The Covid pandemic in early 2020 has had a tremendous effect on the way we work and that effect looks set to continue with more businesses allowing staff greater flexibility to work outside of the traditional workplace.
This has given rise to a range of cybersecurity issues that every business going down that path must address in order to remain successful and build customer trust in the digital age.
Now, more than ever, businesses will need to focus on cybersecurity and cyber risk transfer, and do it well.
This article does not urge overreaction to these issues, nor does it predict doom and destruction for those businesses that are yet to fully address the changes that Covid has wrought. Instead, we set out a number of ways you can minimise this risk, including what should be incorporated into a cybersecurity framework and how the elements of that framework help to mitigate and respond to data breach incidents.
Essential elements to minimise cybersecurity risk
Cybersecurity must be addressed in the same way as any other business risk. In order to protect critical processes and functions and to ensure business continuity, organisations need to have a robust business response to cybersecurity, including:
- A tailored cybersecurity framework designed for the organisation which protects critical business processes and assets from cyber attack;
- An effective and carefully selected cyber insurance policy which acts as a risk transfer device, funding the cost of implementing key elements of the cybersecurity framework when necessary; and
- A system of regular testing and evaluation of cybersecurity procedures and plans, because the capacity to execute the plan effectively in a crisis is critical to maintaining business continuity.
Designing an effective Cybersecurity Framework
As mentioned above, a tailored cybersecurity framework is necessary to protect critical business processes and assets from cyber attacks. Failing to have an effective cybersecurity framework could lead to delays and increased costs in responding to a data breach as well as a greater risk of claims or regulatory action.
Some of the key elements of an effective cyber and privacy risk management framework are:
- Data mapping: It is essential that you understand where your data assets are in your organisation, where your data flows and who has access to your data (both internal and external to your organisation). Undertaking an audit and mapping of your data is essential to understanding your own cyber risk perimeter.
- Data breach response plan: This one is particularly important – you need to plan ahead, have a robust and carefully considered plan to respond to data breaches as soon as they happen, and test the plan regularly. At a minimum, the plan should cover:
  - what constitutes a data breach in the context of your organisation;
  - your crisis management team and when and how they are to be mobilised;
  - your response protocols, processes and escalation paths to enable rapid containment and remediation of the data breach;
  - who ought to be notified of the data breach, and when and how notifications are to be made;
  - your communications and PR strategy, including engagement with stakeholders; and
  - any changes to future business operations that may be required.
- Policies, practices and procedures: Your organisation should also have robust policies, practices and procedures in place designed to protect your data (including data about your customers). These should include having:
  - a governance body, including a privacy officer;
  - regular reporting to the Board on cyber risk issues;
  - an external privacy policy which meets the Australian Privacy Principles (APPs), is easy to find, and clearly and simply describes what your organisation does with customer information, why it uses that information and the options open to your customers regarding how their information is used;
  - privacy collection notices and consents in application forms and other organisational materials;
  - processes for the handling of information access and correction requests by individuals;
  - processes for receiving and responding to complaints and enquiries;
  - making use of de-identified data sets where appropriate;
  - records management processes, including with respect to data retention and destruction practices;
  - programs for undertaking threat assessments where there are heightened data sensitivity risks, and privacy impact assessments for new projects or changes in business information handling practices; and
  - disaster recovery/business continuity plans which dovetail seamlessly with your data breach response plan.
- Security awareness training for staff: Policies, practices and procedures are only useful if they are widely known within your organisation and they are followed. It is important that there is regular and bespoke training for staff on your cyber and privacy risk management framework, the application of the APPs to your organisation’s handling of personal information, and the internal compliance practices, procedures, policies and systems that are in place.
  This training is critical now that remote working is the norm in many workplaces. In particular, secure devices need to be deployed to employees accessing systems remotely (employee-owned devices generally lack adequate protection), and employee devices connected to the system should be tracked and capable of being disconnected from the system when necessary.
- Supplier agreements: It is also essential that your supplier arrangements include security measures with respect to any data your supplier is handling on your behalf, and that your agreements with those suppliers have up-to-date data breach containment, remediation and notification clauses.