New Zealand: Security Awareness Proficiency at Inland Revenue

 Our Information Security and Awareness Programme, known as Whakangungu Kaitiaki, supports Inland Revenue (IR) with our information security and keeps our systems and data secure. Research suggests that 90% of security breaches are due to human error. Therefore, we recognise that our people are our strongest defence against the risk of data breaches and cyber-attacks - such events can have a significant impact on the integrity of New Zealand’s tax system. Whakangungu Kaitiaki supports us to understand our vulnerabilities and improve our information security competency as an organisation, reducing the risk of breaches and cyber-attacks on IR’s systems.

Social engineering in the context of cyber security, is the psychological manipulation of people into performing actions or sharing confidential information. It is the act of tricking someone into divulging information or taking action, usually through technology. The idea behind social engineering is to take advantage of a potential victim’s natural tendencies and emotional reactions. With the human element being the most vulnerable part of any cyber defence system, falling prey to hackers and scams is considered the weakest point in IR’s defences.

A key element of our programme is a compulsory security awareness proficiency assessment to be completed by all IR people, taking approximately 15 minutes. This assessment gathers information about IR’s current knowledge across seven areas of security awareness – email security, mobile devices, incident reporting, internet use, passwords and authentication, social media and human firewalls. The findings build an overall security awareness benchmark and an ability to pinpoint weaknesses across the organisation. The results can then be used to build tailored training modules for our people to complete throughout the year.

The IR Information Security Office is also using a new online tool which provides an extensive range of cyber security and awareness training modules, such as interactive web-based training, quizzes, games, simulated phishing, and vishing attacks, to build a more secure organisation. The training modules will help everyone at IR understand what to look out for and empower all of us to do the right things.

By - John Nash, Strategic Advisor, International, Inland Revenue New Zealand