SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Why Australian businesses should add cybersecurity to the end of financial year checklist
Wed, 20th Jun 2018

Australian organisations should be looking at their ICT security as part of their planning process for the new financial year - and making sure they have adequate ICT security measures in place for networks, data and devices for the next 12 months and beyond.

Adelaide-based cybersecurity consultancy firm CQR has provided a quick checklist to help businesses sort their security.

Check your cover

A new financial year is a good time to review your various insurance policies. Determining whether your organisation would benefit from cyber liability cover should be part of the process. This is a form of cover designed to help organisations mitigate the frequently significant costs associated with recovering from a cyber-related attack or security breach.

A niche product just a short time ago, cyber insurance has gone mainstream, in the wake of a tsunami of businesses of all stripes shifting their operations online and embracing social media as a means of communicating with customers.

A reputable broker can provide you with information about your cyber liability insurance options and assist you to secure cover which is suited to the size and scale of your organisation.

It's important to note that cyber liability insurance should not be regarded as an alternative to implementing robust cyber security measures. In fact, businesses may struggle to get cover if they're unable to demonstrate that they have reasonable measures in place. These may include implementing appropriate software tools, updating them regularly and training staff to reduce the likelihood of internal security breaches occurring.

Ramp up security education and training

Prevention is better than cure. When it comes to warding off cyber infiltrations and privacy breaches, ongoing education is the most effective pre-emptive action you can take.

Now is a good time to put a training program in place to educate staff about day-to-day security practices that can help keep company and customer data out of the wrong hands.

Ensuring security awareness is ingrained in every employee takes time, and training will only be effective if it's a regular occurrence, not a one-off initiative or an afterthought to the induction process for new starters.

Understand your privacy reporting responsibilities

Experts estimate thousands of serious data breaches occur each month. There are stiff penalties for Australian businesses which fail to inform customers and the Office of the Information Commissioner if they experience or suspect one.

A serious data breach is any situation where personal information is compromised – think customer names, contact details or personal records. Penalties for not reporting breaches within 30 days can be as high as $1.8 million for serious or repeat offenders.

The introduction of new privacy laws on February 22 was expected to catch thousands of small businesses on the hop. If you've yet to review your privacy policy and develop a data breach response plan, now is a good time to get to grips with your reporting responsibilities and ensure you have it covered off.

Keep data safe in the cloud

If your business hasn't moved some or all of its ICT activity to the cloud, it's likely you're assessing the business case for doing so and finding it a compelling one. Addressing data security implications is a vital part of this process. Having experts evaluate your technology, people and processes can help ensure applications are migrated smoothly and safely.

Fraud alert

While it's not technically an IT risk, invoice fraud is a broader security issue. End of financial year is the peak season for it, as businesses look to close off their accounts and square up with suppliers, and experts say this year has seen an unprecedented level of activity.

Ensuring your accounts payable process is robust and you have checks in place to identify rogue invoices is a sensible addendum to your end-of-financial-year cyber security review.

Getting started

Sometimes the toughest thing about implementing a cyber-security strategy can be getting started. Start by acknowledging that cyber-security isn't just an IT problem – it's an enterprise-wide matter.

Staff from across the organisation will be the strongest line of defence in your campaign to protect company and customer data from privacy breaches and malicious activity.

Input from employees in the finance, human resources and executive teams can help identify areas within the business which are especially vulnerable, while a security audit by an external consultancy may flag any risks or gaps you've missed.