Cybersecurity resources for boards
Recent cyber breaches at firms such as Medibank and Optus serve as a reminder of the importance of cybersecurity and the need for businesses to take precautions against such threats. These incidents highlight the importance of firms regularly updating and maintaining their cybersecurity systems and protocols, carefully monitoring their networks for indicators of a prospective attack, and having a plan in place for responding to and limiting the effects of a cyber attack.
Cybersecurity in Modern Organisations
Cybersecurity is concerned with protecting computer systems and their components, such as hardware, software, and data, from attack, unauthorised access, damage, or being rendered useless in any other way. Because cyberattacks can target data centres, websites, applications, servers, or accounts, cybersecurity is now an integral component of IT governance.
Do boards need to be aware of all potential cyber risks?
Boards cannot claim a lack of awareness of the risk to their organisations, given the frequency with which data breaches and cyberattacks are revealed. Directors must therefore have a broad understanding of cybersecurity risk and what it means for their oversight responsibilities, as cybersecurity has evolved into a risk that must be addressed as part of a larger enterprise-wide risk management framework rather than as a distinct issue.
Cyber recommendations and resources in Australia
Security measures such as two-factor authentication, frequent employee training on cybersecurity best practices, and the use of secure networks and encryption technologies should be considered by businesses. Companies can better protect themselves against the growing threat of cyber attacks by implementing these and other precautions. The following are some useful resources for dealing with cybercrime:
The Australian Cyber Security Centre (ACSC) Information Security Manual
The Information Security Manual (ISM) is produced by the Australian Cyber Security Centre (ACSC). The ISM's goal is to lay out a cyber security framework that organisations may use in conjunction with their risk management framework to secure their systems and data from cyber threats. The ACSC provides a variety of resources for small, medium, and large organisations, including helpful suggestions, recommendations, and assessment tools.
ASIC Cyber Resilience Resource
ASIC provides an outline of cyber resilience good practices, including (a) key questions for an organisation's board of directors, (b) reports, speeches and articles, and (c) a list of recommended processes covering:
Cybersecurity governance and strategy
Cyber risk management and threat assessment
Collaboration and information sharing
Asset management
Protective measures and controls
Detection systems and processes
Response and recovery planning
ISO Standards - ISO/IEC 27001
ISO standards can be used by businesses of all sizes and sectors to manage the security of assets such as financial information, intellectual property, employee data, and third-party information. ISO/IEC 27001 is the most widely recognised international standard for information security management systems (ISMS) and their requirements. More than a dozen ISO/IEC 27000 standards offer further best practices in data protection and cyber resilience.
APRA Prudential Practice Guide - CPG 234 Information Security
The guidance in APRA CPG 234 is intended to provide direction to the boards, senior management, risk management functions, and information security specialists of APRA-regulated organisations.
TGA Cyber Security Guidance
The TGA provides guidance to manufacturers and sponsors on the cyber security of medical devices that have software or electronic components. This addresses the hazards associated with the connectivity and digitisation of medical device technologies, which may be vulnerable to increased cyber attacks, potentially resulting in increased patient harm (for example, denial of service, device modification resulting in patient injury, loss of privacy, or alteration of personal health data).