As a business owner, managing risk is something you do every day. Cyber safety risks need to be talked about, identified and managed just like any other business risk.

To understand your cyber security weaknesses and the risks they pose to your business, you need to explore people and processes, as well as technology, and your legal and regulatory obligations.

You’ll need to understand what your risks and responsibilities are so you can make informed decisions about how to best manage your cyber security risks.

What are cyber safety risks?

A cyber safety risk is any threat to the confidentiality, integrity or availability of your business data. Threats targeting technology are only part of the story – your employees can be your biggest cyber security weakness. For example, it only takes one employee to click on a link in a single malicious email to open the door to cyber criminals. One human error could compromise the safety of your business.

How to identify the cyber safety risks to your business

Understanding the value of your business data is the first step to prioritising the data you need to protect and what your cyber safety risks are. Here are some questions to help you identify your cyber safety risks:

Consider WiFi, routers and switches, Virtual Private Networks (VPN), websites, social media platforms, printers, point of sale, manufacturing systems.

How to mitigate the cyber safety risks to your business

Over and above the business risks you’ve identified, there are a range of laws, obligations and regulatory requirements related to cyber safety that you need to comply with.

Your regulatory obligations when it comes to cyber safety

Depending on your industry and business structure, there is a range of cyber security regulatory obligations you may need to comply with.

For example, the Australian Securities and Investments Commission (ASIC) makes directors accountable for identifying and assessing cyber security risks. Depending on the magnitude of the business risk, cyber risks may affect directors' disclosure requirements to investors.

Your regulatory obligations may fall under the following authorities:

If you are unsure of your regulatory obligations when it comes to cyber safety risk mitigations, seek legal advice.

How to mitigate people and process risks

Cyber safety risk mitigation may include introducing the following.

Awareness campaigns: Introduce cyber safety awareness programs and campaigns targeted at management, all the way through to front line employees, partners, third parties and customers and train them on the cyber safety basics such as how to recognise spam and phishing messages.

Collaboration with industry peers: Collaborate and share cyber safety information with industry peers to keep on top of what is happening in the broader cyber threat landscape and any threats specific to your industry.

A cyber safety strategy: As a business, you need to balance business outcomes with risk when agreeing on a cyber safety strategy and the governance you put in place around your strategy. Your policies and governance processes need to allow for enough flexibility that your business can respond quickly to new threats.

Help direct employees to support: Put cyber security reporting processes and communications in place that direct employees to help and support.

Cyber safety accountabilities as part of contractual obligations: Include cyber safety accountabilities as obligations in all contractual agreements with employees and third party vendors.

Data protection controls processes and tools: Ensure your business has the right cyber security controls, processes and tools in place to protect your data. You can find out more in How to protect your data from cyber security threats.

A third party vendor cyber security checklist: Have a checklist of questions in place to ask of third party vendors to understand how they protect your business data.

Questions to consider:

  • What business risk mitigations do you have in place for cyber safety risks?
  • Do you have a business continuity plan in place?
  • How do you back up your data and where is your data stored?
  • How are cyber security threat incidents managed?
  • How and when will you notify me if you’ve suffered a breach?

Depending on the likelihood of a cyber security attack on your business, it may be worth your while to investigate cyber insurance. Cyber insurance is a policy that helps cover the financial consequences of losing your critical business data.

How to mitigate technology risks

A successful cyber attack on critical technology systems like your payroll, financial transfers, manufacturing or point of sale systems could stop your business from operating. You can find out more about how to mitigate technology risks in the article How to protect your data from cyber security threats.

For a prioritised list of practical actions business owners can take to make their technology systems more secure, take a look at the Australian Signals Directorate Essential Eight cyber safety risk mitigation strategies.

Helpful resources

Building employee awareness of cyber safety

When it comes to managing cyber safety risks and protecting your business your employees are your first line of defence.

How to protect your business from cyber security threats

Cyber threats don’t have to turn into cyber incidents with security controls in place.

Understanding the value of your business data

Protecting valuable business data from cyber crime is everyone’s business.

Safely storing your data

Your stored business data travels in and out of your network. What key controls can you put in place to ensure it’s safe?
