According to its annual cyber threat report, the Australian Cyber Security Centre (ACSC) received 76,000 cybercrime reports in the last financial year. With significant and widely publicised data breaches such as Optus, Medibank, and The Smith Family, a new wave of cybercrime is on the scene.
This has prompted the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) to publish a set of governing principles. These principles are aimed at the Board of Directors, to help them play an active role in strengthening the organisation's cybersecurity and in managing cyber risk effectively.
As Australian customers share their private data with organisations, they expect that this information is protected. Thus, it is the responsibility of an organisation to ensure that information security and cyber security are prioritised. In times when data breaches by bad actors are a serious concern, protecting data needs alignment and collaboration between businesses, industry, and the government.
A very important part of strengthening the cybersecurity of an organisation is to build a risk-aware and risk-resilient culture. The Board can play a major role in building this culture, and the AICD cybersecurity governance principles are intended to support the Board in preparing for the myriad cyber threats it faces. The principles provide a framework for building cyber resilience in organisations of all sizes across different industries.
Below are the five cybersecurity governing principles.
These principles were developed after consultation with and feedback from government agencies, industry experts, cybersecurity professionals, regulators, and senior directors. They are designed to help directors and governance professionals understand cyber risk, take proactive measures to mitigate it, and be prepared to deal with a significant cybersecurity incident. Let's look at each principle in detail.
The first step towards cybersecurity is to establish a team in which each member has defined roles and responsibilities. With cybersecurity no longer only the IT team's job, all members of an organisation need to be made aware of their roles and responsibilities in managing cyber risk.
There should also be a clear line of management responsibility and communication at all levels. This should include board reporting, communication with senior leaders and decision-makers, and keeping track of emerging threats and trends in cybersecurity. The directors should ensure that their understanding of cyber risk management is up to date.
The AICD encourages directors to seek expert advice when setting clear roles and responsibilities and when identifying areas for improvement.
There needs to be a well-documented cyber strategy overseen by the Board and implemented by management and team members across the organisation. The strategy should proactively address risk and evolve as the risk landscape evolves. The aim is to evaluate the strategy regularly and improve cyber maturity over time. It should address the following points.
Cyber risk should be treated as an integral part of the business strategy and included in existing risk management practices. Just as the Board reviews business risk, it should review cyber risk and assess the effectiveness of the cyber controls. These reviews and assessments should keep pace with the changing threat landscape and with technological advancements that can affect the organisation's threat exposure.
The idea behind this governing principle is not to reduce cyber risk to zero but to protect the organisation effectively from risk and create a more secure environment. Most organisations outsource cybersecurity to managed security service providers (MSSPs); while engaging experts is a good idea, the Board should still be involved in the oversight of cyber risk management.
A cyber-resilient culture should begin with the Board and senior leaders and flow through the organisation. The key step towards cyber resilience is education and awareness for all end users and stakeholders through regular training, with specialised training programs for directors as well. Good cybersecurity practices should be promoted at all levels to encourage timely reporting, transparency, and awareness.
The other part of adopting this principle is to conduct regular tests and exercises that measure staff preparedness against cyber attacks, including simulated cyber attacks, phishing tests, and penetration testing.
An organisation should have a documented response plan for a significant cybersecurity incident. The response plan ensures that the organisation is in a position to respond appropriately and that all major stakeholders, including the Board, have a clear understanding of their roles and responsibilities.
The key elements of a response plan include:
Cyber attacks are expensive, with the cost of cybercrime in Australia estimated at about $1 billion per year. Cyber resilience is crucial to the survival of businesses, and the AICD cyber governing principles are a good starting point for directors to enforce robust cybersecurity measures.
While adopting a comprehensive cybersecurity framework can feel like a lot of work, AI and automation tools make it considerably easier. At 6clicks, we help you on your journey to build cyber resilience by automating your Information Security Management System (ISMS). With a Reporting and Analytics suite that supports data storytelling, insights, and collaborative dashboards, overseeing cybersecurity is quick and hassle-free.