According to the annual cyber threat report of the Australian Cyber Security Centre (ACSC), cybercrime reports in Australia reached 76,000 in the last financial year, highlighting the need for improved cybersecurity. To address this issue, the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) have developed five governance security principles for boards of directors. These principles aim to enhance an organization's cybersecurity and foster effective cybersecurity practices.
1. Set clear roles and responsibilities
Establishing a dedicated team with defined roles and responsibilities is crucial for effective cybersecurity. All members of the organization should be made aware of their roles in managing cyber risk, as cybersecurity is no longer solely the responsibility of the IT team. Clear lines of management responsibility and communication at all levels, including board reporting, are essential. Directors should continuously update their understanding of cyber risk management and seek expert advice when necessary.
2. Develop, implement, and evolve a comprehensive cyber security strategy
Organizations must develop a well-documented cyber security strategy overseen by the Board and implemented by management and team members. This strategy should proactively address risks and evolve as the risk landscape changes. Key elements to consider include protecting digital assets and data, managing third-party and supply chain risks, and establishing frameworks for storing, protecting, and destroying sensitive data.
3. Embed cyber security in existing risk management practices
Cyber risk should be integrated into the organization's overall risk management practices. Regular board reviews and assessments of cyber risk and controls should align with evolving threat landscapes and technological advancements. While engaging experts such as Managed Security Service Providers (MSSPs) is beneficial, the Board should still oversee cyber risk management.
4. Promote a culture of cyber resilience
A culture of cyber resilience should be cultivated starting from the Board and senior leaders and flowing throughout the organization. Education and awareness through regular training programs are essential for all end users and stakeholders, including directors. Good cybersecurity practices should be encouraged, promoting timely reporting, transparency, and awareness. Regular tests and exercises, such as simulated cyber attacks and phishing tests, should be conducted to assess staff preparedness.
5. Plan for a significant cyber security incident
Organizations should have a documented response plan in place for significant cybersecurity incidents. This plan ensures appropriate responses and clarifies the roles and responsibilities of major stakeholders, including the Board. Key elements of the plan include identifying responsible personnel, allocating necessary resources, triage and immediate response, containment and eradication strategies, communication channels, and recovery procedures.
Implementing these governance security principles is crucial as cyber-attacks cost Australian businesses an estimated $1 billion annually. Cyber resilience is vital for business sustainability, and the AICD's principles provide a starting point for directors to enforce robust cybersecurity measures. Leveraging AI and automation tools, such as the 6clicks Reporting and Analytics suite, can streamline the implementation of comprehensive cybersecurity frameworks, making cybersecurity oversight hassle-free and efficient.