
    The responsibilities of directors for cybersecurity oversight at small businesses and NFPs are just as great as at any other organisation.


    AICD and the Australian Information Security Association (AISA) have launched a new short, practical and pragmatic publication for directors and those involved in the cybersecurity governance of small businesses and not-for-profits.

    AISA has been a long-standing partner of AICD, and this resource provides practical guidance for members and the broader governance community in Australia on how to build cyber resilience and tackle this ever-present threat.

    The cyber-threat environment for Australian businesses has seen a 23 per cent increase in the number of crimes reported, according to the latest data from the Australian Signals Directorate (ASD). Email compromise and online banking fraud are the two most prevalent threats. 

    The role of a director at an SME or NFP can often be more hands-on because they might be an owner, manager or a volunteer who is also on the board. This can increase the challenges and complexity faced by these directors, said Simon Mitchell, AICD senior policy adviser, during a webinar held on 26 June 2024. 

    However, the core duties of a director apply regardless and include the duty to act with care and diligence, the duty to act in good faith and in the best interests of the organisation, and a reliance on information and advice provided by others. 

    Regulatory obligations relevant to cybersecurity include the Corporations Act 2001 and ACNC Governance Standards, the Security of Critical Infrastructure Act 2018, and the Privacy Act 1988. However, there is a small business exemption for the application of the Privacy Act, which means that most businesses with a turnover of less than $3 million a year are not covered by its obligations.

    Low-cost controls

    Often, SMEs and NFPs have limited resources, no dedicated IT staff and no access to external expertise. But the data they hold can be highly sensitive. A poll taken during the webinar found that participants rated a breach of sensitive information to be the highest concern for their organisation.

    Panellist Scarlett McDermott, founder and principal of Longitude Advisory, said implementing low-cost measures, such as a password management tool, and talking about strong password practices with staff were good first steps for organisations to take.

    Dominic Schipano, national executive officer at CITT, said multifactor authentication was essential and that checking the company’s website and how it is set up was also very important.

    Akash Mittal GAICD, chair of the Australian Information Security Association (AISA), said staff training was the first line of defence to spot and stop a threat, and engaging with staff would help to keep the business resilient.

    “The human element is often where vulnerabilities emerge, but it can also be the greatest strength, with appropriate support and training,” agreed Mitchell.

    Protect what matters most

    SMEs and NFPs can often fall victim to debilitating cyber failures because they rely on a single system for business operations. Understand what data is being collected and what threat it might bring, said Mittal. If data is no longer required by the organisation, then don’t hold it, he said — and ensure there is information security in place.

    The panel highlighted the need to make sure systems are being backed up and that the back-up is working properly. Be proactive in managing third-party risk.

    In a poll taken during the webinar, asking what controls should be in place for managing third-party risks, 81 per cent of participants backed the need for clearly defined responsibilities of each party in the event of a security incident.

    Be prepared

    The panel agreed that it was not a matter of “if” a cyber incident would occur, but “when”, and the clear message was to be prepared for it.

    “Having planned your response, having strong business continuity plans in place, having strong disaster recovery plans in place, that is something you can control in this world of unknowns, particularly in terms of third parties,” said McDermott. “It’s really important not just to write a policy about that, which is quite a cheap thing to put in place, but also to do tabletop exercises. Get the board together, or get the senior leadership team together, and actually walk through what you would do if all of a sudden, one or more of your vendors were completely offline,” she added. “Actually work through the challenges that you would face and make sure that your staff are given the opportunity to discuss if that action would work. Engage some of your frontline staff, because they know where those problems are going to show up.”

    The enemy of a good cybersecurity culture is staff who are afraid of the consequences, continued McDermott. “Trust is a core element of a strong cybersecurity culture. So help people to have control over what they need to do, make sure they know what they need to do and that they’re not scared to tell you if something’s gone wrong.”

    Mitchell said a response plan needed to focus on how to minimise damage, communicate effectively and reduce recovery time and costs.

    Almost a third of webinar participants said they felt their organisations needed to improve their incident response management, while 20 per cent said they needed to improve cybersecurity awareness. Almost 20 per cent said they felt they needed to improve their third-party risk management.

    This is an edited version of the discussion from the AICD webinar held 26 June 2024. The full recording can be accessed here until 14 July 2025.
