How to mitigate the cyber safety risks to your business
Over and above the business risks you’ve identified, there are a range of laws, obligations and regulatory requirements related to cyber safety that you need to comply with.
Your regulatory obligations when it comes to cyber safety
Depending on your industry and business structure, there is a range of cyber security regulatory obligations you may need to comply with.
For example, the Australian Securities and Investments Commission (ASIC) holds directors accountable for identifying and assessing cyber security risks. Depending on the magnitude of the business risk, cyber risks may also affect directors' disclosure requirements to investors.
Your regulatory obligations may fall under the following authorities:
If you are unsure of your regulatory obligations when it comes to cyber safety risk mitigations, seek legal advice.
How to mitigate people and process risks
Cyber safety risk mitigation may include introducing the following.
Awareness campaigns: Introduce cyber safety awareness programs and campaigns targeted at everyone from management through to front-line employees, partners, third parties and customers, and train them in cyber safety basics such as how to recognise spam and phishing messages.
Collaboration with industry peers: Collaborate and share cyber safety information with industry peers to keep on top of what is happening in the broader cyber threat landscape and any threats specific to your industry.
A cyber safety strategy: As a business, you need to balance business outcomes with risk when agreeing on a cyber safety strategy and the governance you put in place around your strategy. Your policies and governance processes need to allow for enough flexibility that your business can respond quickly to new threats.
Help direct employees to support: Put cyber security reporting processes and communications in place so employees know where to report a suspected incident and how to get help and support.
Cyber safety accountabilities as part of contractual obligations: Include cyber safety accountabilities as obligations in all contractual agreements with employees and third party vendors.
Data protection controls, processes and tools: Ensure your business has the right cyber security controls, processes and tools in place to protect your data. You can find out more in How to protect your data from cyber security threats.
A third party vendor cyber security checklist: Have a checklist of questions in place to ask of third party vendors to understand how they protect your business data.
Questions to consider:
- What business risk mitigations do you have in place for cyber safety risks?
- Do you have a business continuity plan in place?
- How do you back-up your data and where is your data stored?
- How are cyber security threat incidents managed?
- How and when will you notify us if you’ve suffered a breach?
Depending on the likelihood of a cyber security attack on your business, it may be worth your while to investigate cyber insurance. Cyber insurance is a policy that helps you recover from the financial consequences of losing your critical business data.
How to mitigate technology risks
A successful cyber attack on critical technology systems like your payroll, financial transfers, manufacturing or point of sale systems could stop your business from operating. You can find out more about how to mitigate technology risks in the article How to protect your data from cyber security threats.
For a prioritised list of practical actions business owners can take to make their technology systems more secure, take a look at the Australian Signals Directorate's Essential Eight cyber safety risk mitigation strategies.