With instances of malicious cyber activity, including malware, ransomware and phishing on the rise, enterprise level companies are experiencing increasing levels of vulnerability when it comes to their digital security.
In February 2022, the Australian Cyber Security Centre (ACSC) released an advisory¹ urging Australian organisations to rapidly adopt an enhanced cyber-security posture.
So, how can organisations balance continued innovation and growth with changing security needs? And, more importantly, what can enterprises do to reframe security as a key business priority?
In a discussion hosted by business nbn® entitled ‘Enterprise Security: what is your weakest link?'², an expert panel examined the big security challenges facing Australian businesses, and the important things to consider in strengthening security culture.
Following are some of the key outtakes from that discussion.
Embrace security as an enabler
Having an enterprise-wide cyber security strategy is essential to ensure business’ continuity and growth. Organisations should treat security on par with any other business risk, including financial, quality, or occupational health and safety.
Factoring cyber security into the overall risk strategy of a business helps ensure adequate controls are in place. This reduces exposure to cyber threats, so the business can continue to focus on innovation and expansion. A mature approach to cyber security should be seen as an enabler, and not an obstacle or added operational cost.
Build a security culture
Senior executives play an important role in amplifying the importance of cyber security across the organisation. When a CEO talks about security being critical to business performance, it sets the tone for a culture of security awareness for all employees.
“The relationship you've got with your supplier has to be trusted. If it's not trusted, change suppliers"
Darren Kane, Chief Security Officer, nbn
While there are many cyber security tools and technologies available, their adoption requires people across departments and organisational functions to recognise the benefits. By advocating for security, leaders not only shape the culture of the organisation, but can also influence industry peers.
Assess your security on a maturity scale
It is no longer enough to know if you have cyber security measures in place or not. Every business must assess its own threat environment and work to keep improving their cyber security posture.
Organisations with a mature security posture understand cyber threats are a foreseeable risk. They build trust in their teams and put appropriate security controls in place. The ACSC’s Essential Eight Maturity Model³ offers guidance to organisations on identifying a target level of security maturity suited to their environment, and working towards achieving that target.
Set security KPIs
Security risks will differ from business to business, so it's important to take the time to identify the priorities for your business. Is it data or infrastructure? Is it technology or people? Then, within the overall risk assessment, select the security measures to address that priority and put KPIs in place to continuously measure and report on the criteria that have been prioritised. Whether your security focus is patching systems, identity and access management or encryption, strive to achieve the KPIs you have set to keep your goals on track.
Presenting security reports in a clear and easily understood manner to board members helps them get a clear picture of how security risk can be effectively managed. Businesses should also consider a security audit by a third party – to get independent reporting and insights on security levels and risk exposure.
Secure your supply chain
As businesses grow, parts of their operations are outsourced to suppliers. This allows them to scale and serve customer needs efficiently. However, this can also expose an enterprise to security threats in the supply chain.
It is important to have trusted suppliers with visibility on the security measures they have in place to protect their platforms and services offered. Sharing your own security reports with suppliers helps build trusted relationships through the supply chain.
Empower your people
Employees have a key role to play in keeping their organisation cyber safe. Data breaches can occur due to an employee clicking on a malicious link for example, but this is often due to a lack of security awareness resulting from poor training. Naming and shaming employees who may have unwittingly enabled a breach must be avoided at all costs. Regular cyber security training programs help keep staff updated on the nature of the latest threats. When people are empowered with the right knowledge, they become the true enablers of a culture of security.
A strong security culture protects the people, systems and processes in an organisation. It inspires trust in customers and partners, helps build reputation in the market and can improve business performance.
There is no single solution to enterprise security. It is an iterative and shared journey. By building a strong security culture and bringing people along on the journey, business leaders can work to improve their cyber security posture.
Sources
