Cyber Security for Small Business and Not-for-Profit Directors

Strategies for Enhancing Cyber Resilience

In today's digital age, small businesses (SMEs) and not-for-profit (NFP) organisations are increasingly vulnerable to cyber threats. Recognising this, the Australian Information Security Association (AISA) and the Australian Institute of Company Directors (AICD) have co-authored a comprehensive guide to help directors navigate the complex terrain of cyber security. This blog post will outline essential strategies that you can implement to fortify your organisation's cyber resilience.

  • Cyber Fundamentals

  • Fostering a Cyber Culture

  • Comprehensive Risk Management

  • Effective Incident Response

Cyber Fundamentals

The first step in bolstering your organisation’s cyber resilience is understanding and implementing basic cyber hygiene practices. Here are some foundational strategies:

  • Maintain an inventory of all IT assets, including hardware, software, and cloud services, to manage and track your technology endpoints effectively.

  • Conduct a data stocktake to understand where key data is stored, who has access, and what the data retention protocols are. This helps in gauging the potential impact in case of a data breach.

  • Implement strict access controls, including unique logins for staff members and limiting administrative privileges to essential personnel only. Secure logins with complex passwords and multifactor authentication (MFA), preferring authentication apps over text messages.

  • Ensure all software and firmware are updated automatically from trusted sources, and maintain regular backups of critical systems and data that are kept isolated from primary systems.

  • Train employees to recognise malicious emails and social engineering attempts and develop a robust cyber incident response plan.

Fostering a Cyber Culture

Cultivating a culture of cyber awareness is crucial for long-term operational stability and stakeholder trust. Here’s how directors can set the right tone:

  • Proactively lead and embed cyber resilience into the organisational ethos. Regular communication, testing, and education are critical.

  • Implement mandatory training and phishing tests for all employees and volunteers. Appoint a cybersecurity leader within the organisation to promote strong cyber practices.

  • Subscribe to cybersecurity alert services to stay informed about emerging threats and ensure staff have access to the latest information.

  • Create educational and engaging training content to effectively alter employee behaviour towards cyber threats. Cover key topics like recognising phishing attempts, safe browsing practices, and reporting suspicious activities.

  • Leverage external resources and industry initiatives, such as the COSBOA Cyber Wardens program, to enhance preparedness and response capabilities.

Comprehensive Risk Management

Adopting a comprehensive risk management approach is key to safeguarding your operations. Here’s what you need to do:

  • Integrate cyber risk into your existing risk management frameworks, implementing accessible, low-cost controls tailored to your organisation’s capabilities and threat landscape.

  • Document internal policies and processes, outlining practices to secure IT assets and data, along with clear responsibilities and effective reporting mechanisms.

  • Manage third-party risks by overseeing interactions with vendors/service providers to ensure alignment with cybersecurity expectations. Include limitations on system access, confidentiality clauses, and data retention provisions in key agreements.

  • Understand the flow of data within the organisation and secure it in storage and transit using encryption and access controls while monitoring for suspicious activity.

Effective Incident Response

A well-crafted incident response plan is fundamental for managing and mitigating cyber threats. Consider the following:

  • Develop a comprehensive cyber incident response plan (CIRP) outlining responsibilities, detailing who manages incidents, and specifying required resources.

  • Include a contact list for legal counsel, forensic experts, and communication specialists in the CIRP to coordinate the response.

  • Ensure clear communication strategies to mitigate damage and maintain trust, and prioritise the restoration of critical systems with defined recovery orders and timeframes.

  • Conduct regular testing and updating of the CIRP through scenario planning and mock exercises to ensure it remains relevant amidst evolving threats.

  • Perform post-incident reviews to learn from each incident and refine strategies, demonstrating a commitment to continuous improvement and rebuilding organisational reputation.

Conclusion

Following these outlined strategies from The Cyber Security Handbook for Small Business and Not-for-Profit Directors will significantly enhance your organisation’s cyber resilience. Implementing these practices can safeguard operational integrity and build stakeholder confidence, ensuring long-term success and stability.

For more personalised advice and to strengthen your organisation's cyber security further, book a chat with GBA Online.

*This post was adapted from an article that first appeared in the August 2024 issue of the AICD Company Director magazine under the headline 'Cybersecurity Handbook'.
