It’s an old adage that has been around for generations: good hygiene can reduce and prevent serious illness. As cybersecurity incidents increase in both frequency and severity, organisations can limit the damage by ensuring that hygiene projects remain on the executive agenda.
Cybersecurity risk management for organisations across Australia is more relevant than ever. And it’s little wonder.
Most Australians are aware of recent breaches impacting corporate Australia and the risk posed to customers past and present as their data is exposed on the dark web. The potential for identity theft and sensitive health information being available for download has started some serious conversations about why data is retained, for how long, and what is the real risk to personal data when organisations hold onto it.
The situation has got so serious for corporate Australia that the government has been forced into forming a brand-new cyber policing model to get tough on cyber criminals.
Amid the upheaval, it’s become clear that while digital transformation has expanded the options for businesses and consumers, it has also heightened the exposure of organisations and institutions to cyber risks, with cyber threats fast ranking as a top threat in most industries.
Despite perimeter protection designed to prevent hacks, the recent breaches have shifted the question from will we get hacked to when will we get hacked and what should we pre-emptively do about it?
Amid the surge in criminal cyber activity and the increased attendant risk, organisations are being called upon to undertake a mindset shift in thinking about how to deal with the threat posed by potentially catastrophic hacks. The lens of risk management can assist, and good terminology can help explain the importance.
‘Hygiene’ and cybersecurity risk management
There are simple things we do every day – taking a shower, brushing our teeth, eating well, for example – that are simply good personal hygiene. Good hygiene is a proactive way to prevent illness, disease, and suboptimal personal performance from gaining hold in the first place. COVID is the most recent example of why it’s so important: We’ve all seen the videos of how to wash your hands for the appropriate number of seconds or how to properly protect oneself with a mask. Most of us realise we probably take a few too many shortcuts in protecting our health.
For most people, however, hygiene isn’t necessarily a word we associate with technology, cybersecurity, or risk mitigation. However, the concept can be a useful one when thinking about how to make smart, forward-looking decisions about protecting organisations from cybercrime and risk.
Put simply, good corporate hygiene is all about shifting organisational mindset so that leaders think proactively about cybersecurity and other risk mitigation projects and elevating the importance of risk mitigation strategies before threats materialise, knowing that, at some point, it’s likely defences will be breached.
In essence, establishing robust cyber hygiene practices should be routine, like brushing your teeth – a very regular habit.
Making a case for cybersecurity hygiene
Turning cybersecurity into the corporate equivalent of a mouth rinse (or daily shower) is easier said than done. Even in today’s riskier environment, many stakeholders within organisations often take it for granted and are unlikely to get on board with undertaking potentially costly hygiene work in the area, with no immediate direct return on investment.
Drawing on risk management ideas to frame up the threat can assist in getting buy-in. In conversations with stakeholders, the key question regarding perimeter and internal cybersecurity safeguards becomes, is it better to have it and not need it, than not have it and need it?
The staggering costs of corporate Australia’s recent hacks – for one company, at least $140 million – is enough of a reason to stop dragging the cybersecurity chain, as the cost to respond to data hacks often well outweighs the cost of investing in preventative measures.
When viewed through a risk management prism — and the acceptance that it’s a question of when not if a hack occurs – it opens up the ability for organisations to genuinely consider a multitude of issues that have big potential business costs attached to them.
For example, it illustrates to stakeholders that a strong cybersecurity risk management strategy comes with benefits, including safeguarding business reputation and image, easing the workload of the IT team, gaining an edge over competitors and preventing revenue loss.
Then the next step becomes how to achieve good hygiene.
Three questions can help guide the way:
- First, ‘will I be hacked?’ Depending on the risk profile, it may be unlikely at present but probably increasing.
- Next, ‘would a hack be successful?’ This depends on the strength of the company’s defences.
- Finally, the potential impact of a hack has to be examined and minimised.
These questions raise the conversation about how adequate internal controls are in preventing or defending the organisation should a hack happen.
Prioritising cybersecurity controls
A company’s internal record management processes should prompt organisations to ask key but often overlooked questions like ‘do we hold data we shouldn’t hold anymore? Where do we store it? Is it appropriate? Do we have a policy and are there regular audits to determine how we collect, store, and archive data?’
This puts focus on basic ‘hygiene’ controls that may have gone by the wayside, which would help to ensure robust protection from cybercrime is in place. For example, installing reputable antivirus and malware software at the local user and server level, using network firewalls and updating software across individual and networks regularly,
Other basic controls when it comes to preventing cybercrime include strong password enforcement, backing up regularly, keeping hard drives clean, and securing company routers.
By taking these steps to achieve good cybersecurity hygiene, organisations will be better placed to deal with the rising risks from cyberattacks in today’s increasingly digitised world.
Quay Consulting partners with the CPM Group to enable organisations to adopt better systems integration as part of the project delivery process. To find out more, please contact us.
We believe that quality thought leadership is worth sharing and encourage you to share with your colleagues. If you’re interested in republishing our content, here’s what’s okay and what’s not okay.