Buzzing about information security at OWASP New Zealand Day 2020


Don’t let the acronym put you off – we weren’t subjected to any nasty stings at the Open Web Application Security Project (OWASP) New Zealand Day. But we certainly learned plenty about the misconceptions, challenges and harsh realities of information security in New Zealand. 

Consisting of a two-day training course and a one-day conference, OWASP New Zealand Day 2020 was held in late February at The University of Auckland School of Business. Members from the Patients First team travelled to Auckland to get up close and personal with the cybersecurity community. Our people need continuous exposure to and engagement with the conversations, knowledge and guidance about a topic that is crucial to our work in the New Zealand health sector. We are interested in strengthening our internal capabilities so that we can share our learnings with the rest of the sector and provide guidance and support when it comes to cybersecurity.

For example, we heard about some common fallacies: that organisations in New Zealand aren’t big enough to be at risk of hacking, that the data they hold isn’t worth stealing, or, most concerning, that security measures are too expensive to put in place. These misconceptions are simply not true, and the longer they are believed, the greater the risk to those organisations.


We also heard from Petra Smith, Aura Information Security, about the shocking things that can happen when technology goes wrong and ends up harming people. She posed the question, “How can we be confident that we’re keeping people safe when they face threats that are literally unimaginable?” She stressed the importance of threat modelling and analysing the worst things that could possibly happen.

Chris Cormack, Catalyst IT, provided some te reo Māori words to describe information security concepts. Mūrere means “to hack” or “hacker” (mūrere – be clever, intruding), and hītinihanga means phishing (hī – to fish; tinihanga – deceive, trick). How do you record the results of whakamātautau ngoto, penetration testing, in your organisation? Do you have a rēhita tūraru, a risk register, in your organisation?

Our trip to Auckland ended on an entertaining note when we attempted to learn a card game called “Backdoors & Breaches”. It’s an incident response card game that aims to “help you conduct incident response tabletop exercises and learn attack tactics, tools, and methods.” We look forward to playing a few rounds with you soon!

This free event is well worth attending. It’s relevant to people at all levels – from developers who need to apply sound security practices to their work, to those in managerial roles who need to be aware of the risks of technology.

After all, cyber and information security are everyone’s responsibility.