Does Your Business Meet Australian Security Legislation? A Checklist for Board Members and Executive

20 Mar / 2023

Cyber Security

Everything you need to maintain a compliant security strategy.

The Australian Institute of Company Directors has stated an increased focus on cybersecurity as one of its priorities for the coming year. Specifically, they want to make regulatory policies clearer and make it easier for private sector Directors to comply and be held accountable if they don’t.

Given the high profile of some recent corporate data breaches - notably Optus, Canva and MediBank, it’s unsurprising that the government wants to define who’s responsible for what. But the purpose of the changes is also to educate Directors to be able to spot security red flags and confidently challenge management where necessary.  

The implications for Board Directors that fail to ensure their organisation complies with the new legislation are vast, as referenced in our previous blog. As well as corporate liability, Directors now have personal liability when it comes to security.

Knowingly ignoring an incident or failing to appoint appropriate preventions is punishable with personal fines and legal action from the government and shareholders. Ignorance of the law is also not an excuse.

This checklist makes it easy for Directors and Board Members to ensure they are meeting legislative requirements:

Checklist for Board Members and Non-Executive Directors:

1. Understand your Position

Your first step is to gain an understanding of the state of your organisation’s current cybersecurity strategy, team and resources. How resilient is your organisation to attack and does it already comply with regulations? Are you fully protected against known and unknown attacks that might affect your business differently than others?

Action: Conduct an audit of your current security position either internally or by using an external cybersecurity specialist provider such as Cythera.

2. Protect your Data

The government’s biggest concern is a data breach. Specifically, personal data from your clients, customers and employees. What data holdings do you have in place? Does your data retention policy align with national guidelines? Are you using Data Loss Prevention tooling?

Action: Identify where your sensitive data resides, understand who has access, and determine if you have sufficient controls in place to protect it. Cythera offers a comprehensive data risk assessment which identifies risky data across your business and provides practical steps to ensure it is protected.

3. Prevent Penetration

Once you have your security strategy in place and pinpoint your sensitive data, you are in a much better position to start protecting your business from a cyber attack. Ransomware and malware frequently arrive through unknown websites and applications, so restricting access to these with specific tooling such as web filtering is critical.

Action: Install web filtering, antivirus, and email protection software. These help prevent employees from accessing unsanctioned applications or visiting unauthorised websites whilst also protecting them from receiving malicious phishing emails. These preventative controls reduce your overall attack surface. 

4. Educate Employees

Even with all the best security tech, your organisation is only as strong as its weakest link. Social engineering is still the primary method used by cybercriminals, and human-error accounts for a huge portion of successful attacks.

Action: Educate your employees by using a cyber awareness training platform that teaches them how to spot social engineering or phishing attacks. 

5. Define your Response Plan

In the inevitable event of a data breach or hack, you need to know how to respond. A well-defined response plan keeps everyone on the same page and ensures your security is consistent and effective.

Action: Create a predefined playbook for incident response and automate these where possible or utilise a Managed Detection and Response service, such as Cythera MDR. It is also recommended to practise ‘cybersecurity fire drills’ within your internal and executive team in order to prepare for a cybersecurity attack. These types of drills can be hosted by external cybersecurity experts, such as the team at Cythera and are included within the MDR service.

6. Test and Retest

Maintaining an effective security strategy is not a one-time job. As a Board Member responsible for the security of your organisation, you must ensure your security is constantly evolving to match the ever-changing tactics used by criminals.

Action: Stress test your systems through an active penetration testing regimen. Regularly testing your security helps identify vulnerabilities and patch these before an attack occurs. Looking at incident data allows you to identify behavioural patterns and stay ahead of attackers.

Cybersecurity Best Practises for Board Directors

To complement the checklist above, here are some best practices for maintaining a compliant cybersecurity strategy.

 Board Members and Non-Executive Directors should:

  • Understand their responsibilities and any legislation that affects the organisation;
  • Allocate appropriate budget for incident response, insurance and managed security if needed.
  • Ensure security leaders conduct regular stress tests and risk assessments;
  • Report cybersecurity incidents immediately, within the relevant time frame according to your industry;
  • Take responsibility for educating employees with a top-down approach; and
  • Ensure your security is comprehensive and effective. Recognise where capabilities fall short and, in that case, engage a security provider such as Cythera.

A Cost-Effective, Outsourced Alternative: Cythera’s Managed Security Service

Given the intricacies of the industry and new legislative requirements, many Board Members choose to opt for a fully managed security service.

Cythera’s security service is powered by Netskope, a leading cloud security solution that makes cutting-edge security protection available to even fully remote teams.

Combining their human-led approach to managed security, Cythera uses decades of industry experience to analyse and optimise your security strategy. Cythera’s team of leading Australian-based security analysts work with your team to understand your unique requirements and structure a security strategy and deployment plan for your business.

 

For more information on how Cythera guides Board Members and Executive Directors and provides cybersecurity protection for hundreds of Australian organisations, please contact us here:

Resources

You may be interested in

Common Unix Printing System (CUPS) - Critical Vulnerability

Common Unix Printing System (CUPS) - Critical VulnerabilityWhat Is VulnerableThe open-source printing system called “Common Unix Printing Syst…

Read More arrow_forward

Upcoming ISO 27001 Audit? 5 Ways to Nail It.

Undergoing an ISO 27001 audit can be a stressful time, not only do you have your day-to-day role to manage, but you also need to spend months in…

Read More arrow_forward

ISO 27001 Checklist for Upcoming Audits in 2023 and 2024

As we roll through the mid-way point of the calendar year, and hit the start of the Australian financial year, a lot of Australian businesses ar…

Read More arrow_forward