
20 March 2017

Information Security Management System: How to Know When You Need One

Information security management systems are essential for Australian businesses of all sizes to meet diversifying security challenges. But knowing where to start in implementing one can be a challenge in itself. In this article, we explain what is expected of business owners in tackling information security, and how to identify when your business may be in need of a formalised information security management system.

 

You Have No Information Security Policies in Place

A worrying 29% of Australian SMEs have no information security policies in place to protect their company data. If you are part of this 29% of vulnerable organisations, your business must consider implementing an information security management system that includes formalised information security policies.

Security policies and procedural documentation should be provided to employees at the beginning of their contract. It is also the employer's responsibility to ensure staff are educated on policy and notified of changes. If your business does not have any established security policies, including a staff education program, your company is at risk of data loss. In January, Prime Minister Malcolm Turnbull stated, in relation to new measures to protect Australian cyber security, that “awareness is the most important first step.”

Financial institutions, telecommunication companies, hospitals, health centres, and governmental bodies, or any other businesses that are required to protect sensitive or personal data, must address information security with the utmost importance. However, even the retail industry holds large customer databases, which can cause irreversible damage if leaked. Attention needs to be devoted to information security risks within the office, and proactive protection often begins with your employees.

You Do Not Train Your Staff On Cyber Security

In February 2017, the Australian government announced that it would invest $1.9 million in universities that deliver specialised training in cyber security. Dan Tehan, a minister assisting the Prime Minister on cyber security, stated that, “Cyber security skills are fundamental to the success and growth of Australia's digital economy but like many other nations, Australia is suffering from a skills shortage in this field.”

 

Further to understanding company security policies, your staff must know how to respond during security breaches. Phishers and cyber criminals may target unprotected employees, obtaining personal and professional information through social media, email networks, and over the phone. Cyber security training will assist your staff in recognising covert security threats as they appear, and responding according to policy.

 

You Are Not Compliant With ISO 27001

The security responsibilities of businesses fall under one fundamental principle, which encompasses confidentiality, integrity, and availability. ISO 27001 is an internationally recognised standard designed to allow for the secure exchange of information, reduced exposure to security threats, and protection of your business from potential liabilities.

A company should be able to effectively address information confidentiality, integrity, and availability. These fundamentals protect information from unauthorised parties, prevent modification by unauthorised users, and securely permit access to legitimate users. Without an information security management system compliant with the ISO 27001 standard, businesses leave themselves vulnerable and may suffer legal, financial and reputational damages.

If you are concerned that your business is not adequately protected against costly data loss, get in touch with a Compliance Council consultant today to discuss your certification to ISO 27001.

To learn more about the data threats facing all Australian businesses, download your free copy of our Information Security Whitepaper below:

Information Security and Australian businesses
