As a business owner, managing risk is something you do every day. Online security risks need to be talked about, identified and managed just like any other business risk.
To understand your cyber security weaknesses and the risks they pose to your business, you need to explore people and processes, as well as technology, and your legal and regulatory obligations.
You’ll need to understand what your risks and responsibilities are so you can make informed decisions about how to best manage your cyber security risks.
What are cyber safety risks?
A cyber safety risk is any threat to the confidentiality, integrity or availability of your business data. Threats targeting technology are only part of the story – your employees can be your biggest cyber security weakness. For example, it only takes one employee to click on a link in a single malicious email to open the door to cyber criminals. One human error could compromise the safety of your business.
How to identify the cyber safety risks to your business
The first step to protecting your data is understanding its value. Then you can prioritise the data you need to protect and identify your online security risks. Here are some questions to help you begin this process:
- Competitors, crime syndicates and opportunistic criminals. But also consider employees and business partners: insider threats can range from malicious intentions to ignorance or simply human error.
- Employees, third-party suppliers and service providers to your business (third-party risks), such as your accountant or IT service provider (and their associates, i.e. fourth-party risks), government authorities, internet cloud services and software providers.
- Consider where your data is stored and how it is accessed, such as computers, mobile phones and internet devices, USBs, printers, web mail, email and file transfer programs; who it's shared with and how they store and secure it. Also consider identity and access management (such as two-factor authentication, passwords and soft tokens).
- Consider WiFi, routers and switches, Virtual Private Networks (VPN), websites, social media platforms, printers, point of sale and manufacturing systems.
How to reduce cyber safety risks to your business
Over and above the business risks you’ve identified, there are a range of laws, obligations and regulatory requirements related to cyber safety that you need to comply with.
Your regulatory obligations when it comes to cyber safety
Depending on your industry and business structure, there is a range of cyber security regulatory obligations you may need to comply with.
For example, the Australian Securities and Investments Commission (ASIC) makes directors accountable for identifying and assessing cyber security risks. Depending on the magnitude of the business risk, cyber risks may affect directors' disclosure requirements to investors.
Your regulatory obligations may fall under the following authorities:
- Australian Securities and Investments Commission (ASIC): explore the Cyber Resilience website page.
- Australian Prudential Regulation Authority (APRA): explore the Management of IT Security Risk website page.
- Payment Card Industry (PCI) Data Security Standard (DSS): explore the PCI Security Standards.
- Office of the Australian Information Commissioner: explore the Guide to securing personal information.
If you are unsure of your regulatory obligations when it comes to cyber safety risk mitigations, seek legal advice.
How to mitigate people and process risks
Cyber safety risk mitigation may include introducing the following.
Awareness campaigns: Introduce cyber safety awareness programs and campaigns targeted at management, all the way through to front line employees, partners, third parties and customers and train them on the cyber safety basics such as how to recognise spam and phishing messages.
Collaboration with industry peers: Collaborate and share cyber safety information with industry peers to keep on top of what is happening in the broader landscape and any threats specific to your industry.
A cyber safety strategy: As a business, you need to balance business outcomes with risk when agreeing on a cyber safety strategy and the governance you put in place around your strategy. Your policies and governance processes need to allow for enough flexibility that your business can respond quickly to new threats.
Help direct employees to support: Put cyber security reporting processes and communications in place that direct employees to help and support.
Cyber safety accountabilities as part of contractual obligations: Include cyber safety accountabilities as obligations in all contractual agreements with employees and third-party vendors.
Data protection controls processes and tools: Ensure your business has the right cyber security controls, processes and tools in place to protect your data. You can find out more in How to protect your data from cyber security threats.
A third-party vendor cyber security checklist: Have a checklist of questions in place to ask third-party vendors to understand how they protect your business data.
Questions to consider:
- What business risk mitigations do you have in place for cyber safety risks?
- Do you have a business continuity plan in place?
- How do you back up your data and where is your data stored?
- How are cyber security threat incidents managed?
- How and when will you notify me if you’ve suffered a breach?
Depending on the likelihood of a cyber security attack on your business, it may be worth your while to investigate cyber insurance. Cyber insurance is a policy to help you recover from the financial consequences of losing your critical business data.
How to mitigate technology risks
A successful cyber attack on critical technology systems like your payroll, financial transfers, manufacturing or point of sale systems could stop your business from operating. You can find out more about how to mitigate technology risks in the article How to protect your data from cyber security threats.
For a prioritised list of practical actions business owners can take to make their technology systems more secure, take a look at the Australian Cyber Security Centre Essential Eight cyber safety risk mitigation strategies.
How we can help
If you’re a NAB customer and you believe your business or personal accounts have been impacted by fraud or a scam, we’re here to help. Explore the immediate steps you can take to protect yourself and discover when you should get in touch with us to make a report.
IDCARE is Australia and New Zealand's not-for-profit counselling and support service set up to assist Australians impacted by identity theft and cyber-related crimes.
IDCARE can assist NAB customers to navigate through the process when identity details or credentials have been compromised through fraud or scams. IDCARE is a free service for all Australians.
Australian Government | Australian Cyber Security Centre (ACSC)
The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together in a single location. It’s the hub for private and public sector collaboration and information sharing to combat cyber security threats. ACSC provides topical, relevant and timely information on how home internet users and small businesses can protect themselves from, and reduce the risk of, cyber security threats such as software vulnerabilities, online scams, malicious activities and risky online behaviours.
Australian Government | ReportCyber
ReportCyber is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. The ReportCyber website provides a cybercrime reporting mechanism as well as helpful information about cybercrime.
Australian Competition and Consumer Commission | Scamwatch
Scamwatch provides information to consumers and small businesses about how to recognise, avoid and report scams using publications, videos and other online resources.
Australian Government | Office of the eSafety Commissioner
The Office of the eSafety Commissioner provides online safety education for Australian children and young people, a complaints service for young Australians who experience serious cyberbullying, and addresses illegal online content.
Australian Government | Attorney-General’s Department
The Attorney-General’s Department website provides helpful information and resources about your rights and protections in regard to identity security, freedom of information and cyber security. The Department has developed a range of resources to help people protect their identity and recover from the effects of identity crime.