
As a business owner, managing risk is something you do every day. Online security risks need to be talked about, identified and managed just like any other business risk.

To understand your cyber security weaknesses and the risks they pose to your business, you need to explore people and processes, as well as technology, and your legal and regulatory obligations.

You’ll need to understand what your risks and responsibilities are so you can make informed decisions about how to best manage your cyber security risks.

What are cyber safety risks?

A cyber safety risk is any threat to the confidentiality, integrity or availability of your business data. Threats targeting technology are only part of the story – your employees can be your biggest cyber security weakness. For example, it only takes one employee to click on a link in a single malicious email to open the door to cyber criminals. One human error could compromise the safety of your business.

How to identify the cyber safety risks to your business

The first step to protecting your data is understanding its value. Then you can prioritise the data you need to protect and identify your online security risks. Here are some questions to help you begin this process:
Over and above the business risks you’ve identified, there are a range of laws, obligations and regulatory requirements related to cyber safety that you need to comply with.

Your regulatory obligations when it comes to cyber safety

Depending on your industry and business structure, there is a range of cyber security regulatory obligations you may need to comply with.

For example, the Australian Securities and Investments Commission (ASIC) makes directors accountable for identifying and assessing cyber security risks. Depending on the magnitude of the business risk, cyber risks may also affect directors' disclosure requirements to investors.

Your regulatory obligations may fall under the following authorities:

If you are unsure of your regulatory obligations when it comes to cyber safety risk mitigations, seek legal advice.

How to mitigate people and process risks

Cyber safety risk mitigation may include introducing the following.

Awareness campaigns: Introduce cyber safety awareness programs and campaigns aimed at everyone from management through to front line employees, partners, third parties and customers. Train them in the cyber safety basics, such as how to recognise spam and phishing messages.

Collaboration with industry peers: Collaborate and share cyber safety information with industry peers to keep on top of what is happening in the broader landscape and any threats specific to your industry.

A cyber safety strategy: As a business, you need to balance business outcomes with risk when agreeing on a cyber safety strategy and the governance you put in place around your strategy. Your policies and governance processes need to allow for enough flexibility that your business can respond quickly to new threats.

Help direct employees to support: Put cyber security reporting processes and communications in place that direct employees to help and support.

Cyber safety accountabilities as part of contractual obligations: Include cyber safety accountabilities as obligations in all contractual agreements with employees and third-party vendors.

Data protection controls processes and tools: Ensure your business has the right cyber security controls, processes and tools in place to protect your data. You can find out more in How to protect your data from cyber security threats.

A third-party vendor cyber security checklist: Have a checklist of questions in place to ask third-party vendors, so you understand how they protect your business data.

Questions to consider:

  • What business risk mitigations do you have in place for cyber safety risks?
  • Do you have a business continuity plan in place?
  • How do you back up your data and where is your data stored?
  • How are cyber security threat incidents managed?
  • How and when will you notify me if you’ve suffered a breach?

Depending on the likelihood of a cyber security attack on your business, it may be worth your while to investigate cyber insurance. Cyber insurance is a policy that helps you recover from the financial consequences of losing your critical business data.

How to mitigate technology risks

A successful cyber attack on critical technology systems like your payroll, financial transfers, manufacturing or point of sale systems could stop your business from operating. You can find out more about how to mitigate technology risks in the article How to protect your data from cyber security threats.

For a prioritised list of practical actions business owners can take to make their technology systems more secure, take a look at the Australian Signals Directorate Essential Eight cyber safety risk mitigation strategies.

Helpful resources

Building employee awareness of cyber safety

Empower your employees to help manage your online security risks

How to protect your business from online security threats

Online threats don’t have to turn into crimes with security controls in place.

Understanding the value of your business data

Protecting valuable business data from cyber crime is everyone’s business.

Safely storing your data

Your stored business data travels in and out of your network. What key controls can you put in place to ensure it’s safe?