IT Brief New Zealand logo
Technology news for New Zealand's largest enterprises
Story image

Police IT disaster recovery a 'very high risk area', audit reveals

Police computer systems have been ill-prepared to cope with a disaster like a major hack.

This has been at the same time they have been pushing for more powers to gather people's data to keep in the systems.

An audit shows police did not know how much data they could afford to lose if their IT systems were hit. Read the first two pages of the audit here.

They needed a "disaster recovery" strategy to gauge "the acceptable amount of data loss NZ Police can handle after a disruption has occurred", the audit said.

The 2019 audit identified a raft of deficiencies.

It found they had not done an assessment of the major threats to their cyber resilience.

There had been "insufficient investment" in cyber resilience for years, and confusion between two teams over who was in charge of IT disaster recovery.

Police say they have been addressing these gaps - this was "in flight", they said.

'Very high risk'

The ransomware attack that crippled Waikato District Health Board has prompted questions about the public sector's ability to defend public data from online criminals.

Police held back from RNZ all but the first two pages of the 2019 audit by consultant KPMG of its information communication technology (ICT) resilience.

Police had mentioned to MPs about this audit in its latest annual review, prompting RNZ to ask for it.

Police said releasing more pages might dissuade staff from providing free and frank opinions in future; and that the first two pages fairly reflect what was in the rest of it.

The two pages show police regarded IT business continuity and disaster recovery as a "very high risk" area.

But KPMG concluded police were largely relying on staff to cope with disruptions.

Staff had proved capable and experienced so far, but this could not make up for the lack of:

  • Plans for backup and "failover" in a disaster
  • Recovery strategies
  • A business continuity plan
  • An assurance plan to test IT vendors and partners are up to scratch
  • Regular disaster recovery testing

An overall framework for addressing cyber resilience requirements was also missing.

"Without a framework there is a high likelihood that key business processes may have ICT requirements that are not clearly understood or planned for in a disruption," the report warned.

RNZ asked for details of which of these gaps have been fixed since 2019.

Police have not provided any, instead saying some had been fixed, while others had now been included in its Cyber Security Resilience Programme or CRSP that was aiming to come up with an operating model.

'Significant uplift'

Other documents paint a very mixed picture.

Police's own annual assessment of how they keep people's personal information secure says in 2016 police controls were at the second-lowest rung, and now are close to the second highest rung on a five-rung quality ladder.

At the same time, it says that all personal information is "robustly secured both physically and technically".

It shows they are updating how they handle data breaches to match privacy law changes last year.

2020 internal review says police are within reach of a big step up in data quality, helped by "reviews of problematic business and ICT processes".

But a 2020 internal review of intelligence capability says information handling "requires significant uplift", yet is hampered by the need for annual bids for enough funding just to keep the fragmented storage and other systems maintained.

At the same time there is this push for greater powers to gather data, worldwide and in this country.

A separate OIA response shows police expect to develop policies to give them more access to evidence held anywhere in the world online.

In the late 2020 briefing to the police minister, police said: "There are important cyber policy gaps that need to be addressed".

It shows police were working on a deal with Europol - the European Union's law enforcement agency - to share data more easily.

They also aim to boost data sharing within this country with the likes of Immigration, Internal Affairs that runs passports, and the Waka Kotahi, the Transport Agency that runs driver licensing.

Immigration has its own information-gathering powers, but some are secret. For instance, it is understood to use a social media scanning tool from Cobwebs Technologies, a firm set up by ex-Israeli Defence Force tech experts.

Immigration has refused to release to RNZ any business case or privacy impact assessment it has had done on the Cobwebs tool, arguing this was "likely to prejudice the maintenance of the law".

RNZ asked for details of what cyber policies are being developed to fill the "gaps", but police have not provided this.

Instead, in a statement it said: "The cyber security environment is constantly changing, and changes significantly over time.

"Our Cyber Security and Resilience Programme addresses the rate of change to the global internet environment, in terms of keeping police systems safe."

Management and governance included frequent auditing and reviewing of plans and capability, "and enhancing our response and recovery to cyber events", they said.

Under the OIA, police totally withheld an assurance review into its use of contractors and consultants.

RNZ logo
This story was originally published on and is republished with permission.
Related stories
Top stories
Story image
Managed service provider
Barracuda MSP Day 2022 highlights MSP opportunities
Barracuda Networks has released a report showing global services-related MSP revenue is set to increase by more than a third in 2022 compared to 2021.
Story image
Sysdig unveils new Kubernetes troubleshooting and cloud innovations
Sysdig has introduced two new innovations that look to help bolster cloud services and simplify Kubernetes troubleshooting.
Story image
Aligned Data Centers increases sustainability-linked loan
Aligned Data Centers has increased its sustainability-linked loan from $375 million to $1.75 billion to speed up the next phase of its strategic growth.
Story image
GapMaps Live to improve brand decisions on physical locations
GapMaps has released its latest service GapMaps Live, giving more insights and features to help brands make better decisions about physical locations.
Story image
Women in Technology
Huawei webinar emphasises the importance of women in tech
Industry findings by Coursera discussed as part of a webinar jointly organised by Huawei and Reuters Events found 6% more women enrolled in tech courses this year than in 2021.
Story image
Qualys updates Cloud Platform solution with rapid remediation
The new update is designed to enable organisations to fix asset misconfigurations, patch OS and third-party applications, and deploy custom software.
Story image
Tech job moves - Forcepoint, Malwarebytes, SolarWinds & VMware
We round up all job appointments from May 13-20, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
New vulnerabilities found in Nuspire’s Q1 2022 Threat Report
“Threat actors are quickly adjusting their tactics and these exploits tend to get industry attention, but the threat posed by older and attacks still persists."
Story image
Vectra AI
Understanding the weight on security leader’s shoulders, and how to shift it
Millions of dollars of government funding and internal budgets are being funnelled into cybersecurity to build resilience against sophisticated threats, indicating how serious this issue has become.
Story image
Artificial Intelligence
Frost & Sullivan recognises Genesys as leader in new reports
Frost & Sullivan has recognised Genesys as a leader in the cloud contact centre market for its robust cloud and digital capabilities.
Story image
Amazon Web Services / AWS
RedShield leverages AWS to scale cybersecurity services
"Working with AWS gives RedShield the ability to mitigate significant application layer DDoS attacks, helping leaders adopt best practices and security architectures."
Story image
Silver Peak
The path to an adaptive, modern network
Managing and securing the network looks different than it did just two years ago—especially given that most of these networks are made up of multi-generations of infrastructure stitched together over time.
Story image
Nutanix study reveals financial services sector lagging with multicloud adoption
Nutanix has released new research that reveals the financial services sector is lagging behind when it comes to multicloud adoption.
Find out how a behavioural analytics-driven approach can transform security operations with the new Exabeam commissioned Forrester study.
Link image
Story image
Sift shares crucial advice for preventing serious ATO breaches
Are you or your business struggling with Account Takeover Fraud (ATO)? One of the latest ebooks from Sift can provide readers with the tools and expertise to help launch them into the new era of account security.
Story image
Digital Transformation
The Huawei APAC conference kicks off with digital transformation
More than 1500 people from across APAC have gathered for the Huawei APAC Digital Innovation Congress to explore the future of digital innovation.
Story image
Comcast to use ThreatQuotient for cybersecurity operations
Comcast, the parent company of NBC Universal and SKY Group, has chosen ThreatQ Platform and ThreatQ Investigations to meet their cybersecurity needs.
Story image
Digital Marketing
Similarweb acquires SEO and rank tracking company Rank Ranger
Digital intelligence company Similarweb, which specialises in analysing web traffic, has acquired Rank Ranger, a market leader in SEO and rank tracking.
Story image
Vodafone NZ buys remaining stake in retail joint venture
Vodafone New Zealand has purchased the remaining 50% stake in the specialist joint venture (JV) with private equity company Millennium Corp.
Story image
New Relic
New Relic launches vulnerability management platform
New Relic has introduced New Relic Vulnerability Management to help organisations find and address security risks faster and with greater precision.
Story image
SPS network now available to CrescoData eCommerce customers
CrescoData, a Pitney Bowes Company and PaaS business in the commerce space, says its customers can now connect to the SPS Commerce Retail Network.
Story image
Cybersecurity prompts upgrade for 1.3 billion electricity meters
ABI Research finds Advanced Metering Infrastructure (AMI) and cybersecurity concerns are prompting the upgrade of 1.3 billion electricity meters by 2027.
Story image
Digital Transformation
Pluralsight and Ingram Micro Cloud team up on cloud initiative
Pluralsight has teamed with Ingram Micro Cloud to build upon cloud competence and maturity internally, and externally support partners’ capabilities.
Story image
APAC organisations fail to disclose ransomware breaches
85% of organisations in APAC were breached by ransomware at least once in the past five years, but only 28% publicly disclosed the incident.
Story image
Supply chain
Jetstack promotes better security with supply chain toolkit
The web-based resource is designed to help organisations evaluate and plan the crucial steps they need to establish effective software supply chain security.
Story image
Vectra AI
Vectra’s inaugural Partner of the Year Awards revealed
APAC companies Baidam, Firmus, ShellSoft and Macnica have been recognised in Vectra AI's inaugural Partner of the Year Awards.
Story image
Trojan cyber attacks hitting SMBs harder than ever - Kaspersky
In 2022 the number of Trojan-PSW detections increased by almost a quarter compared to the same period in 2021 to reach 4,003,323.
Story image
Data backup plans inadequate, data still at risk - study
The Apricorn 2022 Global IT Security Survey revealed that while the majority organisations have data backup plans in place, data for many are at risk.
Story image
Digital Marketing
Getty Images delves into the world of NFTs with Candy Digital
Getty Images and Candy Digital, the next-generation digital collectible company, have announced a new multi-year partnership agreement.
Story image
Equinix announces milestones on sustainability commitments
Equinix has released its 2021 Sustainability Report which outlines progress, innovation and accomplishments on key ESG commitments.
Story image
Cloud Security
Aqua Security createa unified scanner for cloud native security
“By integrating more cloud native scanning targets into Trivy, such as Kubernetes, we are simplifying cloud native security."
Threat actors are exploiting weaknesses in interconnected IT/OT ecosystems. Darktrace illuminates your entire business and takes targeted action to stop emerging attacks.
Link image
Story image
New Relic enters multi-year partnership with Microsoft Azure
New Relic has announced a strategic partnership with Microsoft to help enterprises accelerate cloud migration and multi-cloud initiatives. 
Story image
A10 Networks finds over 15 million DDoS weapons in 2021
A10 Networks notes that in the 2H 2021 reporting period, its security research team tracked more than 15.4 million Distributed Denial-of-Service (DDoS) weapons.
Story image
Rubrik Security Cloud marks 'next frontier' in cybersecurity
"The next frontier in cybersecurity pairs the investments in infrastructure security with data security giving companies security from the point of data."
Booster Innovation Fund. A fund of Kiwi ingenuity – for Kiwi investors.
Link image
Story image
Fastly acquires Glitch, enables faster developer innovation
"This acquisition brings together two of the worlds best ecosystems for application development into a single, seamless developer experience."
Story image
i-PRO releases smallest AI-based surveillance camera on the market
The new i-PRO mini network camera is now available, with a pocket-sized form factor and full AI analytics functionality.
Story image
Customer experience
Gartner recognises Okta for abilities in Access Management
Okta has announced it has been recognised as a Customers' Choice for the fourth time in a row in the Gartner Peer Insights "Voice of the Customer" report.
Story image
Data Protection
Barracuda launches new capabilities for API Protection
"Every business needs this type of critical protection against API vulnerabilities and automated bot attacks," Barracuda says.
Story image
Manhattan Associates
Shortening the click-to-customer cycle through smart technologies
Speed of delivery without accuracy is a dealbreaker for consumers. How can retailers operating in an omnichannel environment overcome the challenge of click-to-customer cycle times.
Story image
Cyber attacks
Devastating cyber attacks expected to hit energy sector
Energy executives anticipate life, property, and environment-compromising cyber attacks on the sector within the next two years.
Story image
Digital Signage
MAXHUB's Digital Signage range to bolster boardroom productivity
The new MAXHUB Digital Signage technology is purpose-built to make every kind of team meeting more effective.
Story image
Data Center
Preventing downtime costs and damage with Distributed Infrastructure Management
Distributed Infrastructure Management (DIM) can often be a lifeline for many enterprises that work with highly critical ICT infrastructure and power sources.