The question for business when it comes to cyber security is not “are we secure” but “what are our cyber security risks and what makes us secure?”
That’s the advice from Grant Thornton cyber security expert and partner Matt Green, who gave some poignant insights into what it means to be cyber secure in the current environment at a CCIWA membership briefing.
Green said managing cyber security starts with the board, a requirement now formalised for banking, insurance and superannuation companies overseen by the Australian Prudential Regulation Authority (APRA) through its new CPS 234 information security standard, which comes into effect on July 1.
“Effective cyber security needs to cover people, process, technology and supplies but it starts at the top with the board. The board has to own this – management, if they are playing that role as well, are equally as accountable – but the board must own cyber security,” he said.
“All the new and updated standards that are coming out are saying roles and responsibilities must be clearly articulated for cyber. The new standard that has just been released by APRA, CPS 234, Information Security, highlights in the very first paragraph that the board is responsible for and owns cyber security.
“It’s just the way it’s going and the only way you will get full effective cyber security in place in your organisation is if it is supported from the top.”
Green said asking ‘what makes us cyber secure and do we know our cyber risks’ will give a company a rich response and something to act upon.
He said this year’s highly publicised LandMark White case, in which the ASX-listed company lost $7m in revenue after being hacked twice and having customer details and commercial information uploaded to the dark web, is an example of the devastation a data breach can wreak on a company.
An IT contractor who had trusted access to the property valuation company’s systems was arrested on October 2, but the damage from the loss of customers, investors and the CEO will take far longer to repair.
Get an independent report
With many businesses now using third party hosting on the cloud or software as a service, he said it’s important to ask for an independent assurance report before handing over your corporate secrets.
He recommends requesting a SOC 2 report, which is a globally accepted standard that defines the criteria for managing processes and customer data based on the five trust principles of privacy, security, availability, processing integrity and confidentiality.
“Firms such as Grant Thornton write SOC 2 reports, a standard where we go in every year and we audit their processes and security controls. We write a report, providing an overall opinion and, at a control level, identify if the organisation’s processes and controls were effective, partially effective or ineffective,” he said.
“That’s the strongest level of assurance you will get from your third party provider.”
Green recommends putting security clauses in the contracts with third party providers.
“You should be putting in there ‘If you want to do business with us, we need you to be secure and we need you to prove to us that you are going to be secure and the best way you can do that is by giving us a SOC 2 report once a year’,” he said.
Larger companies such as Microsoft, AWS and IBM provide SOC 2 audit reports, and they are becoming increasingly common for smaller and midsize companies.
“We are doing a lot of them and it’s becoming much more commonplace and they are going into contracts much more frequently. With government contracts, you need to have an ASAE 3402 or a SOC 2,” he said.
Make it a strategy
Green said it’s imperative that businesses develop a cyber security strategy in the same way they would have a business or IT strategy.
“It does not need to be War and Peace or as large as the Yellow Pages, but you do need to have a roadmap – you need to know what your priorities are, where you’re going to invest, soft controls to focus on, what technology you’re going to use and how it connects to the risk management of your strategic objectives of your business,” he said.
“Cyber security has got to be a strategic consideration, because it can be something that brings your business undone or it can become something that becomes a competitive advantage, because you get your SOC 2 report and say ‘look how good we are’, we take your security seriously and that’s why our clients do business with us.”
Business advisory firm Grant Thornton is a proud CCIWA Member.