If you are a director, CEO or member of the board, there are five principles you need to know to keep your company safe. Shockingly though, many do not, and companies ranging from large private corporations to small not-for-profits could be at serious risk.
The Australian Cyber Security Centre (ACSC) reported a cyber attack every seven minutes in the 2021–22 financial year, up from every eight minutes in the previous financial year.
It is clear that today, more than ever, you need to secure your network to keep your operations going, safeguard your data and, most importantly, keep your customers' private information safe.
Furthermore, it is possible that the business owners and the board could be held liable should a cyber attack occur. The Australian Government has set legal requirements in this regard (see the Corporations Act 2001). Safeguarding your business is not just your ethical responsibility, but your legal one too.
Cyber Security vs. Cyber Governance
Cyber security and cyber governance are two related but distinct concepts.
What is cyber security (the technology)? Cyber security refers to the practice of protecting computer systems, networks and data from unauthorised access, theft, damage or disruption. It is about the tangible measures put in place, such as firewalls, antivirus software and Managed Endpoint Detection and Response (EDR) solutions.
What is cyber governance (the policies, processes and procedures)? Cyber governance, on the other hand, encompasses the organisational and strategic aspects of managing cyber security within an enterprise. It involves establishing a framework and structure for managing cyber risks, ensuring compliance with regulations and industry standards and aligning cyber security with business objectives.
It's important to note that you can't really have one without the other. Both cyber security and cyber governance are crucial for maintaining a secure and resilient digital environment.
These are the five principles you need to know...
The Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) released a set of cyber security governance principles to help guide your efforts.
Principle 1: Set clear roles and responsibilities
Just as you have a fire warden, you need specific individuals who are responsible for your cyber security measures. If something does happen, the board needs to know exactly who will be on the ground dealing with it, including internal staff members and any external contractors or counsel.
You need a very clear plan for how the board will interact with management and external consultants if a breach occurs. This reduces the potential for wasted time and miscommunication. Every second counts in these situations.
Top director questions
- Does the board understand cyber risks well enough to oversee and challenge?
- Who has primary responsibility for cyber security in our management team?
Principle 2: Develop, implement and evolve a comprehensive cyber strategy
Your cyber strategy should:
- Identify your organisation's key digital assets and data plus who is responsible for them.
- Identify potential weaknesses and risks including those associated with third-party suppliers.
- Plan for regular stocktakes of the data your organisation holds.
- Clearly outline steps to be taken if a cyber security incident occurs.
It can be useful to imagine your organisation's worst possible cyber security scenario and plan for that in real time. How would management and the board respond? Document that in precise detail.
Top director questions
- Who has internal responsibility for the management and protection of our key digital assets and data?
- Where, and with whom, are our key digital assets and data located?
Principle 3: Embed cyber security in existing risk management practices
The board, directors and team must build up their cyber resilience through regular training and education. Try simulation exercises and penetration tests.
An example of a cyber security simulation exercise is a "Red Team vs. Blue Team" exercise. In this exercise, the organisation sets up two teams: the Red Team, which represents the attackers or adversaries, and the Blue Team, which represents the defenders or the organisation's cyber security team. The exercise aims to simulate a realistic cyber attack scenario and test the organisation's ability to detect, respond to and mitigate the attack.
Top director questions
- Is cyber risk specifically identified in the organisation’s risk management framework?
- How regularly does management present to the board or risk committee on the effectiveness of cyber risk controls?
Principle 4: Promote a culture of cyber resilience
Cyber risk is an operational risk that fits within an organisation’s existing approach to risk management. It should be embedded in your regular operations and must trickle from the top down. Leaders must allocate the resources required to create a security-conscious culture. There should be regular training, clear policies and procedures made accessible, continuous education, adequate incident response planning, and continuous monitoring and improvement.
Top director questions
- Is cyber security training mandatory across the organisation and is it differentiated by area or role?
- How is the effectiveness of training measured?
Principle 5: Plan for a significant cyber security incident
The most thorough way to prepare for a cyber incident is by having a third-party expert test your system. Simulation exercises can be useful as they allow directors to familiarise themselves with the response strategy and make improvements, if necessary.
Top director questions
- Do we have a Cyber Incident Response Plan, including a comprehensive communications strategy, informed by simulation exercises and testing?
- Can we access external support if necessary to assist with a significant cyber security incident?
How Diamond IT can support your cyber security strategy
Do you need help integrating these five principles into your daily operations? The Diamond IT team specialises in reviewing cyber security strategies to ensure they are fit-for-purpose, align with government recommendations and include the necessary defences required to best protect your business from malicious threats.
We can support you by establishing your Essential Eight maturity level and improving your overall cyber security posture.
Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cybersecurity and are ready to speak with you. Contact our team on 1300 307 907 today.