On Wednesday 11 May I had the privilege of speaking at Business Hunter's May Business Development Forum on cyber security posture, culture, and strategy for SMBs.
The discussion and questions asked by the room were fantastic and really demonstrated a shift in the way leaders are thinking about risk management within their businesses. With real-life examples of just how easily a cyber attack can bring an organisation to its knees, the agenda of the forum shared valuable insights and practical ideas that all businesses, regardless of size, should be aware of and easily implement as required.
I'd now like to share the key points of the forum with our wider community for discussion.
What exactly is cyber security posture?
Cyber security posture refers to a business's overall defence against cyber attacks. Your cyber security posture encompasses any security policies in place, employee training programs, and security-based technology solutions. It is the collective security status of your people (how 'cyber-aware' your employees are and your business's cyber culture), your software, hardware, services and networks, and how secure you are as a result of those tools and processes.
How can I measure my cyber security posture?
In our experience, one of the most reliable ways to measure your cyber security posture is to benchmark your current practices, systems and solutions against other businesses in your industry, to identify areas of weakness and high risk and, in turn, opportunities for improvement. This is also where we recommend working with a trusted technology partner who has access to this level of relevant industry data and can deliver an impartial review of your business's cyber security posture.
Remember - you are never going to achieve an entirely risk-proof cyber security posture. Given the rate at which cybercriminals are evolving, the goal is instead to create the strongest cyber security posture possible, putting as many roadblocks as possible between cybercriminals and your business.
How can I encourage a positive cyber security culture within my business?
When it comes to cyber security, it is everyone's role (and responsibility). Much like Work Health & Safety (WHS) obligations in a business, which fall to each employee to ensure a safe environment, a culture of cyber safety needs not only to be led from 'the top' (Board and Executive level) but to be understood and embedded at every level of the organisation.
Do your employees have the knowledge they need to identify cyber threats? Do they have a simple way of reporting any cyber concerns? And if so, does your business create a culture of ownership and a safe space for employees to put their hand up if a mistake has been made?
A positive culture can be encouraged simply by making the cyber security conversation frequent, providing short and targeted training about current threats via channels relevant to your business, and even incentivising participation in training and the reporting of threats.
How can a cyber security strategy be created?
The responsibility of creating a cyber security strategy falls to the board and/or business leaders and owners, with partners and employees supporting it.
A good cyber security strategy should be a 50/50 split between technology and human defences, and not simply "the IT department's problem". Alarmingly, a multitude of reputable reports have found that the biggest risk to your business is in fact your employees, through a lack of education about cyber security expectations and threats.
Cyber insurance is now offered as an additional layer of protection for businesses for when both the technical and human defences fail and your data and systems are breached.
To create a strong cyber security strategy, engage a specialist technology partner who can guide your business through the process and ensure that your strategic objectives and goals are aligned with industry best practice and any regulatory or industry-specific requirements.
What resources are available to SMBs to help understand cyber security best practices and obligations?
There are a number of government and non-government bodies that provide frameworks and resources to support and guide SMBs. Some of the most reputable information sources include:
- The Australian Cyber Security Centre (ACSC)
- Australian Signals Directorate (ASD)
- The Essential 8
- Diamond IT's Tech Updates
- The Business Centre's Cyber Security Culture program
As well as industry-specific compliance accreditation bodies such as:
- ISO 27001 Information Security Standard
- The Department of Education, Skills and Employment services (DESE) Information Security Management System (ISMS) Scheme
How Diamond IT can support your cyber security strategy
The Diamond IT team specialise in reviewing cyber security strategies to ensure they are fit-for-purpose, align with government recommendations, and include the necessary defences required to best protect your business from malicious threats.
Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cyber security and are ready to speak with you. Contact our team on 1300 307 907 today.