@CraginS @JKWiniger Thanks for the responses: Well one of the big Four, has supposedly carried out over 183 organisations (remember 10% are larger than 250 users, and other 90% have less than 250 users or even one man and his dog. The type of tests conducted Physical Penetration Tests, Penetration Tests (ethical), vulnerability scanning, phishing tests, security awareness - social engineering tests, both physical and via communications i.e. telephone, e-mail and social media. This includes Government Agencies, commercial entities etc. The usual never patch systems syndrome exists and the typical Kiwi attitude of stick one's head in the sand is prevalent along with the words "It hasn't happened yet".
https://en.wikipedia.org/wiki/It_Hasn%27t_Happened_Yet
So Phishing is deemed to be the highest factor within the nation at present. Ransomware is definitely prevalent, and the Inland Revenue have proven via Bitcoin chasing and tracking, that some organisations are paying directly and using Cyber insurance has the backstop. Inland Revenue, or the Tax Office have a valid reason, to see who is paying the Internet tax or not etc.
There are relevant laws in place, Crimes Act, Harmful Digital Communications Act, and the Privacy Act is being revised to make it GDPR aligned. Interception of Telecommunications for ISPs etc.
Current state, is no one actually has to report an incident, unless the Privacy Commissioner gets wind of it, and goes public. Great drive towards Digital Identity, and recently adopted W3C WebAuthn as the preferred authentication approach.
Technology is the main focus, People, and Processes - is left far behind.
Hope this provides a better background?
Regards
Caute_cautim
