“Don’t click on dumb sh*t” and prioritise governance.
At the recent National Cyber Security Summit, New Zealand’s top security agencies delivered a stark message: cyber security is not just an IT issue, it’s a critical governance and people-centric challenge.
Graeme Muller, Chief Executive of NZTech, initiated the discussion by asking for the key piece of advice for organisations navigating the digital landscape. Andrew Clark, Director General and Chief Executive of the Government Communications Security Bureau (GCSB), responded with a blunt but effective mantra: “Just don’t click on dumb shit.” He emphasised the importance of basic cyber hygiene, such as two-factor authentication, and stressed the need for robust governance frameworks, urging organisations to utilise the NCSC’s cybersecurity framework.
Clark further advocated for boards and CEOs to actively engage in risk assessments and participate in table-top exercises to simulate cyberattack scenarios. This, he argued, would foster a deeper understanding of potential threats and vulnerabilities.
Andrew Hampton, Director General of the NZ Security Intelligence Service (NZSIS), echoed Clark’s sentiments, highlighting the gap between board-level anxiety and effective action. He stressed the importance of a holistic, organisation-wide approach to cybersecurity, advocating for frameworks that ensure alignment between boards, technology professionals, and security teams.
Panel Discussion from the National Cyber Security Summit 2025, with Graeme Muller, Andrew Clark & Andrew Hampton
“Having your board and your technology and security professionals all on the same page and asking ‘what are the potential threats we are facing, how have we secured our environment, how do we validate that, how have we built security into our principles, do we know who we partnered with and the risks that go with them,” Hampton stated.
The conversation underscored the critical role of people in cybersecurity. Both Andrews emphasised the importance of educating and training staff to recognise and avoid phishing attacks and other social engineering tactics. As Muller pointed out, the “don’t click on dumb sh*t” advice is fundamentally about people and their understanding of the implications of their actions.
The agencies also addressed the growing concern about attacks on critical infrastructure. Hampton highlighted that these attacks pose the most significant threat to New Zealand, given the essential services they provide. Clark added that the increasingly complex global and domestic security environments necessitate a strategic allocation of resources and stronger partnerships.
“The global environment we’re facing is probably the most challenging we’ve seen in a generation”
Andrew Clark, Director General and Chief Executive of the Government Communications Security Bureau (GCSB)
“The global environment we’re facing is probably the most challenging we’ve seen a generation,” Clark said, emphasising the need for collaboration between agencies and private sector organisations. He further noted the shift towards greater transparency and information sharing by security agencies.
The summit concluded with a call to action: organisations of all sizes must prioritise cyber security as a fundamental aspect of their operations. The key takeaways included:
- Basic Cyber Hygiene: Implement two-factor authentication and educate staff to avoid phishing attacks.
- Governance and Risk Assessment: Boards and CEOs must actively engage in understanding and mitigating cyber risks.
- People-Centric Approach: Invest in training and education to empower staff to be the first line of defense.
- Table-Top Exercises: Simulate cyberattack scenarios to test response plans and identify vulnerabilities.
- Partnerships and Information Sharing: Foster collaboration between organisations and security agencies to share threat intelligence.
- Critical Infrastructure Protection: Prioritise securing essential services to minimise the impact of potential attacks.
By adopting these principles, New Zealand organisations can strengthen their cyber defenses and contribute to a more secure digital environment.
Continue the conversation...
Digital transformation demands proactive cyber risk management, beyond mere defense. Leaders must identify and measure risks, driving future-proof solutions. The Cyber Security Risk Conference explores this evolution, aligning with themes from the National Cyber Security Summit, offering deeper insights for practitioners.
