PFS Consulting

How to manage your cyber risk

Australian organisations have traditionally been a little behind their global counterparts in the uptake of cybersecurity measures, with CIO magazine reporting that 85 per cent of Australian businesses have suffered a data breach. This is significantly above the global average of 60 per cent. 

However, the introduction of the Notifiable Data Breaches (NDB) scheme, as well as Europe's General Data Protection Regulation, means Australian companies are starting to put much more effort into ensuring they are cybersecure. 

How can you defend your business from cyber threats?

1) Create a cybersecurity culture

Creating a culture of cybersecurity, one that permeates all levels of your organisation, is the number one thing you can do to protect your business from cyber threats. The most recent Office of the Australian Information Commissioner (OAIC) report indicates that since the NDB came into effect in February, 63 data breaches have already occurred, with nearly half (46 per cent) happening due to human error.

As the report indicates, "the importance of implementing robust privacy governance alongside a high-standard of security" is clear. 

In fact, data from IBM suggests 95 per cent of attacks involve human error at least to some extent, showing that even if you have the most expensive cybersecurity technology in place, you are still left open to attack if your employees aren't cyber aware.

Create a comprehensive process document that details all the steps employees must take if they suspect a breach or see a suspicious email. Make this a key point in induction training, and send regular updates when potential attacks or phishing scams have been discovered, so that staff know exactly what to look for.

Cybersecurity training shouldn't be too theoretical – it's hard to understand the exact coding behind hacking, and it's better to ground it in examples of what a breach might look like and how attacks could affect employees' everyday work.

Ensure training highlights cybersecurity in practical, everyday aspects, instead of focusing on the more theoretical parts like coding.Ensure training highlights cybersecurity in practical, everyday aspects, instead of focusing on the more theoretical parts like coding.

2) Conduct regular risk assessments

You also need to conduct a risk assessment of your whole organisation – including processes and systems – to pinpoint vulnerabilities and identify areas for improvement. This should take into account your key assets and any critical information that you hold.

Customer data should be first and foremost on this list – it's among the most important information you can hold, and it is your duty to ensure it's kept secure. This is especially the case now the NDB has made it compulsory to report data breaches for many entities operating in Australia. 

The problem is, in the digital age, it's possible to collect so much information (almost everything is recorded) that we often aren't aware of exactly what data we hold. So a key part of this risk assessment stage should be finding out the precise nature of the information you have, where it is located, and how many security measures are currently in place to protect it. 

As with any risk assessment, you should take into account potential issues as well as current ones, and also bear in mind your future growth strategy and tech needs. 

3) Update your systems regularly

Finally, it's essential to install updates as soon as they become available. The famous WannaCry ransomware attack spread because of a vulnerability that exists in pretty much every modern version of Windows. It was a vulnerability that Microsoft had issued a patch for a whole two months before the attack, and it was those that didn't install it on their systems that fell victim, including the English National Health Service and the Cadbury factory in Hobart. 

Risk management is an integral part of what the team here at PFS Consulting does. We'll conduct a range of tailored services to ensure your business is as secure as it can be, not just from cyber threats but from all organisational risks.

To hear more, reach out today.