A recent survey by the ACSC found that that 62% of SMEs had experienced a cyber incident. In Australia the average cost of cybercrime is $29 billion, and this is set to rise.
It’s more important than ever for business leaders to take action and adopt a pro-active stance to protect their assets and interests.
Here are the most important things you should be keeping an eye on to ensure that your business is cyber ready.
1. Information security policies
Your policies and procedures are the backbone of your business’ governance. They make up the “blueprint” of your operations and proceedings. Having robust and relevant information security policies is critical as they outline your objectives and ways to achieve them. Moreover, they are the reference point the SLT can use to identify whether the company’s cyber security posture is adequate and tailored to the business needs. Different businesses have different needs and might face different risks therefore the governance framework needs to be customised and adjusted to your particular profile.
2. HR procedures
Information security starts and ends with humans. Your HR procedures should properly screen future employees as well as provide adequate cyber security training. 40% of incidents are the result of human error which stems predominantly from lack of awareness. Ask your employees if they feel comfortable identifying a malicious email and create a benchmark to monitor staff awareness. Cyber-attacks evolve and change continuously, and your staff’s preparedness should reflect that. Furthermore, your induction processes should clearly outline to the employee their responsibilities around information security
3. Employee contracts
Employee contacts should contain confidentiality clauses that can prevent a staff member from disclosing sensitive information to unauthorised parties. These clauses should carry protections around your Intellectual Property and ideally they should survive termination of the employment.
4. IT Support
Whether your IT is in-house or you use an external provider it’s important to have a good understanding of how your IT is functioning. Ensure that proper controls are in place and the IT staff regularly review your user activity and email activity. 90% of cyber incidents start with an email so it’s important that nefarious emails are blocked and don’t reach the end user. Consider reviewing your network integrity and conduct vulnerability scans on an annual basis.
5. Legal obligations
This has become an increasingly challenging issue for SMEs and Enterprises alike. The legal framework in Australia includes provisions for cyber security responsibilities. In July 2021, parliament discussions were held with the aim of enforcing personal liability for Directors and CEOs for a cyber security incident. Moreover, most businesses don’t know their regulatory obligations regarding data breaches possibly risking hefty fines and financial loss.
6. Cybersecurity controls
Every business should have in place some essential cyber security controls to minimise the risk of an attack of systems compromise. They can include:
- Anti-malware. Implementing anti-malware on company devices significantly reduces the chance of a malware infection. Moreover, anti-malware is great at stopping malware for spreading and infecting other devices.
- Password manager. Password Managers are a great tool for storing and creating password. A user needs only to remember one password and utilise the features of the tool to generate strong and secure passwords.
- 2-Factor -Authentication. 2FA adds an extra layer of protection for accounts and devices and makes it extremely hard to compromise accounts.
- Limited user privileges for employee devices. This will prevent users or threat actors from remotely installing or uninstalling unwanted software in company devices.
Regular review of the implementation status of these controls is critical to ensure that a strong defence line is in place to protect against malicious activity and hacking attempts.
7. Cost of a cyber attack
There are many types of cyber attacks. Ransomware and phishing top the charts in Australia. Ransomware will lock your data and make it inaccessible while phishing is being used to steal credential and deploy ransomware. The average cost of a cyber attack in Australia is $276,000. Although, these direct costs can be crippling for a business they are dwarfed by the indirect cost of losing operational capabilities and reputational damage. The business should determine what would the impact of a cyber attack be and the cost to recover form it. Start by determining how much money is lost for every day of being unable to operate.
8. Information Assets.
In 2020 the most valuable traded commodity was data surpassing oil and gold. Your businesses’ information assets can include your client database, intellectual property and brand salience. By identifying and evaluating your information assets you can maximise your business’ value. More importantly, you are able to identify which asset is the most valuable in your business and take actions to mitigate the cyber risks facing thus ensuring its integrity.
Every business has a network of suppliers that relies on to be able to operate. You exchange sensitive information with suppliers on a daily basis nevertheless once that information enters your partner’s system its security and integrity now rely on their cyber security controls. It’s important for your business to understand what kind of information your suppliers gather and how they can use that data and information. Regularly review your agreements with your suppliers and ensure that they include clauses for protection of your data and intellectual property.
As mentioned above, your data and information may be your business’ most valuable asset. It’s critical to ensure that your data is backed up regularly and securely and can be available whenever needed. There are many cloud based and host based solutions out there. If you’re using Microsoft consider utilising OneDrive or SharePoint and create a backup review schedule. Backups should be reviewed and restored, ideally on a bi-annual basis to ensure that they are effective. Establishing proper backup procedures greatly reduces the impact of ransomware attacks and maintain the value of the business’ critical information assets.