparent Cyber Incident Reporting
There is a continued push for major cyber incidents to be reported to a national body. The goal is a coordinated national response, which helps keep everyone safer by sharing information about active threats.
What does this mean for New Zealand businesses?
While New Zealand does not have an identical set of proposed laws, we should pay close attention. In our highly connected world, cyber threats don't respect borders, and the principles of good cyber hygiene are universal.
These changes align closely with the responsibilities New Zealand businesses already have under our own Privacy Act 2020. A cyber incident that exposes personal information is a privacy breach, and mandatory reporting is already a reality here.
Ultimately, Australia's strategy is a clear signal of the direction regulation is heading, and these developments may help define a 'new standard of reasonable care' when considering whether a business took appropriate steps to protect its data. Adopting these principles now isn't just about pre-emptive compliance; it's about building a more resilient and trustworthy business. The guidance from CERT NZ, such as their Critical Controls, provides a fantastic, locally focused resource for practical steps to bolster your defences.
Questions to ask your team this week
Thinking about these trends is a good start, but action is better. Here are three non-technical questions to discuss with your leadership or IT team this week:
Ransomware: "If we were hit by a major ransomware attack tomorrow, what is our official policy on paying a ransom, and who has the authority to make that final call?"
Third-Parties: "Who are our three most critical suppliers, and what level of assurance do we have about their cybersecurity practices?"
Incident Response: "Do we have a simple, one-page plan for the first 24 hours of a major cyber incident that everyone on the leadership team has a copy of?"
How Dynamo6 can help
At Dynamo6, good security is built on clarity and practical steps, not complexity. Our approach begins with gaining a clear and honest understanding of your current security posture. Our IT Environment Security Review is designed for exactly that. It’s not an audit that just gives you a long list of problems; it’s a strategic assessment that delivers a prioritised, actionable roadmap.
This roadmap helps you strengthen your foundations in a logical way, implementing the robust controls needed to protect your network, cloud environments, and devices. It also ensures you have a solid incident response plan in place, so if the worst happens, you’re prepared to act decisively.
In short, we help you translate the principles from strategies like Australia's into a practical reality for your business.