Last week the National Cyber Security Centre (NCSC) released their Cyber Threat Report for their financial year of 2024-25 (things that happened between 1 July 2024 & 31 June 2025).
This year's report was structured a bit differently, reflecting the change in NCSC's scope and focus and how the team there thinks about the value their reporting adds. Since they started these reports, the number of services has grown, Malware Free Networks has clocked a billion disruptions (by the way, Bastion’s Cassini ticked over a billion disruptions about a week later #JustSaying), and the NCSC / CERT integration is old news and fully complete.
The big change in this year’s report is the Five Judgements. As a former contributor to this report, I dread to think how many discussions there were about whether those were “assessments”, or whatever other nouns were workshopped. Structuring the report, and what the NCSC saw last year, around what it means for Kiwi organisations, is an awesome level up for the report. Good work team.
The Five Judgements are:
- State-sponsored actors are actively targeting New Zealand
- The commercialisation of cybercrime means cybercriminals have more tools
- Hacktivists are targeting New Zealand organisations as global conflicts escalate
- Threat actors are exploiting supply chains, hidden dependencies and organisational blind spots
- Known weaknesses and unpatched vulnerabilities are providing threat actors with easy access
I won't go through all of these, as this is a blog, not an essay, but I did want to highlight the judgements about hacktivists and supply chains.
I'm really glad hacktivism was called out. Here at Bastion we see the hacktivist reactions all the time. Every time NZ stands up and supports Ukraine through aid, or announces new Russia sanctions, the DDoS waves start up again. Hacktivism and DDoS are back on the threat board and NZ isn't immune - in fact it's predictable, albeit at short notice. If your website, or your DNS, is a key component of your organisation’s ability to function (pro-tip: it probably is), then you need some DDoS protection and resilience. That's just life in the 2020s, sorry team.
And supply chains. Look, this is hard, but it's important. My colleague Dana Windsor presented at ChCon this year on 3rd party risk and shared responsibility, and she referenced the infamous Kiwicon 3 poster. Hackers don't... care if you outsourced the service. If it's the easiest way / fastest way in, they'll use it. Understanding the security posture and capabilities of the organisations who are supporting you, and to whom you are transferring trust (as in transferring your customers' trust in you to your 3rd party), is important. As Dana pointed out, no-one talks about the <insert your MSP here>. They talk about the Qantas or Jaguar/LandRover breach.
If you don't have a 3rd party risk management framework, then you should plan to put one in place. My two cents? Build one around the new NCSC Minimum Standards. If it's good enough for NCSC to hold Agencies to, it's good enough for you to use to hold your vendors to.
All in all, the NCSC annual Cyber Threat Report is a good read and it’s been awesome to see the report get better each year. If you haven't had a chance yet, then I'd suggest putting it on your summer reading list (along with the NZSIS Annual Threat Report, if you haven't read that). Get a small dose of non-fiction in between the easy reads and whodunnits you'll be devouring over the summer break.
Happy reading and happy holidays,
Creeture
