When any business or organisation falls victim to a cyber attack, there are enormous financial repercussions, as well as legal issues and a suitable dent in your public reputation as an organisation.
Australia's relative wealth, high levels of online traffic and large market of technology adoption make it an attractive target for cyber criminals. In 2014, 693,053 Australian organisations experienced a cyber attack, costing the Australian economy millions and driving thousands of businesses into the ground.
Now more than ever, senior executives are responsible for de-risking the organisation against cyber attacks, amongst other business risks. Organisations cannot afford to function in silos and cyber criminals don’t discriminate, pointing to a need for a more cohesive, overarching governance framework in organisations of all sizes.
But what does this mean in practical terms and how can businesses develop and implement an effective governance framework? The following considerations are key to the development of your governance framework:
Structure
your organisation located in one place or is it spread across multiple geographies? Is it a traditional hierarchical structure or a matrix management structure? The structure of your organisation has implications for your governance framework in terms of how you develop policies and accountabilities develop and deploy training, how you communicate, and importantly how the organisation responds in a crisis.
Beginning with the CEO and COO, all the way through the IT management and down to those who test, monitor and audit information systems, every part plays a key role in defining the company's security stance. A well-defined security chain of management aligned to the structure of your organisation is vital to protect your company against attack.
Policy Development and Review
Your security policies should be aligned to both your business objectives as well as how your organisation works. So for example, if you don’t have a policy and the infrastructure in place for BYOD, but your staff regularly access their emails on their personal smartphones, you’re leaving your company exposed on a variety of fronts.
Good governance plays an extremely important role in your organisation’s ability to adapt to both current needs and future challenges. The governance framework should therefore comprise regular audits of security policies, the implementation of technical controls, audits and assessments and driving awareness amongst employees. It should also create a plan for the future, focusing on deterring emerging threats, fast-moving changes in the technological landscape and developing policies around emerging technologies, such as mobile, cloud and social.
Make sure these are aligned to your business objectives and reviewed regularly, to ensure you’re remaining one step ahead of the cyber criminals. Also think beyond your internal stakeholders and consider how you will educate your customers on your policy. It is a great reassurance for customers to know that companies have their back and that they are guarded against hijackings.
Proper Training
Your staff are your number one asset, but uninformed, they are also your biggest risk. Ensuring they are well informed and trained in recognising potential threats such as socially engineered emails could be the difference between an attack and successfully protecting your organisation. Providing regular training so your employees at all levels understand the risks of spear phishing and opening untrustworthy documents is integral to protecting the company, as well as themselves. Organisations should be focused on awareness and education programs, demonstrating the likelihood and potential consequences of an attack. Vigilance is key.
Rapid Response Procedures
It’s one thing to get everyone in the room and train them on the dangers and telltale signs to look out for, but cyber criminal networks are extremely fluid, changing their patterns and tactics almost daily to break through defences and wreak havoc.
Companies and their executives need to develop a cyber continuum, whether internally or with a security provider, of tested processes that enable it to respond appropriately to incidents of all sizes, including those which escalate and threaten the survival of the organisation itself.
Cyber criminals are getting smarter and their attacks more aggressively targeted, so it’s past time that business and organisations re-evaluated their cyber structure and recognise it’s time to change and adapt in order to survive.
Craig McDonald is the CEO and founder of MailGuard , a leading Australian technological innovator providing complete enterprise-grade protection against email and web security threats such as phishing and malware, spyware, viruses and spamKeep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.
