Cyber risks: Security starts at the top

30 October 2019

The question for business when it comes to cyber security is not “are we secure” but “what are our cyber security risks and what makes us secure?”

That’s the advice from Grant Thornton cyber security expert and partner Matt Green, who gave some poignant insights into what it means to be cyber secure in the current environment at a CCIWA membership briefing.

Green said managing cyber security starts with the board, with the requirement formalised for banking, insurance and superannuation companies overseen by the Australian Prudential Regulation Authority, with its new CPS 234 information security standard coming into effect on July 1.

“Effective cyber security needs to cover people, process, technology and supplies but it starts at the top with the board. The board has to own this – management, if they are playing that role as well, are equally as accountable – but the board must own cyber security,” he said.

“All the new and updated standards that are coming out are saying roles and responsibilities must be clearly articulated for cyber. The new standard that has just been released by APRA, CPS 234, Information Security, highlights in the very first paragraph that the board is responsible for and owns cyber security.

“It’s just the way it’s going and the only way you will get full effective cyber security in place in your organisation is if it is supported from the top.”

Green said asking ‘what makes us cyber secure and do we know our cyber risks’ will give a company a rich response and something to act upon.

He said this year’s highly publicised LandMark White case, where the ASX-listed company lost $7m in revenue after it was hacked twice with customer details and commercial information uploaded to the dark web, is an example of the devastation a data breach can wreak on a company.

An IT-contractor who had trusted access to the property valuation company’s systems was arrested on October 2 but damage from the loss of customers, investors and the CEO will take far longer to repair.

Get an independent report

With many businesses now using third party hosting on the cloud or software as a service, he said it’s important to ask for an independent assurance report before handing over your corporate secrets.

He recommends requesting a SOC 2 report, which is a globally accepted standard that defines the criteria for managing processes and customer data based on the five trust principles of privacy, security, availability, processing integrity and confidentiality.

“Firms such as Grant Thornton write SOC 2 reports, a standard where we go in every year and we audit their processes and security controls. We write a report, providing an overall opinion and at a control level identify if the organisations processes and controls were effective, partially effective or ineffective,” he said.

“That’s the strongest level of assurance you will get from your third party provider.”

Green recommends putting security clauses in the contracts with third party providers.

“You should be putting in there ‘If you want to do business with us, we need you to be secure and we need you to prove to us that you are going to be secure and the best way you can do that is by giving us a SOC 2 report once a year’,” he said.

Larger companies such as Microsoft, AWS and IBM provide SOC2 audit reports and they are becoming increasingly common for smaller and midsize companies.

“We are doing a lot of them and it’s becoming much more common place and they are going into contracts much more frequently. With government contracts, you need to have an ASAE 3402 or a SOC 2,” he said.

Make it a strategy

Green said it’s imperative that businesses develop a cyber security strategy in the same way they would have a business or IT strategy.

“It does not need to be War and Peace or as large as the Yellow Pages, but you do need to have a roadmap – you need to know what your priorities are, where you’re going to invest, soft controls to focus on, what technology you’re going to use and how it connects to the risk management of your strategic objectives of your business,” he said.

“Cyber security has got to be a strategic consideration, because it can be something that brings your business undone or it can become something that becomes a competitive advantage, because you get your SOC 2 report and say ‘look how good we are’, we take your security seriously and that’s why our clients do business with us.”

Business advisory firm Grant Thornton is a proud CCIWA Member. Find out more here.

Share This Post

You may also be interested in

$10m RED grants round opens
$10m RED grants round opens
Regional businesses have an opportunity to share in $10 million of funding with the release of the seventh round of the State Government’s Regional Economic...
Read more »
Rio Tinto supporting WA communities and businesses to thrive 
Rio Tinto supporting WA communities and businesses to thrive 
Rio Tinto has revealed the extent of its impact on the WA business community with the release of its inaugural report ‘Our Contribution to Western...
Read more »
WA-USA trade alliance drives growth for businesses
WA-USA trade alliance drives growth for businesses
The WA-USA bilateral trade relationship transcends decades and has entered a new era driven by global demand to decarbonise. 
Read more »

Acknowledgement of Country

The Chamber of Commerce and Industry WA (CCIWA) acknowledges the traditional custodians of Australia and their continuing connection to land, sea and community. We pay our respects to the people, the cultures and the elders past and present.

Aboriginal flagTorres Strait Islander flag
Find out more

Helpful links

Copyright 2024 © CHAMBER OF COMMERCE AND INDUSTRY OF WESTERN AUSTRALIA LIMITED
ABN: 96 929 977 985 ACN: 099 891 611
All content is for general information purposes only, and should not be used as a substitute for consultation with professional advisers
Linkedin Logo
Twitter Logo
Facebook Logo