Secure Your Business: Directors’ Cyber Guide

Cyber threats today are relentless and evolving; unfortunately, no business is entirely safe, irrespective of its size. For directors and key decision-makers in small to mid-size enterprises (SMEs) and not-for-profit organisations, the obligation to protect the enterprise goes beyond mere IT concern; it is integral to their fiduciary duties.

Recognising this vital need, the Australian Institute of Company Directors (AICD), together with the Australian Information Security Association (AISA), developed a "Cyber Security Handbook for Small Business and Not-for-Profit Directors." This resource serves as a compass for directors navigating the stormy seas of cyber risks, emphasising core strategies to establish cyber resilience.

Directors' roles in fortifying an organisation against cyber threats extend beyond the traditional understandings of managerial responsibility. The manual reiterates that directors must integrate cyber risk management into their governance roles, acting with care and diligence. The Corporations Act 2001 mandates that directors ensure suitable systems are in place to strengthen cyber resilience and to proactively respond to cyber incidents.

The handbook outlines that SMEs and NFPs typically face distinctive challenges, including limited resources and technical know-how. Despite these challenges, the guide stresses that effective cyber security controls can be implemented without substantial financial investment. Cyber risks can be mitigated by maintaining regular software updates, securing critical information, backing up data, and implementing effective third-party risk management practices.

Additionally, the guide places importance on establishing a culture of cyber resilience. This goes beyond setting up policies; it involves fostering an environment of constant vigilance and proactive behaviour in the face of emerging cyber threats.

Directors are also prompted to ensure they are up-to-date with the latest regulatory requirements that relate to cyber security in their industry. For instance, entities holding an Australian Financial Services License must have risk management systems in place as stipulated by the Corporations Act. Meanwhile, healthcare and financial institutions must abide by industry-specific regulatory frameworks such as the My Health Records Act and APRA's prudential requirements, respectively.

As key decision-makers, directors need to possess not only a grasp of their cyber obligations but also the acumen to question, validate, and understand cyber security practices. Adopting a "show me how" approach rather than a "tell me how" can be a decisive factor in effective cyber governance.

Ultimately, the handbook isn't meant to be exhaustive but serves as a foundational tool for directors seeking to proactively protect their organisations from cyber risks.