Entrepreneurs have to consider a range of matters when starting a new business, from finding suitable premises to recruiting staff. You may find it challenging at times to keep up with everything as you try to get it all settled. Whatever else you are doing, one thing you should not overlook is cybersecurity.
Cybersecurity and the integrity of your data and systems are among the most important issues facing business today, and a major threat to your business's survival. Studies have found that 60% of small businesses in the US hit by a cyberattack go out of business within six months. Considering that almost half of these attacks target small and medium-sized companies, that is a troubling statistic.
Many businesses view cybersecurity as an optional add-on. Maybe you think you won't be a target until your company grows, or that built-in protections are good enough. But cybersecurity is essential to any company's success, so you should take it seriously. It is important for everyone in the business to understand that cybersecurity is not just the information technology (IT) department's responsibility, and emphasis should be placed on building a culture of vigilance and awareness of cyber risks, or 'cybersecurity management', through all levels of the organisation.
The following is a “start-up guide” to cybersecurity management and sets out 10 key elements of cybersecurity management.
The key elements of cybersecurity management:
There are 10 key steps in implementing a cybersecurity management plan:
1. Understand your information assets and risks
Undertake an audit of your IT assets (hardware, software, cloud services and the data they hold) so that risks can be assessed against a known inventory rather than guesswork. Consider also conducting a privacy audit to record what personal information your organisation collects, why it is collected, where it is stored and who can access it. Personal information is regulated by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs), possibly by state or territory laws, and potentially by laws in foreign jurisdictions such as the European General Data Protection Regulation (GDPR) if you deal with people located there.
2. Undertake a risk assessment
If necessary, bring external professionals into the business to undertake a risk assessment, which encompasses:
- defining and prioritising cyber risks;
- performing the assessment and managing its results; and
- protecting the resulting risk assessment reports, which are themselves sensitive because they describe your weaknesses.
This will help your business identify steps to be taken in the immediate, short and longer term to mitigate any risks posed by cyberthreats and attacks.
3. Identify your legal obligations
An audit or review of your business activities and services should be completed to identify the legal obligations which arise. This could include activities where your business:
- collects or uses personal information of customers, employees or others;
- offers securities or trades as a publicly listed company; or
- accepts payment cards (credit or debit cards), which typically also brings contractual obligations under the Payment Card Industry Data Security Standard (PCI DSS).
Where these activities are undertaken, it is important to ensure that your business complies with the applicable laws, regulations and industry standards. Failure to do so can result in prosecution, disruption to your business and sizeable fines being imposed.
4. Involve senior management and the board of directors
Directors and senior management of your business must prioritise cybersecurity issues. Key things you can do to ensure this happens include:
- appointing directors with an understanding of and experience with cybersecurity, including responding to data breaches and other cyber incidents;
- hiring a chief information officer (CIO), chief information security officer (CISO) or chief privacy officer (CPO), or otherwise assigning clear responsibility for information security to an appropriately qualified and experienced professional;
- assessing and actively managing cybersecurity risks;
- championing employee engagement with the organisation’s information security policy; and
- developing and testing a cyber incident response plan.
5. Develop and enforce an information security policy
A comprehensive information security policy helps managers and employees understand permissible activities and the steps which should be taken (or not taken) to safeguard confidential material, technology and information assets.
The information security policy should:
- open with a foundational statement which identifies information security as a core organisational value and defines the policy's scope;
- define the data categories used to assign risk and protection levels;
- set standards for the use of information assets, including access control and acceptable use;
- identify the ways in which the organisation protects and manages its information assets;
- provide guidance on cyber incident handling;
- state the organisation's position on information security issues and its limits when working with external parties; and
- formalise the organisation's risk management and compliance programs.
6. Implement a cybersecurity training program
Employees are a frequent cause of data breaches, whether through error, poor handling of their accounts and passwords, or failing to recognise an attack, and the resulting risks leave organisations open to compromise.
To address this, training programs should be developed that:
- build awareness of cybersecurity risks and threats;
- explain your information security policy in simple terms;
- mandate that employees comply with the policy and are individually accountable for the information assets they access and use, including their user accounts and passwords;
- provide employees with resources and expert help to avoid creating unnecessary risks;
- help employees understand how to recognise and report suspected cyber attacks, data breaches and other cyber incidents; and
- offer tailored training for staff that handle personal information or other data that is subject to specific laws and regulations.
7. Limit access to systems
Even the most robust cybersecurity program may still experience data breaches and other cyber incidents, so access to systems and data should be limited to what each role genuinely needs, granted for only as long as it is needed, and removed promptly when a person or relationship leaves. These risks are compounded where access to networks and systems is provided to external parties, such as suppliers or other service providers, since such third parties may themselves have been compromised and their access then becomes the attacker's.
To mitigate these risks, implement cybersecurity measures which manage supplier risks throughout the relationship, from onboarding to termination. Actively assess supplier capabilities and compliance programs through measures such as supplier assessment questionnaires, independent assessments and certifications, and contractual requirements to notify you of incidents affecting your data.
8. Develop and test a cyber incident response plan
Every incident presents different facts and circumstances, making it difficult for organisations to prepare for every type of event. However, organisations which develop and implement a cybersecurity incident response plan (CIRP) benefit from a standard framework that helps them prepare for and effectively handle cyber incidents, rather than improvising under pressure.
Steps in developing a CIRP include:
- identifying legal obligations and other obligations that may affect the CIRP;
- determining the CIRP’s scope;
- establishing accountability for the CIRP and related activities;
- forming a cybersecurity incident response team (CIRT);
- identifying and, if necessary, contracting with key external resources, including supplier or service provider representatives if the organisation outsources IT or data handling functions;
- defining incident response procedures;
- providing CIRP training and testing activities; and
- committing to periodically review and, if needed, update the CIRP.
9. Source and take out cyber insurance
Traditional commercial general liability insurance often excludes coverage for the substantial losses that can result from a data breach or other cyber incident.
For comprehensive coverage, managers should ensure that the insurance policy covers:
- costs associated with data theft, destruction and restoration;
- denial-of-service (DoS) attacks;
- forensic investigations and cybersecurity audits;
- business interruption;
- regulatory fines and penalties, noting that some policies exclude or cap these and that fines are not insurable in every jurisdiction;
- litigation costs, awards of damages and related expenses;
- public relations consultancy and associated costs; and
- liability for third-party damages and expenses, including those experienced by customers.
Read the exclusions and any conditions (such as minimum security controls the insurer expects you to maintain) as closely as the cover itself, since a claim can be refused where those conditions were not met.
10. Maintain awareness of government initiatives to combat cyber crime
Various Australian government initiatives exist to combat cyber threats, which among other things, allow for the sharing of real time public and private cyber threat information through joint threat sharing centres.
Australian government initiatives include:
- the Australian Cyber Security Centre (ACSC), which acts as a hub for private and public sector collaboration and information sharing to combat cybersecurity threats;
- ReportCyber (formerly, the Australian Cybercrime Online Reporting Network (ACORN)), a national policing initiative of the Commonwealth and state governments that allows individuals to report cyber-crime; and
- the Australian Internet Security Initiative, which provides daily email reports to internet providers identifying IP (Internet Protocol) addresses on their networks which are infected by malware or potentially vulnerable to malicious exploits.
Things to remember:
As identified previously, awareness of cyber risks and having a cybersecurity management plan are critical to business survival. 88% of US small business owners feel they are vulnerable to cybercrime. While you may feel that your options are limited when first starting out, that is no reason not to reduce risk where you can. It is always prudent to set aside a portion of your budget for cybersecurity and to scale it up when you can. The costs and disruption of dealing with a cybersecurity breach are likely to far outweigh the limited time and expense of thinking about, and putting in place, appropriate measures to address these risks.
For more assistance, or guidance around cybersecurity, and implementing a cybersecurity management plan, contact the experienced team at Biztech Lawyers.