The Cyber Security Handbook for Small Business and Not-for-Profit Directors, co-authored by the Australian Information Security Association (AISA) and the AICD, equips SME and NFP directors with strategies to fortify cyber resilience.
Cyber incidents can have a devastating impact on SMEs and NFPs. Many breaches occur because of issues that can be avoided with minimal cost or resource overhead.
The Cyber Security Handbook for Small Business and Not-for-Profit Directors provides guidance on how to address those issues.
Cyber Fundamentals 101
Directors are advised to begin by maintaining an inventory of all IT assets — hardware, software and cloud services — which is necessary for tracking and managing the organisation’s technology footprint.
A data stocktake should follow, giving visibility of the key data collected from the organisation’s stakeholders: where it is stored, who has access to it and how long it is retained. This is vital for understanding how significant each data set is and what the consequences of a breach would be.
Access controls are another cornerstone. The handbook recommends unique logins for every staff member and restricting administrative privileges to the personnel who genuinely need them. Protect logins with strong passwords and multifactor authentication (MFA). Authenticator apps are preferred over text-message codes, because SMS codes can be intercepted or redirected through a SIM swap. Note that codes from an authenticator app can still be captured by a convincing phishing page; where the risk warrants it, phishing-resistant MFA such as hardware security keys or passkeys is the stronger choice.
Keeping software and firmware up to date through automatic updates from trusted sources should be non-negotiable. Regular backups of critical systems and data should be in place, kept isolated from primary systems so that an attacker who compromises the network cannot also destroy the backups. Regularly confirming that backup copies can be accessed and restored will save you on a bad day.
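The restore test the handbook recommends can be turned into a routine check. The script below is an added example, not part of the handbook or of the article: make_backup packs a directory into a tar archive and records a SHA-256 manifest of its contents, and verify_restore unpacks that archive into a fresh scratch directory and checks every file against the manifest, so it fails if the copy is truncated, a file is missing or a file has been silently corrupted. The demo function builds a small constructed data set, backs it up, confirms the good copy restores cleanly and confirms that a truncated copy is rejected. It assumes POSIX sh plus GNU tar and coreutils (find -print0, sort -z, xargs -0, sha256sum); the directory layout and file contents are invented for the example.

```shell
#!/bin/sh
# Added example (not from the AISA/AICD handbook): a minimal backup restore test.
# Assumes POSIX sh plus GNU tar, find, sort, xargs and sha256sum.

set -u

# Absolute path of a (possibly relative) file name. Manifest paths must
# survive a cd into the scratch directory, so we resolve them up front.
abs_path() {
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

# make_backup SRC_DIR ARCHIVE
# Creates ARCHIVE from SRC_DIR and ARCHIVE.sha256 listing the hash of every
# regular file (paths relative to SRC_DIR, so they match after extraction).
make_backup() {
    src_dir="$1"
    archive=$(abs_path "$2")
    ( cd "$src_dir" && find . -type f -print0 | sort -z | xargs -0r sha256sum ) \
        > "$archive.sha256" || return 1
    tar -C "$src_dir" -cf "$archive" . || return 1
}

# verify_restore ARCHIVE
# Restores ARCHIVE into a scratch directory and confirms every file in the
# manifest is present with the expected hash. Returns 0 only if the restore
# is complete and intact; a truncated archive, a missing file or a corrupted
# file all make it return 1. The scratch directory is always removed.
verify_restore() {
    archive=$(abs_path "$1")
    scratch=$(mktemp -d) || return 1
    status=1
    if tar -C "$scratch" -xf "$archive" 2>/dev/null &&
       ( cd "$scratch" && sha256sum --status -c "$archive.sha256" ); then
        status=0
    fi
    rm -rf "$scratch"
    return "$status"
}

# demo
# Builds constructed sample data, backs it up, verifies the restore, then
# truncates a copy of the archive (simulating an incomplete or damaged backup)
# and checks that the restore test catches it. Returns 0 when both outcomes
# are as expected.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data/finance"
    printf 'donor list 2024\n' > "$work/data/donors.csv"         # constructed sample
    printf 'invoice 17 paid\n' > "$work/data/finance/ledger.txt" # constructed sample

    make_backup "$work/data" "$work/good.tar" || { rm -rf "$work"; return 1; }
    if verify_restore "$work/good.tar"; then good=0; else good=1; fi

    # Keep only the first three 512-byte blocks: at least one file's data is lost.
    dd if="$work/good.tar" of="$work/bad.tar" bs=512 count=3 2>/dev/null
    cp "$work/good.tar.sha256" "$work/bad.tar.sha256"
    if verify_restore "$work/bad.tar"; then bad=0; else bad=1; fi

    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

if demo; then
    echo "restore test: OK (good copy restored, truncated copy rejected)"
else
    echo "restore test: FAILED"
    exit 1
fi
```

In practice you would point make_backup at the real data directory, copy the archive and its manifest to the isolated backup location, and run verify_restore against the copy on a schedule; a restore test that only ever runs against the primary system tells you nothing about the copy you will actually need on a bad day.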
Training employees to recognise malicious emails and social engineering attempts is vital, alongside developing a robust cyber incident response plan. This should outline steps and contacts for swift and effective incident management.
These foundational practices will provide a robust framework for SMEs and NFPs to enhance their cybersecurity posture without excessive complexity or cost.
Cyber culture
Fostering a culture of cyber awareness requires proactive leadership, continuous education and leveraging external resources. This collectively enhances the ability to spot and stop potential cyber incidents, ensuring long-term operational stability and stakeholder trust.
Directors need to set the tone from the top and embed cyber resilience into the organisational ethos. Regular communication, testing and education are pivotal. Cyber awareness should be an enduring commitment.
Key practices for promoting a cyber-resilient culture include mandatory training and phishing tests for all employees and volunteers. Appointing a cybersecurity leader within the organisation ensures strong cyber practices are consistently promoted and staff have a dedicated point of contact for cybersecurity queries. Subscribing to cybersecurity alert services, such as those provided by the Australian Signals Directorate, keeps the organisation informed about emerging threats.
Training content should be educational and engaging to effectively alter employee behaviour towards cyber threats. This shift can transform the weakest link (employees) into a robust line of defence against cyberattacks. Training should cover recognising phishing attempts, safe browsing practices and reporting suspicious activities.
External resources and industry initiatives, such as the COSBOA Cyber Wardens program, offer valuable training to enhance preparedness and response capabilities, and help SMEs and NFPs stay abreast of the latest threats and best practices.
Risk management
SMEs and NFPs should adopt a comprehensive risk management approach to safeguard operations. Cyber risk is an operational risk that can be integrated into existing risk management frameworks. The key is to implement accessible, low-cost controls tailored to an organisation’s capabilities and threat landscape.
Documenting internal policies and processes is important. Outline practices to secure IT assets and data, ensuring staff are aware of safe, acceptable usage. Clear responsibilities and effective reporting mechanisms enable informed decision-making on risk, strategy and incident response.
Third-party risk management is necessary. SMEs should oversee their interactions with vendors and service providers to ensure they meet the organisation’s cybersecurity expectations. The board should ensure that key agreements include limits on system access, confidentiality clauses and provisions for data retention and recovery.
The handbook also highlights safeguarding critical data: understanding how data flows through the organisation and securing it both in storage and in transit. Encryption and access controls, together with monitoring for suspicious activity, strengthen data protection.
Incident response
Effective incident response planning is a strategic necessity for SMEs and NFPs. The guiding principle is simple — preparation is paramount.
A comprehensive cyber incident response plan (CIRP) is fundamental. This should outline responsibilities, detailing who manages incidents and what resources are required. Identify personnel who can act swiftly and competently. A contact list including legal counsel, forensic experts and communication specialists is recommended for a coordinated response.
The CIRP should include clear communication strategies, which help to mitigate damage and maintain trust. The plan should prioritise the restoration of critical systems, specifying the order of recovery and necessary timeframe.
Regular testing and updating of the CIRP, such as scenario planning and mock exercises, ensure the response team remains adept and the plan stays relevant amidst evolving threats.
Post-incident reviews are also critical. These reviews facilitate learning from each incident, enabling organisations to refine their strategies and enhance resilience. They also help to rebuild the organisation’s reputation by demonstrating a commitment to continuous improvement.
A well-crafted, regularly tested CIRP ensures SMEs and NFPs are proactively managing cyber incidents and limiting their impact, thus safeguarding operational integrity and stakeholder confidence.
This article first appeared under the headline 'Cybersecurity Handbook’ in the August 2024 issue of Company Director magazine.