A robust cybersecurity program acknowledges the interdependencies between systems and includes governance, management and assurance policies and processes that continually evolve to meet the needs of the changing environment and business needs.
Below is a step-by-step guide to assessing the state of your cybersecurity.
Step 1: Prepare
The first step to protecting your organisation is understanding your exposure. To do so, it’s helpful to undertake an audit and gap analysis of your systems and processes and how they relate to cybersecurity. This process should address risks related to people, processes, technology and information.
With this information you can determine the appropriate response, which can broadly be categorised as follows:
Avoid: This is a process by which you assess your areas of vulnerability and minimise or cease your activity in these specific areas.
Mitigate: This is a proactive process by which you assess your areas of vulnerability and modify your organisation’s policies and processes to limit risk in specific areas.
Transfer: This approach seeks to ‘transfer’ the risk to third parties, typically external suppliers such as insurers, data management and security providers, making them accountable for managing your risks.
Accept: Alternatively, you may deem certain risks acceptable to your organisation, in which case no action is required. This is typically the case when the financial cost of mitigation exceeds the potential financial impact of the risk itself.
Step 2: Respond
While it’s common for organisations to invest resources in systems and processes, many neglect to plan and prepare for an incident in the event cybersecurity systems fail.
A robust incident response plan should include the following steps:
Identification: Determine what has occurred and act to contain the incident, particularly in relation to preventing harm to people.
Investigation: Examine the factor(s) causing the incident and understand your obligations to disclose the event to affected parties as the incident unfolds.
Action: Take the appropriate steps to prevent recurrence and communicate with affected stakeholders.
Recovery: This involves returning to usual operation with improved risk procedures and actively managing reputational damage (if any) to restore confidence in your organisation.
Step 3: Follow-up
A post-incident review is critical to evaluating and managing the short- and long-term impact on an organisation. It allows for a more thorough review and understanding of the situation and the response, and of the impact on reputation and revenue, enabling organisations to develop processes to manage and mitigate future risks.
The findings should be documented and reported to the relevant stakeholders, including learnings and remediation steps.
With growth in the number of connected devices and systems, both personal and professional, the number of entry points for cybercrime has exponentially increased.
As a manager, not only are you responsible for tangible business assets, but also for the value of your brand, the safety and wellbeing of your personnel and of course the security of your valued clients’ private information.
For peace of mind that your business is protected from cyberthreats, contact Pitcher Partners for a confidential discussion.
According to ABS data, there were 2,238,299 actively trading businesses in Australia in 2016-17. Stay Smart Online figures claim 59% of Australian businesses experience a cyberbreach monthly.