Building the ‘Bob Semple Cyber Tank’ – NZ SME Security
Group outputs from Wednesday 24th October 2018
“instead of sitting down and moaning we felt we ought to do something to
manufacture weapons that would help to defend our country and our people…
That tank was an honest-to-God effort to do something with the material at
our disposal when raiders were at our back door”
Bob Semple, Minister of Public Works, WWII
Summary
New Zealand is a country of small businesses. 97% of enterprises – almost half a
million according to MBIE data - have fewer than 20 employees but contribute more
than a quarter of the country’s GDP.
Almost a quarter of New Zealand small businesses have been hit by cyber crime
according to Symantec’s latest SMB Cyber Security Survey with the average financial
loss sitting at $16,000.
Many of these small businesses will be operating on the proverbial “smell of an oily
rag” with cyber security far down the list of priorities for owners focused on keeping
the lights on and the cash flowing.
It’s in this environment that many small businesses will find themselves operating
below the ‘security poverty line’, the point below which a company cannot effectively
protect itself from cyber security threats.
Many small companies believe that IT security is too expensive and that they lack the
knowledge on how to combat common cyber threats. At the October (ISC)² Auckland
Chapter event, 25 individuals took part in group exercises designed to identify
pragmatic security investments that offer the ‘most bang for the buck’.
Activity 1: Identify your preferred cyber security investments for a
typical NZ SME
Attendees split into four groups (Green, Blue, Gold and Red) and were presented with
example cyber security guidance targeted at small businesses including:
• CERT-NZ’s Ten Critical Controls 2018
https://www.cert.govt.nz/assets/Uploads/documents/CERT-NZ-Critical-Controls-2018.pdf
• CIS Controls Implementation Guide for Small- and Medium-Sized Enterprises (SMEs)
https://www.cisecurity.org/wp-content/uploads/2017/09/CIS-Controls-Guide-for-SMEs.pdf
• The ASD/ACSC Essential Eight
https://acsc.gov.au/publications/protect/Essential_Eight_Explained.pdf
• NCSC-UK’s Small Business Guide
https://www.ncsc.gov.uk/smallbusiness
• Global Cyber Alliance Solutions (DMARC, Quad9, McScrapy)
https://www.globalcyberalliance.org/what-we-do/
Other material also made available included the Cyber Essentials Scheme Questionnaire and NIST’s Small Business Information
Security: The Fundamentals
Activity 1:
The four groups selected the following prioritised controls. Consistent choices
across all four groups were an emphasis on:
• Backing up data and testing recovery
• Implementing DNS and email security through Quad9 and DMARC
• Multi-Factor Authentication
• Focusing on credential management and enforcing least privilege
• Three groups identified Security Awareness Training and Endpoint/Malware Protection
Green Team | Blue Team | Gold Team | Red Team
MFA | Web + Email Security (Quad9) | Data Protection (CIS 13) | DMARC + Quad9
Backup & Testing Backups | Password Management & MFA | Data Recovery Capability (CIS 10) | Password Management
Patching | Patching | Continuous Vulnerability Mgmt (CIS 4) | Backup Data/Test Data
Malware Protection | Backups | Enforce Least Privilege | Malware Protection
Upgrade Legacy Systems | Application Software Security | Security Awareness Training (CIS 17) | Awareness Training
Quad9 | Endpoint Protection (AV, FW, etc.) | Default Credentials | Keeping your smartphone safe
DMARC | Least Privilege | MFA | Change default credentials
Cyber Insurance Boundary Defence MFA
Training & Awareness Endpoint Protection
DMARC
Activity 2: Identify your preferred cyber security investments for the
following real world small business scenario
‘Greenfields’ 5 person tech start-up - $5K budget for security, cloud focus
This tech start-up is using mostly IaaS, PaaS, and SaaS services from the cloud - Salesforce,
Office 365, website builder software and mostly open source software (and some licensed
software), using online libraries for publishing and releasing code, working on app
development for health service providers.
They have a remote presence in the cloud with AWS: remote management, running of
servers and processes, etc. All of them have laptops, primarily Macs. There are no policies;
less time to market is always better for them. The workforce is agile and everybody does everything.
They are based in Auckland, have a growing customer base in NZ and in Australia and are
thinking of talking to customers in the US and Europe in the near future by hiring a sales
and marketing person.
The 3 founders say that, since they are a technology company, they don’t need IT support;
they get what they need for IT and they get it fast. The website is hosted by the start-up itself.
Activity 2:
The four groups selected the following prioritised controls. Consistent choices
across the groups were an emphasis on:
• Implementing DNS and email security through Quad9 and DMARC (4 groups)
• Multi-Factor Authentication and VPN security for network mobility (3 groups)
• Endpoint Protection (2 groups)
Green Team - Case Study 1 | Blue Team - Case Study 1 | Gold Team - Case Study 1 | Red Team - Case Study 1
MFA + Cloud | Secure App Development | MFA | MFA/ VPN
Free Security Add-on | Data Security | VPN | Backups
Quad9 | Training | Endpoint Protection | DMARC
DMARC | Free Tools | Quad9 | Encryption
Insurance | Risk Assessment | DMARC | Endpoint Protection
Firewall/Compliance Blade
Activity 3: Identify your preferred cyber security investments
for the following real world small business scenario
15 person SME, no budget allocated for security but could be up to $10K if made
aware and pushed hard – threats are BEC, ransomware, etc.
This well-known company is based in Auckland and has a list of almost static
customers throughout NZ.
It runs most of its IT services from in-house servers. Customised ERP software
(9 years old) with a few updates, running SQL Server 2008.
They have been hit by ransomware twice and have had some teething IT issues, but they had
cyber-insurance, so the CEO is not very concerned. There are no full-time IT staff. Most of the
employees have laptops/desktops with some form of anti-virus software, fibre
as the means to connect, and phones with email.
Not many of the staff like to put passwords on their phones and they tend to use
easy passwords on their laptops as well. Very cost-conscious and not IT savvy.
Activity 3:
The four groups selected the following prioritised controls. Consistent choices
across the groups were an emphasis on:
• Implementing DNS and email security through Quad9 and DMARC (4 groups)
• Endpoint Protection (4 groups)
• Security Awareness Training (3 groups)
Green Team - Case Study 2 | Blue Team - Case Study 2 | Gold Team - Case Study 2 | Red Team - Case Study 2
Quad9 & DMARC | Web & Email Security | Boundary Defence | Awareness
Endpoint Protection | Endpoint Protection | DMARC | Ring fence legacy systems
Backups | Boundary Security | Access Control - least privilege | Move to cloud if can't ring fence
MFA/Office365 | Training | Endpoint Protection | DMARC & Quad9
Free Security Awareness Training | Vuln + Risk Management | Disable Unused services | Endpoint protection
More Insurance (high premium) Data Protection
Conclusion
Common cyber security threats: ransomware, intellectual property theft (internal and external),
Business Email Compromise, phishing and malware infections.
The following inputs from the participants ran consistently through this session:
• Identify valuable data, back it up and test your ability to recover and restore.
• Defend against common attack vectors by implementing DNS and email security through the
free Quad9 and DMARC tools.
• Phishing and credential harvesting are the most common cyber security incidents recorded in
New Zealand. To defend against these threats, use Multi-Factor Authentication where you
can, secure passwords in a vault and apply least privilege to prevent escalation and traversal
through your business.
• Invest in modern endpoint protection software that provides anti-malware capabilities,
phishing prevention and firewall capabilities.
• Develop a security culture: boost your ‘human firewall’ by offering security awareness
training tailored to staff.
Conclusion
We suggest a customised scalable solution for tackling common cyber security threats like
ransomware, intellectual property theft (internal and external), Business Email Compromise,
phishing and malware infections:
• Back up offsite daily (preferably in the cloud) – use inexpensive solutions like Microsoft OneDrive
or Google Drive. For iPhones and Macs, use iCloud. Be ready.
• Implement DNS and email security through the free Quad9 and DMARC tools. Be
defensive.
• Use Multi-Factor Authentication where you can, secure passwords in inexpensive (but
secure) mobile password vaults like LastPass or Dashlane. Be safe.
• Invest in modern endpoint protection software that provides anti-malware, phishing
prevention, DLP and firewall capabilities. Be cautious.
• Use free training/planning tools from ConnectSmart, Cybrary or the Federal Communications
Commission. Be aware.
If New Zealand business owners are seeking pragmatic and cost effective guidance focused on
protecting their digital assets, they could review the outcomes of this ISC2 Auckland Chapter
session for practical guidance.

More Related Content

What's hot

Building Cyber Resilience in the Digital Economy
Building Cyber Resilience in the Digital EconomyBuilding Cyber Resilience in the Digital Economy
Building Cyber Resilience in the Digital EconomyAgus Wicaksono
 
Combating cyber crimes chinatu
Combating cyber crimes chinatuCombating cyber crimes chinatu
Combating cyber crimes chinatuChinatu Uzuegbu
 
Cyber resilience itsm academy_april2015
Cyber resilience itsm academy_april2015Cyber resilience itsm academy_april2015
Cyber resilience itsm academy_april2015ITSM Academy, Inc.
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceDarren Argyle
 
Cybersecurity: Protection strategies from Cisco and Next Dimension
Cybersecurity: Protection strategies from Cisco and Next DimensionCybersecurity: Protection strategies from Cisco and Next Dimension
Cybersecurity: Protection strategies from Cisco and Next DimensionNext Dimension Inc.
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimesChinatu Uzuegbu
 
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...BCM Institute
 
Virtual Bridge Sessions: The National Cyber Security Centre at Your Service
Virtual Bridge Sessions: The National Cyber Security Centre at Your ServiceVirtual Bridge Sessions: The National Cyber Security Centre at Your Service
Virtual Bridge Sessions: The National Cyber Security Centre at Your ServiceCollege Development Network
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWithum
 
Need for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionNeed for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionWilliam McBorrough
 
Creating cyber forensic readiness in your organisation
Creating cyber forensic readiness in your organisationCreating cyber forensic readiness in your organisation
Creating cyber forensic readiness in your organisationJacqueline Fick
 
Aprio cybersecurity and board information
Aprio cybersecurity and board informationAprio cybersecurity and board information
Aprio cybersecurity and board informationAprio
 
Cybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial InstitutionsCybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial InstitutionsSarah Cirelli
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
 
Understanding Identity Management and Security.
Understanding Identity Management and Security.Understanding Identity Management and Security.
Understanding Identity Management and Security.Chinatu Uzuegbu
 
Impressions from Caribbean ICT Stakeholder Meeting, CyberSecurity
Impressions from Caribbean ICT Stakeholder Meeting, CyberSecurityImpressions from Caribbean ICT Stakeholder Meeting, CyberSecurity
Impressions from Caribbean ICT Stakeholder Meeting, CyberSecurityShiva Bissessar
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...PECB
 

What's hot (20)

Building Cyber Resilience in the Digital Economy
Building Cyber Resilience in the Digital EconomyBuilding Cyber Resilience in the Digital Economy
Building Cyber Resilience in the Digital Economy
 
Combating cyber crimes chinatu
Combating cyber crimes chinatuCombating cyber crimes chinatu
Combating cyber crimes chinatu
 
Cyber resilience itsm academy_april2015
Cyber resilience itsm academy_april2015Cyber resilience itsm academy_april2015
Cyber resilience itsm academy_april2015
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
 
Cybersecurity: Protection strategies from Cisco and Next Dimension
Cybersecurity: Protection strategies from Cisco and Next DimensionCybersecurity: Protection strategies from Cisco and Next Dimension
Cybersecurity: Protection strategies from Cisco and Next Dimension
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimes
 
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
 
Virtual Bridge Sessions: The National Cyber Security Centre at Your Service
Virtual Bridge Sessions: The National Cyber Security Centre at Your ServiceVirtual Bridge Sessions: The National Cyber Security Centre at Your Service
Virtual Bridge Sessions: The National Cyber Security Centre at Your Service
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the Trenches
 
Need for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionNeed for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure Protection
 
Creating cyber forensic readiness in your organisation
Creating cyber forensic readiness in your organisationCreating cyber forensic readiness in your organisation
Creating cyber forensic readiness in your organisation
 
Aprio cybersecurity and board information
Aprio cybersecurity and board informationAprio cybersecurity and board information
Aprio cybersecurity and board information
 
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
 
Banks and cybersecurity v2
Banks and cybersecurity v2Banks and cybersecurity v2
Banks and cybersecurity v2
 
Cybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial InstitutionsCybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial Institutions
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
 
Understanding Identity Management and Security.
Understanding Identity Management and Security.Understanding Identity Management and Security.
Understanding Identity Management and Security.
 
Impressions from Caribbean ICT Stakeholder Meeting, CyberSecurity
Impressions from Caribbean ICT Stakeholder Meeting, CyberSecurityImpressions from Caribbean ICT Stakeholder Meeting, CyberSecurity
Impressions from Caribbean ICT Stakeholder Meeting, CyberSecurity
 
CERT Certification
CERT CertificationCERT Certification
CERT Certification
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
 

Similar to Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank'

Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)OnRamp
 
Drivelock modern approach of it security & amp; encryption solution -whitep...
Drivelock   modern approach of it security & amp; encryption solution -whitep...Drivelock   modern approach of it security & amp; encryption solution -whitep...
Drivelock modern approach of it security & amp; encryption solution -whitep...Arbp Worldwide
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxmccormicknadine86
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxsleeperharwell
 
NCSC_A5_Small_Business_Guide_v4_OCT20.pdf
NCSC_A5_Small_Business_Guide_v4_OCT20.pdfNCSC_A5_Small_Business_Guide_v4_OCT20.pdf
NCSC_A5_Small_Business_Guide_v4_OCT20.pdfPolicypros.co.uk
 
Avoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security ThreatsAvoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security ThreatsJumpCloud
 
dataProtection_p3.ppt
dataProtection_p3.pptdataProtection_p3.ppt
dataProtection_p3.pptssusera76ea9
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)Norm Barber
 
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]Tudor Damian
 
Keeping your business safe online cosy club
Keeping your business safe online cosy clubKeeping your business safe online cosy club
Keeping your business safe online cosy clubGet up to Speed
 
Data Storage Issues in Cloud Computing
Data Storage Issues in Cloud ComputingData Storage Issues in Cloud Computing
Data Storage Issues in Cloud Computingijtsrd
 
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONSIMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONSPreetiDevidas
 
FinTech Belgium – Fintech Belgium MeetUp on Cybersecurity – F.Lecocq – Digitr...
FinTech Belgium – Fintech Belgium MeetUp on Cybersecurity – F.Lecocq – Digitr...FinTech Belgium – Fintech Belgium MeetUp on Cybersecurity – F.Lecocq – Digitr...
FinTech Belgium – Fintech Belgium MeetUp on Cybersecurity – F.Lecocq – Digitr...FinTech Belgium
 
Sleeping well with cloud services
Sleeping well with cloud servicesSleeping well with cloud services
Sleeping well with cloud servicesComarch_Services
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'aFahmi Albaheth
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuNixu Corporation
 

Similar to Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank' (20)

Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)
 
Drivelock modern approach of it security & amp; encryption solution -whitep...
Drivelock   modern approach of it security & amp; encryption solution -whitep...Drivelock   modern approach of it security & amp; encryption solution -whitep...
Drivelock modern approach of it security & amp; encryption solution -whitep...
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
 
NCSC_A5_Small_Business_Guide_v4_OCT20.pdf
NCSC_A5_Small_Business_Guide_v4_OCT20.pdfNCSC_A5_Small_Business_Guide_v4_OCT20.pdf
NCSC_A5_Small_Business_Guide_v4_OCT20.pdf
 
Avoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security ThreatsAvoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security Threats
 
Safeguard Your Business
Safeguard Your BusinessSafeguard Your Business
Safeguard Your Business
 
dataProtection_p3.ppt
dataProtection_p3.pptdataProtection_p3.ppt
dataProtection_p3.ppt
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
bishu pdf1
bishu pdf1bishu pdf1
bishu pdf1
 
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
 
Keeping your business safe online cosy club
Keeping your business safe online cosy clubKeeping your business safe online cosy club
Keeping your business safe online cosy club
 
Data Storage Issues in Cloud Computing
Data Storage Issues in Cloud ComputingData Storage Issues in Cloud Computing
Data Storage Issues in Cloud Computing
 
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONSIMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
IMPACT OF REMOTE WORK:NEW THREATS AND SOLUTIONS
 
FinTech Belgium – Fintech Belgium MeetUp on Cybersecurity – F.Lecocq – Digitr...
FinTech Belgium – Fintech Belgium MeetUp on Cybersecurity – F.Lecocq – Digitr...FinTech Belgium – Fintech Belgium MeetUp on Cybersecurity – F.Lecocq – Digitr...
FinTech Belgium – Fintech Belgium MeetUp on Cybersecurity – F.Lecocq – Digitr...
 
Sleeping well with cloud services
Sleeping well with cloud servicesSleeping well with cloud services
Sleeping well with cloud services
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
 
295256_Security_Problem_Whitepaper.Web
295256_Security_Problem_Whitepaper.Web295256_Security_Problem_Whitepaper.Web
295256_Security_Problem_Whitepaper.Web
 

Recently uploaded

EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE  THE FUTURE OF WORK FOR FUTURE OF BUSINESSESEXPERIENCE  THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSESMotiveflikr Media
 
Supply Chain Location Decision and Management
Supply Chain Location Decision and ManagementSupply Chain Location Decision and Management
Supply Chain Location Decision and Managementirahtarando
 
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDCCARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDCFikrie Omar
 
PEARL KITCHEN SINKS(R.A ENGINEERING INDUSTRIES
PEARL KITCHEN SINKS(R.A ENGINEERING INDUSTRIESPEARL KITCHEN SINKS(R.A ENGINEERING INDUSTRIES
PEARL KITCHEN SINKS(R.A ENGINEERING INDUSTRIESpearlint172
 
How Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptxHow Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptxDiversity In Toys
 
How to structure your pitch - B4i template
How to structure your pitch - B4i templateHow to structure your pitch - B4i template
How to structure your pitch - B4i templateFerruccio Martinelli
 
MARKETING PLAN RESMI TDC IMUNO INDONESIA 2024
MARKETING PLAN RESMI TDC IMUNO INDONESIA 2024MARKETING PLAN RESMI TDC IMUNO INDONESIA 2024
MARKETING PLAN RESMI TDC IMUNO INDONESIA 2024Fikrie Omar
 
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfEnabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfSmartinfologiks
 
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...ZurliaSoop
 
Amethyst Benifits and Healing Properties.pdf
Amethyst Benifits and Healing Properties.pdfAmethyst Benifits and Healing Properties.pdf
Amethyst Benifits and Healing Properties.pdfHimalya Quartz
 
Expanding Horizons: Hiring Remote Employees across State Lines
Expanding Horizons: Hiring Remote Employees across State LinesExpanding Horizons: Hiring Remote Employees across State Lines
Expanding Horizons: Hiring Remote Employees across State Linesaryashreyasi27
 
Embracing the Virtual Workforce: Remote Companies Hiring Now
Embracing the Virtual Workforce: Remote Companies Hiring NowEmbracing the Virtual Workforce: Remote Companies Hiring Now
Embracing the Virtual Workforce: Remote Companies Hiring Nowaryashreyasi27
 

Recently uploaded (12)

EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE  THE FUTURE OF WORK FOR FUTURE OF BUSINESSESEXPERIENCE  THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
EXPERIENCE THE FUTURE OF WORK FOR FUTURE OF BUSINESSES
 
Supply Chain Location Decision and Management
Supply Chain Location Decision and ManagementSupply Chain Location Decision and Management
Supply Chain Location Decision and Management
 
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDCCARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
CARA BINA PENDAPATAN PASIF HARIAN RM9000 BERMODALKAN RM30 DI TDC
 
PEARL KITCHEN SINKS(R.A ENGINEERING INDUSTRIES
PEARL KITCHEN SINKS(R.A ENGINEERING INDUSTRIESPEARL KITCHEN SINKS(R.A ENGINEERING INDUSTRIES
PEARL KITCHEN SINKS(R.A ENGINEERING INDUSTRIES
 
How Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptxHow Multicultural Toys Helps in Child Development.pptx
How Multicultural Toys Helps in Child Development.pptx
 
How to structure your pitch - B4i template
How to structure your pitch - B4i templateHow to structure your pitch - B4i template
How to structure your pitch - B4i template
 
MARKETING PLAN RESMI TDC IMUNO INDONESIA 2024
MARKETING PLAN RESMI TDC IMUNO INDONESIA 2024MARKETING PLAN RESMI TDC IMUNO INDONESIA 2024
MARKETING PLAN RESMI TDC IMUNO INDONESIA 2024
 
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdfEnabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
Enabling Business Users to Interpret Data Through Self-Service Analytics (2).pdf
 
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
Jual Obat Aborsi Bojonegoro ( Asli No.1 ) 085657271886 Obat Penggugur Kandung...
 
Amethyst Benifits and Healing Properties.pdf
Amethyst Benifits and Healing Properties.pdfAmethyst Benifits and Healing Properties.pdf
Amethyst Benifits and Healing Properties.pdf
 
Expanding Horizons: Hiring Remote Employees across State Lines
Expanding Horizons: Hiring Remote Employees across State LinesExpanding Horizons: Hiring Remote Employees across State Lines
Expanding Horizons: Hiring Remote Employees across State Lines
 
Embracing the Virtual Workforce: Remote Companies Hiring Now
Embracing the Virtual Workforce: Remote Companies Hiring NowEmbracing the Virtual Workforce: Remote Companies Hiring Now
Embracing the Virtual Workforce: Remote Companies Hiring Now
 

Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank'

  • 1. Building the ‘Bob Semple Cyber Tank’ – NZ SME Security Group outputs from Wednesday 24th October 2018
  • 2. “instead of sitting down and moaning we felt we ought to do something to manufacture weapons that would help to defend our country and our people… That tank was an honest-to-God effort to do something with the material at our disposal when raider were at our back door” Bob Semple, Minister of Public Works, WWII
  • 3. Summary New Zealand is a country of small businesses. 97% of enterprises – almost half a million according to MBIE data - have fewer than 20 employees but contribute more than a quarter of the country’s GDP. Almost a quarter of New Zealand small businesses have been hit by cyber crime according to Symantec’s latest SMB Cyber Security Survey with the average financial loss sitting at $16,000. Many of these small businesses will be operating on the proverbial “smell of an oily rag” with cyber security far down the list of priorities for owners focused on keeping the lights on and the cash flowing. It’s in this environment that many small businesses will find themselves operating below the ‘security poverty line’, the point below which a company cannot effectively protect itself from cyber security threats. Many small companies believe that IT security is too expensive and that they lack the knowledge on how to combat common cyber threats. At the October (ISC)2 Auckland Chapter event, 25 individuals took part in group exercises designed to identify pragmatic security investments that offer the ‘most bang for the buck’.
  • 4. Activity 1: Identify your preferred cyber security investments for a typical NZ SME
    Attendees split into four groups (Green, Blue, Gold and Red) and were presented with example cyber security guidance targeted at small businesses including:
    • CERT-NZ’s Ten Critical Controls 2018 https://www.cert.govt.nz/assets/Uploads/documents/CERT-NZ-Critical-Controls-2018.pdf
    • CIS Controls Implementation Guide for Small- and Medium-Sized Enterprises (SMEs) https://www.cisecurity.org/wp-content/uploads/2017/09/CIS-Controls-Guide-for-SMEs.pdf
    • The ASD/ACSC Essential Eight https://acsc.gov.au/publications/protect/Essential_Eight_Explained.pdf
    • NCSC-UK’s Small Business Guide https://www.ncsc.gov.uk/smallbusiness
    • Global Cyber Alliance Solutions (DMARC, Quad9, McScrapy) https://www.globalcyberalliance.org/what-we-do/
    Other material made available included the Cyber Essentials Scheme Questionnaire and NIST’s Small Business Information Security: The Fundamentals.
  • 5. Activity 1: The four groups selected the following prioritised controls.
    Consistent choices across all four groups were an emphasis on:
    • Backing up data and testing recovery
    • Implementing DNS and email security through Quad9 and DMARC
    • Multi-Factor Authentication
    • Focusing on credential management and enforcing least privilege
    • Three groups identified Security Awareness Training and Endpoint/Malware Protection
    Green Team Blue Team Gold Team Red Team MFA Web + Email Security (Quad9) Data Protection (CIS 13) DMARC + Quad9 Backup & Testing Backups Password Management & MFA Data Recovery Capability (CIS 10) Password Management Patching Patching Continuous Vulnerability Mgmt (CIS 4) Backup Data/Test Data Malware Protection Backups Enforce Least Privilege Malware Protection Upgrade Legacy Systems Application Software Security Security Awareness Training (CIS 17) Awareness Training Quad9 Endpoint Protection (AV, FW, etc.) Default Credentials Keeping your smartphone safe DMARC Least Privilege MFA Change default credentials Cyber Insurance Boundary Defence MFA Training & Awareness Endpoint Protection DMARC
  • 6. Activity 2: Identify your preferred cyber security investments for the following real world small business scenario
    ‘Greenfields’ 5 person tech start-up - $5K budget for security, cloud focus
    This tech start-up uses mostly IaaS, PaaS, and SaaS services from the cloud: Salesforce, Office 365, website builder software and mostly open source software (plus some licensed software). It uses online libraries for publishing and releasing code, and is working on app development for health service providers. They have a remote presence in the cloud with AWS, with remote management, running of servers and processes etc. All of them have laptops, primarily Macs. There are no policies, and less time to market is always better for them. The workforce is agile and everybody does everything. They are based in Auckland, have a growing customer base in NZ and in Australia, and are thinking of talking to customers in the US and Europe in the near future by hiring a sales and marketing person. The 3 founders say that, since they are a technology company, they don’t need IT support: they get what they need for IT and they get it fast. The website is hosted by the start-up itself.
  • 7. Activity 2: The four groups selected the following prioritised controls.
    Consistent choices across the groups were an emphasis on:
    • Implementing DNS and email security through Quad9 and DMARC (4 groups)
    • Multi-Factor Authentication and VPN security for network mobility (3 groups)
    • Endpoint Protection (2 groups)
    Green Team - Case Study 1 Blue Team - Case Study 1 Gold Team - Case Study 1 Red Team - Case Study 1 MFA + Cloud Secure App Development MFA MFA/ VPN Free Security Add-on Data Security VPN Backups Quad9 Training Endpoint Protection DMARC DMARC Free Tools Quad9 Encryption Insurance Risk Assessment DMARC Endpoint Protection Firewall/Compliance Blade
  • 8. Activity 3: Identify your preferred cyber security investments for the following real world small business scenario
    15 person SME, no budget allocated for security but could be up to $10K if made aware and pushed hard – threats are BEC, ransomware, etc.
    This well-known company is based in Auckland and has a list of almost static customers throughout NZ. It uses most of its IT services from in-house servers. It runs customised ERP software (9 years old) with a few updates, on SQL Server 2008. They have been hit by ransomware twice and have had some teething IT issues, but had cyber-insurance so the CEO is not very concerned. There are no full-time IT staff. Most of the employees have laptops/desktops with some form of anti-virus software, fibre as the means to connect, and phones with email. Not many of the staff like to put passwords on their phones and they tend to use easy passwords on their laptops as well. The company is very cost-conscious and not IT savvy.
  • 9. Activity 3: The four groups selected the following prioritised controls.
    Consistent choices across the groups were an emphasis on:
    • Implementing DNS and email security through Quad9 and DMARC (4 groups)
    • Endpoint Protection (4 groups)
    • Security Awareness Training (3 groups)
    Green Team - Case Study 2 Blue Team - Case Study 2 Gold Team - Case Study 2 Red Team - Case Study 2 Quad9 & DMARC Web & Email Security Boundary Defence Awareness Endpoint Protection Endpoint Protection DMARC Ring fence legacy systems Backups Boundary Security Access Control - least privilege Move to cloud if can't ring fence MFA/Office365 Training Endpoint Protection DMARC & Quad9 Free Security Awareness Training Vuln + Risk Management Disable Unused services Endpoint protection More Insurance (high premium) Data Protection
  • 10. Conclusion
    Common cyber security threats: ransomware, intellectual property theft (internal and external), Business Email Compromise, phishing and malware infections.
    The following inputs from the participants ran consistently through this session:
    • Identify valuable data, back it up and test your ability to recover and restore.
    • Defend against common attack vectors by implementing DNS and email security through the free Quad9 and DMARC tools.
    • Phishing and credential harvesting are the most common cyber security incidents recorded in New Zealand. To defend against these threats, use Multi-Factor Authentication where you can, secure passwords in a vault and apply least privilege to prevent escalation and traversal through your business.
    • Invest in modern endpoint protection software that provides anti-malware capabilities, phishing prevention and firewall capabilities.
    • Develop a security culture and boost your ‘human firewall’ by offering security awareness training tailored to staff.
  • 11. Conclusion
    We suggest a customised, scalable solution for tackling common cyber security threats like ransomware, intellectual property theft (internal and external), Business Email Compromise, phishing and malware infections:
    • Back up offsite daily (preferably in the cloud) – use inexpensive solutions like Microsoft OneDrive or Google Drive. For iPhones and Macs, use iCloud. Be ready.
    • Implement DNS and email security through the free Quad9 and DMARC tools. Be defensive.
    • Use Multi-Factor Authentication where you can, and secure passwords in inexpensive (but secure) mobile password vaults like LastPass or Dashlane. Be safe.
    • Invest in modern endpoint protection software that provides anti-malware, phishing prevention, DLP and firewall capabilities. Be cautious.
    • Use free training/planning tools from ConnectSmart, Cybrary or the Federal Communications Commission. Be aware.
    New Zealand business owners seeking pragmatic and cost-effective guidance on protecting their digital assets could review the outcomes of this (ISC)2 Auckland Chapter session.