Tiaki Pakihi Māori

Protective security for Māori business and entities

Kia rite
kia ū
kia matāra

What is protective security?

In an increasingly complex world, keeping ourselves and each other safe and secure is more important than ever.

Protective security is like the pā that keeps a hapū safe.

At the heart of the pā stands the wharenui where tāngata, mātauranga, and taonga are held – people, information, and assets. There are many layers of the pā that protect the wharenui – palisades and trenches, as well as tikanga and kawa.

Protecting tāngata, mātauranga, and taonga from harm helps businesses carry out their mahi.

Just like the pā that protects the wharenui, your business should be strong, well-maintained, and able to resist attack.

 

What are the threats to my business or entity?

A threat is any source of potential harm or disruption that poses a risk to your organisation. Threats can come from a range of sources, including:

  • state-sponsored actors who undertake political and economic espionage in Aotearoa New Zealand
  • criminal groups who may seek to control access to your systems so they can extort you for money, in exchange for returning control
  • other cybercrime actors looking to scam individuals through fraudulent online activity.

Without your pā, threat actors may use your people, information, or assets to commit cybercrime, or to conduct foreign interference and espionage, which could:

  • prevent you from operating your business
  • lead to misuse or mishandling of information (either deliberately or accidentally)
  • erode the trust and confidence your community and your customers have in you
  • harm your people and lead to a loss of your people, information, or assets.

Natural threats to your business could include:

  • Cyclone
  • Drought
  • Tsunami
  • Earthquake
  • Heavy rain
  • Flood
  • Epidemic

Human threats to your business could include:

  • Threatening behaviour / violence
  • Terrorism
  • Cyber-criminal attack
  • Privacy breach
  • Foreign interference
  • Espionage
  • Criminal behaviour
  • Compromise of sensitive information

Learn more about threat and risk

What could happen?

Ransomware

What happened

An organisation operates as a local health service provider in the Bay of Plenty region. One morning, staff were unable to access their systems. A message appeared which stated their computers were infected with malware and all their data was encrypted. The actors demanded the organisation pay NZ$50,000 to decrypt their data and restore their services. The actors also threatened to leak sensitive customer information they had stolen if the organisation did not pay the ransom.

The organisation was able to restore their systems from backups made prior to the malware implant. Analysis revealed the network had been compromised for two months and confirmed that customer data had been taken by the actors. The actors got into their network using a staff member’s username and password, which had been leaked in a public data breach.

The organisation has since improved its cyber security measures, including through increased network monitoring and staff awareness training. Though they didn’t pay the ransom, they spent a lot of time and money to investigate and resolve the issue. This incident resulted in many customers feeling betrayed and losing trust in the organisation which was meant to safeguard their medical information.

Impact on business

Māori data is taonga and holds treasured information, including whakapapa. Personal information is an attractive target for malicious cyber actors who want to steal it or want payment to not release it publicly. Losing data from cyber incidents means you will lose sovereignty over this taonga and could lead to further targeting of those whose information is exposed. 

Cyber incidents undermine trust, especially where data is stolen or lost. According to the International Data Corporation, 80% of customers stopped supporting a business when their personal information was exposed through a breach.

Learn more about ransomware

Email compromise

What happened

An organisation is a small Iwi-owned company which works with government agencies and charities to deliver social services in Te Tai Tokerau/Northland. One day, a senior employee received an email from a supplier saying that they had not yet received payment for an overdue invoice of NZ$10,000. The finance team had marked this invoice as paid, but one employee remembered getting an email from the supplier about a change in bank account number.

Analysis revealed that the supplier’s email account had been compromised by a malicious cyber actor. The actor tricked the finance team into paying the invoice to an account controlled by the actor, meaning the real supplier never received payment. The finance team did not follow their internal process to verify this account change by calling the supplier before paying the invoice.

The organisation has since provided more training to staff to raise awareness of business email compromise. They have strengthened their invoice payment process. They alerted the supplier to the breach of their employee’s email address. The supplier has updated their staff password rules, including enabling multi-factor authentication (MFA) for key staff, and requiring long, strong and unique passwords.

Impact on business

In 2024, the average cost per incident reported to the NCSC was $25,500.

Losing money to cyber incidents and scams has an impact on your business and means you might miss out on the chance to invest that money into growing your business for future generations.

In serious cases, cybercrime actors could take control of key assets owned by Iwi Māori which would undermine the ability for Māori to protect and govern them.

Learn more about email compromise

What do I need to protect?

Tiaki tāngata — Protecting people

Protect your people from threats that may harm them or your business

Your employees have privileged access that can put your information, assets, and other people at risk. Your employees may be targeted by people who want to cause harm to your business through them, using bribery, coercion, or blackmail. Others may cause harm to your business directly out of desperation or spite.

Your people may include:

  • employees
  • contractors
  • suppliers
  • volunteers
  • other building tenants.

Tiaki mātauranga — Protecting information

Store, protect, and process your information responsibly

Every business holds valuable information, but using technology provides an opportunity for malicious cyber activity which can impact your ICT systems and your business operations. Good security gives your customers, suppliers, and investors confidence in your business, and helps you feel confident in responding to threats and minimising potential damage.

Your information may include:

  • customer records
  • personal information
  • banking credentials
  • ICT systems.

Tiaki taonga — Protecting assets

Keep your people, information, and assets safe and secure.

Your most valuable assets are the things that you could not do business without, and they need to be protected. Good security can foster growth and innovation. It gives your customers, suppliers, and investors confidence in your business, and helps you feel confident in responding to threats and minimising potential damage.

Your assets may include:

  • products
  • property
  • buildings
  • vehicles
  • workplace
  • home office.

Where do I start?

Make background checks part of recruitment

Good personnel security begins at recruitment. Include background checks as part of your recruitment process to make sure candidates are who they say they are, so that you can feel confident they are someone you can trust. This includes any contractors or suppliers.

Build a security culture

Talking to employees about security builds a security culture where security incidents can be openly talked about and learned from.

Develop clear security policies that are supported by training and regular communication with employees. Make sure everyone knows how to report a security incident, and what their responsibilities are in managing and resolving security risks.

When an employee leaves your business, remove their access

Make sure they have returned any devices and tools you have provided to them and remove their access to your systems, information and assets.

Update your software and systems

Keeping your software up to date is one of the simplest and most effective steps you can take to ensure your environment stays secure.

Patching (ncsc.govt.nz)

Enable multi-factor or two-factor authentication

Requiring additional verification when authenticating to sensitive accounts can protect your business from unauthorised access.

Multi-factor Authentication (ncsc.govt.nz)

Back up your data

Even with security controls in place, incidents can still happen. Backups ensure that if any of your data is lost or stolen, you can get it back quickly and easily.

Implement and test backups (ncsc.govt.nz)

Identify your assets

Make a list of your valuable assets and where they are located. Your most valuable assets are the things that you could not do business without.

Secure your assets

Discourage unauthorised access by putting physical barriers around your assets. Make sure you can see who is accessing them, even when you’re not around, through video or alarm systems.

Control access to your assets

Introduce control measures and monitoring systems to ensure access is only available to people who need it.

How do I prioritise?

Conducting a threat and risk assessment will help you clarify what you are trying to protect, the threats you could face and the associated risk (which is the likelihood of a threat occurring and the impact it would have if it happened). It will also help show which controls you already have in place to manage security risks, and which ones may be missing.

Below is an overview of the steps involved when conducting your own security threat and risk assessments. You might recognise some of the themes that have been covered through earlier pātai and suggested security actions:

  1. Identify what to protect
  2. Identify the threats
  3. Assess the likelihood of the threat occurring
  4. Assess the consequences if the threat occurs
  5. Assess the inherent risk
  6. Determine levels of acceptable risk
  7. Manage the risks
  8. Assess the residual risks
  9. Monitor and evaluate

Security risk is just another dimension of managing your overall business risk. You may have a current approach you take elsewhere (for example, to operational, financial, legal, and health and safety risks) that you can adapt and apply to security.

Where can I find out more?

Acknowledgements

E mihi ana ki te reference group i tā koutou mātauranga i āhei tātou ki te whakatutuki tēnei mahi.

Thank you to the participants of our reference group who were instrumental in the development of our protective security advice for Māori business and entities.