20 Mar / 2023
The Australian Institute of Company Directors has stated an increased focus on cybersecurity as one of its priorities for the coming year. Specifically, they want to make regulatory policies clearer and make it easier for private sector Directors to comply and be held accountable if they don’t.
Given the high profile of some recent corporate data breaches, notably Optus, Canva and Medibank, it is unsurprising that the government wants to define who is responsible for what. The purpose of the changes is also to equip Directors to spot security red flags and to challenge management confidently where necessary.
The implications for Board Directors that fail to ensure their organisation complies with the new legislation are vast, as referenced in our previous blog. As well as corporate liability, Directors now have personal liability when it comes to security.
Knowingly ignoring an incident, or failing to put appropriate preventive controls in place, is punishable with personal fines and legal action from the government and from shareholders. Ignorance of the law is not an excuse.
This checklist makes it easy for Directors and Board Members to ensure they are meeting legislative requirements:
1. Understand your Position
Your first step is to gain an understanding of your organisation’s current cybersecurity strategy, team and resources. How resilient is your organisation to attack, and does it already comply with the regulations that apply to it? How well protected are you against known attack techniques, and which threats affect your business specifically rather than businesses in general?
Action: Conduct an audit of your current security position either internally or by using an external cybersecurity specialist provider such as Cythera.
2. Protect your Data
The government’s biggest concern is a data breach, specifically one involving personal data belonging to your clients, customers and employees. What data do you hold, and where is it stored? Does your data retention policy align with national guidelines? Are you using Data Loss Prevention (DLP) tooling?
Action: Identify where your sensitive data resides, understand who has access, and determine if you have sufficient controls in place to protect it. Cythera offers a comprehensive data risk assessment which identifies risky data across your business and provides practical steps to ensure it is protected.
3. Prevent Penetration
Once you have your security strategy in place and have pinpointed your sensitive data, you are in a much better position to start protecting your business from a cyber attack. Ransomware and other malware frequently arrive through untrusted websites, downloads and unsanctioned applications, so restricting access to these with specific tooling such as web filtering is an important control.
Action: Deploy web filtering, antivirus and email protection software. These help prevent employees from accessing unsanctioned applications or visiting unauthorised websites, and reduce the number of malicious phishing emails that reach them. Treat these preventative controls as a first layer that reduces your exposure rather than a complete defence: no filter catches everything, so the detection, response and testing steps below still matter.
4. Educate Employees
Even with the best security technology, your organisation is only as strong as its weakest link. Social engineering remains one of the most common ways criminals gain initial access, and human error accounts for a large portion of successful attacks.
Action: Educate your employees by using a cyber awareness training platform that teaches them how to spot social engineering or phishing attacks.
5. Define your Response Plan
If, or more realistically when, a data breach or intrusion occurs, you need to know how to respond. A well-defined response plan keeps everyone on the same page and ensures your response is consistent and effective.
Action: Create a predefined incident response playbook, automate its steps where possible, or use a Managed Detection and Response service such as Cythera MDR. It is also recommended to practise ‘cybersecurity fire drills’ with your internal and executive teams to prepare for a real attack. These drills can be run by external cybersecurity experts, such as the team at Cythera, and are included within the MDR service.
6. Test and Retest
Maintaining an effective security strategy is not a one-time job. As a Board Member responsible for the security of your organisation, you must ensure your security is constantly evolving to match the ever-changing tactics used by criminals.
Action: Stress test your systems through a regular penetration testing regimen. Testing your security regularly identifies vulnerabilities so they can be remediated before an attacker finds them. Reviewing incident data from your own environment also reveals behavioural patterns that help you stay ahead of attackers.
To complement the checklist above, here are some best practices for maintaining a compliant cybersecurity strategy.
Board Members and Non-Executive Directors should:
Given the intricacies of the industry and new legislative requirements, many Board Members choose to opt for a fully managed security service.
Cythera’s security service is powered by Netskope, a leading cloud security solution that makes cutting-edge security protection available to even fully remote teams.
Combining a human-led approach to managed security with decades of industry experience, Cythera analyses and optimises your security strategy. Cythera’s team of leading Australian-based security analysts works with your team to understand your unique requirements and to structure a security strategy and deployment plan for your business.