The word “cybersecurity” has quickly become embedded in the modern business language and it is a topic that I dare say is going to be rarely far from the headlines.
I recently attended a seminar run by the Australian Institute of Company Directors and the speakers were people worth listening to. The speakers were Sandra Ragg, Assistant Secretary Cyber Policy Branch Department of Prime Minister and Cabinet and Michael Trott, Director of Cyber Security at Optus Business.
The title of the seminar included the words “preparing for the inevitable” and I think that is a clear message. To paraphrase Al Gore, this maybe an “inconvenient truth” but it seems inevitable that most of us either individually or in a business will be impacted by some form of cyber breach. By that I mean some unauthorised access to our hardware, software or data, or disruption to our services or data.
Here are some practical observations and tips from the speakers:
- Cybersecurity is the number one risk for nations and businesses
- The challenge is to maintain the integrity, privacy and availability of data
- It matters a lot because we have a data driven future
- A recent study of Top 100 ASX company directors found that only 7% of directors understand this stuff
- Identify what your most valuable information and data is and make sure it is protected
- Have a communication plan in place and a clear hierarchy for decision making if something goes wrong
- Notifiable Data Breach Reporting Requirement applies from next year to any entity covered by the Privacy Act See more detail here: https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches/
- The human factor is the hard bit to manage which is why education on a regular basis is so important
- Backups must be tested regularly so you know you can actually restore data from them
- A once a year test and assessment from a trusted expert is useful but is no longer enough
- Regularly go to https://www.staysmartonline.gov.au/ to get updates – you can sign up to receive alerts (something I have done) The Top 5 cyber security mistakes: by small business listed here are:
- No investment or dedicated resources
Have at least one person in charge of cyber security measures and awareness training
- Unaware staff
Have an online security awareness program
- No back ups
Particularly important to protect against ransomware attacks
- Out of date (software)
Updates and patches must be kept up to date
- Bring your own device
Develop a BYOD policy with clear guidelines and safeguards
- No investment or dedicated resources
Take a few minutes to read more about these five issues here: https://www.staysmartonline.gov.au/news/top-5-cyber-security-mistakes-small-businesses
The Smart Online website has good tips for passwords, some of which are:
- Passwords and PINs should be a secret known only to you or the people in your organisation who need them. Strong passwords are difficult to guess and should be:
- greater than 10 characters long
- a mix of upper and lower case letters, numbers and other symbols.
- Do not include:
- recognisable words or names, in any language
- repeated characters
- personal information
- anything you have previously used.
- Don’t use the same password for multiple services or websites.
- Don’t share your passwords with anyone.
- Don’t provide your password in response to a phone call or email, regardless of how legitimate it might seem.
- Don’t provide your password to a website you have accessed by following a link in an email – it may be a phishing trap.
- Be cautious about using password-protected services on a public computer, or over a public wi-fi hotspot. See a recent article on this here: https://blog.strategicgroup.net.au/why-you-shouldnt-connect-to-unsecured-wi-fi
- Change your passwords regularly, at least every three to twelve months. If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well.
I notice that The Tax Practitioner Board (TPB) have announced that cyber security training will now be recognised as part of continuing professional education requirements. Yet another indication of the importance of this topic.
In response to cybersecurity threats new insurance policies are being made available by underwriters. Not surprisingly, these will expect you to have in place certain safeguards for the cover to be valid, but it might be worth looking at. Accountancy Insurance amongst others provide this insurance. https://www.accountancyinsurance.com.au/products-services/cyber-insurance
As an accounting firm coach I speak with owners and managers of firms on daily basis. I’ve spoken with several who have experienced ransomware attacks or had other cybersecurity issues. These are real and present dangers. If cybersecurity is not on the agenda for your leadership team I suggest you get it on there fast and take notice of the StaySmartOnline site and your third party technology support provider. Get a plan to deal with cyber security.