In brief - We are often told by Directors that the 'thing' that keeps them up at night is worrying about cyber security. Are they going to be the victim of a hack? How would they handle that? What is their IT system like? 

As we watch the Optus data breach play out, it is a good reminder that businesses should conduct regular health checks for cyber security. 

Below is a list of key things your business can do now.

1. Review your Cyber Security Plan

A cyber security plan will enable a swift response to a cyber breach, such as a ransom demand, a business email compromise, or payment redirection fraud. If your business was hacked and issued a ransom demand, would you pay it? At which point would you move from a 'no' to a 'maybe'? 

  • Conduct a security risk assessment
  • Evaluate your technology
  • Create a risk management plan
  • Identify and document (electronically and in hard copy) the escalation tree for the business, with names and phone numbers 
  • Know who you need to alert and when (if you are classed as Critical Infrastructure, you have strict reporting periods) 

2. Review your data breach response plan

If your company had a data breach, what do you do? Who do you call? What investigation do you carry out before you tell your clients or do you tell them first and provide details later? 

  • Review what data is stored
  • Develop a security policy
  • Identify and document (electronically and in hard copy) the escalation tree for the business, with names and phone numbers
  • How can the breach be contained? Will external IT assistance be required, and who can you call for urgent assistance? 
  • When will customers be notified? (consider the implications of the Notifiable Data Breaches scheme) 

3. Ensure you use multi-factor authentication

4. Discuss with your IT personnel whether they consider the systems to be adequate to withstand a breach. If they do not know, seek external IT assistance.

5. Review how you receive and pay funds: what are the protocols and checks?

6. The best line of defence, once the IT systems have been verified, is to educate your staff

  • Conduct regular penetration testing of your computer networks by third parties
  • Conduct regular training to remind staff how to identify, detect and respond to: 
    • a business email compromise
    • spam and phishing emails
  • Conduct simulated testing (for example, phishing simulations) 

This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2024.