Own your own security

Controlling cyber risk for your business

As a trained and experienced professional, you spend years learning your craft, and nobody expects you to also learn the crafts of all the specialists you depend on… except one: it turns out you ARE expected to be an expert on IT security, and if you are not, you might get fined and lose your reputation, your ability to earn a living, or your business. Not a comforting thought to wake up to one day.

In the last few years, governments around the world have ramped up their attention to cyber security, trying to stem the tide of attacks from other nations, businesses with no morals and, of course, the vast dedicated criminal element. The Australian government is on that bandwagon and has just signed a deal with Microsoft, which will invest $5 billion in Australia to improve cyber security infrastructure, training and strategy, with an emphasis on further developing AI technology.

That sounds great! We don’t have to worry anymore! Microsoft and AI to the rescue!

The big BUT

Whatever happens at the big end of town (governments, multinationals, bleeding-edge technology), the actual attacks occur at the intersection where the targets (your business, your staff) and the bad actors (cyber criminals, state-based perpetrators, intellectual property thieves) meet. National legislation and security investment are ineffectual unless the vast army of small businesses actually takes action. So it's you, at the coal face where the rubber hits the road, who has to OWN YOUR OWN SECURITY and make it happen for your business.

Governments and regulatory bodies are crystal clear on that point, and are ramping up fines, penalties, obligations and responsibilities for business owners and managers to make certain you are crystal clear too.

Some fines for you

Everyone knows that unless it hurts, most people treat rules casually and comply only when it is convenient. Hence the shifting ground: there is now a whole raft of opportunities to fine you if your company's security is inadequate. Here are a few circumstances in which a fine can apply to you:

  • There are complaints from your clients
  • You are running critical infrastructure
  • The security issue is a telecommunications breach (that includes sending spam)
  • There are repeated offences – two or more times
  • The security issue is a breach of the Australian Privacy Principles
  • Anything that exposes sensitive or personally identifiable data

Governments and regulatory bodies are holding businesses to account. Here are a few recent examples:

  • 2022 – new bill passed to fine companies up to $50 million for data breaches
  • 2022 – Federal court judgement fines Australian company $750 thousand
  • 2023 – Victorian civil case judgement $100,000 for privacy breaches

Here are the two MOST COMMON ways businesses fall short on security and risk, scoring fines, losing precious data, or losing the whole business:

1. Theft of work by staff, clients, supply chain partners and criminals

This is a horror story that happens all too often. The simple rule is: don't trust anyone. Do these things:

  • Your supply chain is a risk – get your contracts and theirs reviewed by an expert who understands both contracts and security.
  • Take control of your data – assume it is a target and design the environment for security (not for easy access). Get help with this.

2. Lack of understanding of the value of data

A comment I often hear is “our business doesn’t have high-value data”, or “we don’t have industrial secrets, therefore nobody would be interested in our data”.

These are not valid comments: the value of data to an attacker is almost always set by what it is worth to the OWNER of it (what you would pay, or lose, to get it back), not by what it is worth to the world at large.

Your business is paying salaries and delivering services to clients. What is the impact on you as a business owner or manager if you can’t keep doing these things?

  • What will you sacrifice to be able to keep your business afloat?
  • If it’s a choice between pay up or lose your business, what will you choose?

A cyber crook knows that small businesses are MORE LIKELY to pay up. Why? Because small-ish businesses are MORE LIKELY to:

  • Not realise the value of their data
  • Have poorer visibility of their IT assets
  • Be unable to fully recover from attacks because they may not have good response and tested recovery plans

And why does all this happen? Typically small/medium businesses are low on security resources and expertise, so they:

  • Lack visibility into their IT assets
  • Lack the capability to identify and contain threats
  • May not have a proactive incident response plan
  • May have inadequate disaster recovery planning
  • Often have poor access to cyber security resources and expertise

Notice that most of these risks are about what you do as a business; they are not specifically technology related.

IT security is a business function

Hang on, isn’t IT security a black art that only specially trained experts can understand and manage? Nope. Your IT security starts with your business plan. The key questions are NOT IT related, they are business related:

  • What does your business do?
  • What is important for your business to be successful?
  • What would send you broke?
  • What do you do to earn revenue?
  • What does it take to deliver your services to your Clients?
  • What does it cost to deliver your projects?
  • What tools do you use?
  • If your architects can’t work this week, what deadlines will you miss?

None of these questions is about IT; they are business questions. You, as the business expert, have to answer them, then invite your IT partner to the business planning meeting so they can help pick the right technology to do what YOU decide the business needs.

Critical systems and risk

Each business function needs tools to do the job. Make a list of them. For each one:

Ask: how long could your business function if that system was not available? 1 hour? 1 day? A month? Consider the worst possible day of the month or year, e.g. payroll day or the deadline for delivery of a project.

Ask: how much work can you afford to lose? Is it okay to lose a whole day’s work? If it is, then a backup once per day is enough. If you can’t afford to lose more than one hour’s work, then your backup needs to run at least hourly, and you need to have proven you can restore from it.

Ask: what is the plan to recover this system if it is somehow damaged?

Third party risk

Just about every company has these. SalesForce, Practice Management systems, Microsoft 365. A typical comment I hear is: “It’s in the cloud, so we don’t have to worry about it. The cloud provider looks after it”

Wrong!

Most cloud providers do not take full responsibility for your data. They look after their cloud servers and platform, but you are expected to look after your own business requirements. That includes how your data is backed up, how far back you can restore it, and how quickly, so that recovery meets YOUR business needs rather than the provider’s defaults.

That means you need to understand your third party risks.

Third party risk – primary cyber risk for business

At the Australian Financial Review Cyber Summit on 18 September 2023, Joe Longo, ASIC Chair, repeatedly identified third party suppliers as the primary cyber risk for business:

“Third party suppliers are the primary cyber risk for business. A business cannot “set and forget” their security. There is no vaccine for cyber attack. All businesses must act now. Lack of activity, planning and ongoing management is a potential breach of Directors’ duties: the duty to act with reasonable care”

AFR Cyber Summit 18th September 2023, Joe Longo, ASIC Chair

Prove you can recover

What makes an adequate disaster recovery plan?

  • Document the plan – based on your critical systems
  • Test it every year and whenever there is a big change
  • Include your supply chain (Xero, SalesForce, Revit, Survey Monkey)

Once you have a critical systems list and the plan for recovery is documented, go ahead and test it. Check it off to see whether everything works:

  • As the business needs it to work?
  • In the time frame you said it needs to work?
  • With every business essential back running so you can function as normal?

If it doesn’t work as needed, the test has given you a clear roadmap for what you need to change so that it will.
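The critical systems questions above (how long you can do without a system, how much work you can afford to lose, and how you get it back) and the recovery-plan test (documented, tested every year and after every big change, supply chain included) can be kept together as a simple register that flags the gaps. The following is an added example, not code from the original article or from FooForce. The system names, RTO/RPO values, backup intervals and dates are constructed sample data; the 365-day limit is an assumption taken from the “test it every year” rule above.

```python
"""Critical-systems register with recovery-readiness checks.

Added example, not part of the original article. Each entry records the
answers to the three questions the article asks per system (how long you
can do without it, how much work you can afford to lose, and whether you
can actually get it back) and flags where the current backup schedule or
test history does not support those answers.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class CriticalSystem:
    name: str
    provider: str                          # "internal" or the third party that runs it
    rto_hours: float                       # longest outage the business can survive (recovery time objective)
    rpo_hours: float                       # most work the business can afford to lose (recovery point objective)
    backup_interval_hours: float | None    # how often a restorable copy is taken; None = no backup at all
    last_recovery_test: date | None        # last time a full restore was actually exercised; None = never
    last_major_change: date | None = None  # migration, upgrade, provider change, etc.
    worst_day: str = ""                    # e.g. "payroll day", "project deadline"


def readiness_gaps(system: CriticalSystem, today: date, test_max_age_days: int = 365) -> list[str]:
    """Return the reasons this system's recovery would NOT meet the business need (empty = ready)."""
    gaps: list[str] = []

    # Backup frequency must be at least as tight as the tolerable data loss.
    if system.backup_interval_hours is None:
        gaps.append("no restorable backup")
    elif system.backup_interval_hours > system.rpo_hours:
        gaps.append(
            f"backup interval {system.backup_interval_hours:g}h exceeds RPO of {system.rpo_hours:g}h"
        )

    # A plan that has never been exercised is a hope, not a plan; the article's
    # rule is "test every year and whenever there is a big change".
    if system.last_recovery_test is None:
        gaps.append("recovery never tested")
    else:
        age = (today - system.last_recovery_test).days
        if age > test_max_age_days:
            gaps.append(f"last recovery test {age} days old (limit {test_max_age_days})")
        if system.last_major_change and system.last_major_change > system.last_recovery_test:
            gaps.append("major change since last recovery test")
    return gaps


def readiness_report(systems: list[CriticalSystem], today: date) -> dict[str, list[str]]:
    """Map each system name to its list of gaps."""
    return {s.name: readiness_gaps(s, today) for s in systems}


def recovery_order(systems: list[CriticalSystem]) -> list[str]:
    """Restore priority: the system the business can do without for the shortest time comes first."""
    return [s.name for s in sorted(systems, key=lambda s: s.rto_hours)]


# Constructed sample register (assumed values, not real customer data).
SAMPLE_SYSTEMS = [
    CriticalSystem("Project file server (Revit models)", "internal", rto_hours=4, rpo_hours=1,
                   backup_interval_hours=24, last_recovery_test=date(2023, 3, 10),
                   last_major_change=date(2023, 8, 1), worst_day="project submission deadline"),
    CriticalSystem("Email (Microsoft 365)", "third party", rto_hours=8, rpo_hours=8,
                   backup_interval_hours=None, last_recovery_test=None),
    CriticalSystem("Payroll (Xero)", "third party", rto_hours=24, rpo_hours=24,
                   backup_interval_hours=24, last_recovery_test=date(2023, 9, 15),
                   worst_day="payroll day"),
    CriticalSystem("CRM (Salesforce)", "third party", rto_hours=48, rpo_hours=24,
                   backup_interval_hours=24, last_recovery_test=date(2022, 6, 1)),
]
TODAY = date(2023, 11, 1)  # fixed so the report is reproducible

if __name__ == "__main__":
    print("Restore in this order:", " -> ".join(recovery_order(SAMPLE_SYSTEMS)))
    for name, gaps in readiness_report(SAMPLE_SYSTEMS, TODAY).items():
        print(f"{name}: {'READY' if not gaps else '; '.join(gaps)}")
```

In the sample register only the payroll system comes out ready: the file server is backed up daily against a one-hour loss tolerance and has changed since its last restore test, the email tenant has no backup of its own at all (the provider running the platform is not the same as you being able to restore your mailboxes), and the CRM’s last test is more than a year old. Sorting by RTO also gives the order in which to bring systems back on the worst day.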

Questions for every board, business owner and manager

The answer to all these should be YES:

  • Do you require your suppliers to meet YOUR security standards?
  • Have you implemented the ACSC Essential Eight?
  • Do you regularly audit your IT systems, including your third party suppliers?
  • Do you regularly TEST your Disaster Recovery Plan so you know you can recover everything and how long it takes?
  • Do you have a security policy and do all your staff know and understand it?
  • Do you regularly run Cyber Awareness training for your staff?

Build the planks of security into your business

If you would like help to make this work, contact me today. FooForce can help you with all your IT and security needs.

Contact me for a chat: [email protected] or phone us 02 9234 1234

Frances Russell is CEO and Managing Director of FooForce, a leading Australian Managed Service and Security Provider. Frances is highly qualified in networking and security and has 20+ years’ experience advising organisations on business risk, IT strategy and security. FooForce provides cyber security, IT strategy alignment, information security audit including cloud security, cyber risk awareness and full IT support services to companies across many industry sectors.


Rosemary Irrgang

Reservoir Engineering Consultant at Irrgang Reservoir Managemen

1 year ago

Good list of tasks Frances Russell, daunting though. Read it all, definitely worth 7 mins, could save weeks

Did they quote Elanora? he asks, admitting he's too lazy to read the article. I'm retired, you know, tired more than once
