The ASX released its much anticipated ASX 100 Cyber Health Check Report today, 20 April 2017.
It is a good document and was a worthwhile exercise which came about off the back of Prime Minister Turnbull’s April 2016 Cyber Security Strategy. We recommend reading the report – it contains interesting insights into how 76 companies in the ASX 100 view their own cyber maturity. As the report notes, it is critical to raise awareness and create a strong national culture of cyber maturity. The exercise that has been carried out by ASX and the “Big 4” professional services firms is undoubtedly valuable and should have a trickle-down effect to influence other organisations.
But, to get practical, it was a survey. While self-assessment is an important component of a cyber health check, it only scratches the surface (which the report itself acknowledges; it is clear that company directors recognise there is a great deal of work to be done).
It is likely you will see countless articles written about the ASX report in the coming days and weeks. It is also likely they will all emphasise the fact that every organisation needs to assess and build its cyber maturity.
Here is a quick, high level guide on how to do it:
1. You need to understand your current level of cyber maturity
This is what a cyber health check should tell you. You need to take a holistic view of your organisation and allow experts to ask the tough questions. There are literally hundreds of questions to ask which should reach every corner of your business – corporate governance, leadership and culture, HR, IT, legal and compliance, contracting processes, PR and corporate affairs, premises security and operations, etc.
And that’s just the internal stuff. You also need to understand your marketplace because the big hacks tend to involve third parties. Who are your customers, suppliers, partners, etc? What access do they have to your systems and premises? What contractual protections do you have in place with them?
You should be turning over stones in all of these areas.
2. You need to understand your exposure
Every business has unique risks. Before you can develop a strategy to manage them, you need to be able to articulate them.
3. You need to define your risk appetite
Your risk appetite should be informed by the nature of your business, your regulatory obligations, your contractual obligations, your corporate mandate, etc. To state the obvious, your risk appetite will inform your strategy.
4. You need a strategy backed by a budget
Whether it is a major organisation-wide project or some targeted investment, it is highly likely you will need to invest in certain areas. A carefully defined strategy that flows from the work done as described above will ensure you maximise the value of your investment. A word of caution here – beware software and hardware vendors spruiking magical solutions. Software and hardware solutions are obviously crucial and can be extremely valuable, but they are rarely a silver bullet. Think more holistically. Cyber security is about the weakest link. For example, you can patch your systems but when did you last patch your people?
5. You need a governance framework to monitor your resilience
Given that cyber risk is not going away, you’re in for the long haul. Just like workplace safety, constant vigilance and investment is going to be required.
Who should do it?
Go external. You need a fresh set of eyes and relevant expertise. Cyber is relatively new for everyone so there should be no hard feelings if (when) weaknesses are identified. To some extent, the entire market is learning together and against the backdrop that most businesses face a daily barrage of attacks. The right experts will take a collaborative and constructive approach. In our view, you need lawyers, IT security experts (including “ethical hackers”) and PR people with genuine crisis expertise to all work together. The reason for this is that, apart from the risks being business-wide, the issues overlap significantly and a good strategy requires people with different expertise to work together.
Addisons Lawyers has formed a strategic alliance with leading IT security and crisis management and communications firms. Together, we offer seamless and holistic cyber security consulting services to help your organisation build cyber maturity. Our starting point is a Cyber Health Check which is the important first step to building cyber maturity.
If you’d like to learn more about how we work, feel free to give me a call.
Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.