High-profile cyber attacks over the past 12 months – the Census and the Bureau of Meteorology are two examples – have company directors scrambling to tighten up their IT security strategies.
Many are now wondering if their cyber resilience policies and procedures are effective enough in a global environment where attacks are more complex than ever. Directors also question how they will respond after an attack to lessen the financial and reputational impact on their organisations.
When creating a cyber security strategy, it’s important to establish a common language so everyone understands the technical issues being discussed.
Cyber security is a term often used synonymously with information security and business continuity and is generally seen purely as an information technology issue rather than a corporate risk issue. The truth is it is both.
The diagram below provides an easy way to understand the relationship between cyber security, information and risk management and how information technology management and business continuity also support security risks.
So, what questions do company directors need to ask when assessing their organisation’s cyber resilience?
The following questions are a starting point recommended in a report by the body responsible for company regulation, the Australian Securities and Investments Commission (ASIC).
- Are cyber risks an integral part of the organisation’s risk management framework?
- How often is the cyber resilience program reviewed at the board level?
- What risk is posed by cyber threats to the organisation’s business?
- Does the board need further expertise to understand the risk?
- How can cyber risk be monitored and what escalation triggers should be adopted?
- What is the people strategy around cybersecurity?
- What is in place to protect critical information assets?
- What needs to occur in the event of a breach?
Many boards will find that management can only partially answer the above questions. To address this problem, a range of cyber security frameworks have been developed to assist with the communication between the board and management and to focus discussion only on areas which need attention.
Is your organisation cyber resilient?
Several different frameworks are available to assist management in addressing this question. All the reputable frameworks have similar elements and give similar outcomes if applied correctly; however, some are more expensive and complex than others to implement.
In Australia, a commonly used framework is ISO 27000, an international standard against which organisations can be certified as compliant. Certification is a costly process and does not necessarily improve outcomes, so many organisations will use this framework but not become certified.
However, one of the most commonly used frameworks internationally is the Cyber Security Framework (CSF) developed by the US National Institute of Standards and Technology (NIST). This framework is free and can be downloaded and used by any organisation.