A business will have a variety of digital devices in use to support its operations. Personal computers, IT servers, mobile phones and laptops connect to a business’ network and can hold significant amounts of sensitive data while providing entry into a business’ critical systems. Identifying and creating a registry of digital devices is a significant part of a business’s cyber security delivery to allow data security and access control.
By the end of this topic, you will understand:
- legal requirements for cyber security
- how to gauge the level of cyber security awareness in a workplace
- how to develop and grow cyber security awareness programs in keeping with business values
- how to create a cycle of continuous improvement.
Before computers, business security focused on protecting physical assets from theft. Important documents such as ledgers and contracts would be locked in safes. Networked computers have evolved and grown into the internet of today with the one constant being that crime has followed it. While physical cybercrime such as stealing computers and phones exists, vast criminal proceeds can be generated from attacking a business’ digital systems – stealing and altering data; also ransoming access to a business’ systems. It is for this reason that cyber security matters.
Example
One of the earliest cybercrimes that gained notoriety was Phone Phreaking which were attacks on telephone networks. One method was to use a handheld tone generator to move past the dial tone. A series of sounds allowed the hacker to put the exchange the phone was connected to into a ready state to accept a phone number. Phone Phreaking allowed public phones, even phones in lifts, to be used to make free phone calls.
This gap in cybersecurity was finally closed in the 1990’s when tone-controlled telephone exchanges were replaced with end-to-end digital switches.
Protection from Malicious Attack
Computers are networked and designed to accept logons. As a result, there is need to provide protection for a business’ information technology platforms. By accepting network access, business information systems can also be accessed by unauthorised third parties – called Hackers. To provide a cyber-safe workplace due to hacking attempts, businesses require cyber security policy to:
- ensure the integrity of business data
- ensure the continuity of services to the users of a business’ digital infrastructure.
Cyber security is a response to cybercrime. Cybercrime occurs when malicious third parties exploit software vulnerabilities as well as physical opportunities (such as reading a written down user password) with the intent to gain unwanted access to a business’ digital platform. By gaining access, third parties can:
- steal confidential data
- corrupt data and systems to make digital systems inoperable
- gain benefit from fraudulent financial transactions including ransoming data and access. In this case, if the business owner does not pay a ransom, the malicious third party or ‘hacker’ denies the business access to their vital digital platforms
While it is in a business’ best interests to protect its digital systems, in Australia and other countries there are legislative requirements and codes of practice that require cyber security to be rigorous.
Legislative requirements relating to cyber security
Data Protection Legislation
In Australia, data protection is primarily governed by the Privacy Act 1988 (Cth). The Privacy Act includes the Australian Privacy Principles (APPs), which outline how private sector organizations should handle, use, and manage personal information. Key aspects include:
- Collection and Use: Organisations must only collect personal information that is necessary for their functions or activities. They must also obtain consent and inform individuals about the purpose of the collection.
- Data Security: Organisations are required to take reasonable steps to protect personal information from unauthorised access, disclosure, misuse, or loss.
- Access and Correction: Individuals have the right to access their personal information held by an organisation and request corrections if necessary.
Notifiable Data Breach Legislation
The Notifiable Data Breaches (NDB) scheme, introduced in February 2018, amends the Privacy Act to require organisations to notify individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm. Key points include:
- Mandatory Notification: Organisations are obligated to notify affected individuals and the OAIC when they become aware of an eligible data breach.
- Assessment of Harm: Organisations must assess whether a data breach is likely to result in serious harm, which may include physical, psychological, emotional, economic, or financial harm.
- Timely Notification: Notifications must be made as soon as practicable after becoming aware of a breach.
Tip
A breach is when a third party illegally gains access to a business’ digital platform. The breach may result in the release of sensitive information, fraud, loss of data and other negative impacts on the business, clients and other third-party companies.International Legislation
Australia, when trading and communicating with overseas companies will be required to comply with local cyber security requirements. For example, the General Data Protection Regulation (GDPR) is the data privacy convention adopted in the European Union. Any Australian business sending or receiving personal information regarding EU citizens is required to comply with the GDPR. In the USA, the amended Data Privacy Act encompasses compliance requirements for the handling of personal data belonging to citizens of the USA. Australian businesses should consult with the Department of Foreign Affairs and Trade (DFAT) and the Australian Cyber Security Centre to discover more about international cyber security requirements.
It's important to note that the legal landscape is subject to change, and organisations should stay informed about updates to legislation and regulations to ensure compliance. Additionally, legal advice should be sought to address specific organisational circumstances.
Watch
Learn more about the Security of Critical Infrastructure (SOCI) Act and role it plays:
Critical Infrastructure (cisc.gov.au)
Reading
The Office of the Australian Information Commissioner lists the kinds of businesses required to comply with the NDB on its website: Rights and responsibilities | OAIC
Cyber security regulations evolve to ensure business’ act vigorously to protect their systems. While not exhaustive, the following organisations have guidelines on defending against cybercrime: Australian Tax Office:
Essential Services
A further requirement for Australian businesses is compliance with the Security of Critical Infrastructure (SOCI) Act (2018). Businesses that deliver essential services are required to comply with the Act. There are 11 essential service sectors:
- Communications
- Data storage and processing
- Financial services and markets
- Water and sewerage
- Energy
- Healthcare and medical
- Higher education and research
- Food and grocery
- Transport
- Space technology
- Defence industry
Businesses that deliver significant services in any of these sectors are expected to provide a register of all their critical assets (including digital) and report any cyber penetration attempts to the Australian Cyber Security Centre (ACSC). A third requirement will be added soon requiring lodgement of a written risk management plan. The expectation of the SOCI Act is to ensure that the highest level of cyber security is in place across the 11 essential services.
The Act provisions penalties ranging up to $166,500 for corporations. The SOCI Act allows the government to act unilaterally to restore services when a business is deemed unable to do so as well.
Example – Pipeline Lockout
The Colonial pipeline in the USA carries oil from the Texas oil field along the East cost of America. The oil is refined at refineries along an 8,000-kilometre pipeline and without it, fuel supplies across the USA would grind to a halt. On May 7, 2021 the digital infrastructure that supports the pipeline was subject to a ransomware attack. Only after paying a ransom of $4,400,000 was the service restored.
While most of the money paid was recovered, the disruption to US transportation was catastrophic as petrol supplies dwindled.
Watch
Learn more about the Security of Critical Infrastructure (SOCI) Act and role it plays. Follow the link below:
As we have seen, there are compliance reasons for which Australian businesses must make cyber security a priority. Along with the loss of income and the potential for reputational damage from a breach, there are growing reasons why all business’ need to address cyber security. Often, the term cyber security is equated to sophisticated software management and complex network infrastructure. While integral to cyber security delivery, ensuring that personnel in a business are aware of and practice cyber security behaviours is equally important.
Regarding the Colonial Pipeline cyber security breach, cyber security experts believe hackers gained access not with a sophisticated exploit, but through a simple email or file being opened online which loaded malware to allow the hackers access. In effect, a member of Colonial’s own staff facilitated the attack. Ensuring a culture of cyber security exists in a business is a critical defence against cybercrime.
Watch
Learn about the secret lives of hackers. Watch the video below:
Creating a Cyber Security Culture
To create a workplace that applies cyber security thinking and complies with sound cyber security policy is a three-step process:
Step 1: Benchmark the Workplace
First you should benchmark the current awareness of safe and unsafe cyber security practices and the level of understanding of the importance, risks and policies relating to cyber security in the workplace. This process highlights gaps and areas to improve. Further, it allows the prioritising of closing gaps that expose a business to the greatest risk of a breach of their digital platforms.
A cyber security gap ranges in complexity and impact. A gap may be as simple as staff not following password security policy. A gap can be as complex as a code bug in a webserver that can allow hackers to access a business’ core systems.
Note: A digital platform is a business’ information technology space. It is where a business’ networked devices (such as PCs and mobile phones) access, update and create workflow using shared systems – such as sales databases or inventory management systems. Hackers use this networking to a business’ info tech systems to gain illegal access.
To create a benchmark, informal and formal processes are undertaken. An informal process does not make use of a data collection instrument. Data gathering using an informal process relies on meetings, ad hoc conversations and observations without using a tool such as a survey.
Formal processes gather data using short quizzes and surveys. Staff are asked the same data collection questions.
Benchmarking
- Discussing cyber security in meetings with staff and managers to gather insight
- Evaluating workplace cyber policy for gaps in compliance and for policy that requires change.
- Gathering input from staff using a survey. The survey collects current thinking and how staff work with cyber policy in the workplace
- Alone or combined with a survey, using a quiz to establish cyber security knowledge as relevant to a business’ cyber policy. The quiz tests competency.
The result of the benchmark is a business wide benchmark of cyber security policy and workplace behaviours. Where gaps are found, these gaps can be closed through policy and behavioural change. The next two steps in the process can be undertaken concurrently to target identified gaps in order of risk.
Step 2: Analysing Benchmarks and Training to Gather Insight
Once the initial benchmark is established, closing gaps in cyber understanding can be prioritised. Additionally, in some cases, building the benchmark will identify workplace processes that need to change rather than closing a gap in cyber understanding in staff. In this case, communicating the required changes to key stakeholders is needed to implement workplace procedural changes.
Core results from assessing the cyber security awareness level in a business are:
- The identification of where cyber security policies and procedures require creation or modification
- The creation of training programs to close gaps in staffed cyber comprehension and to demonstrate required cyber safe workplace behaviors
Step 3: Growing Understanding
Based on the benchmark results, developing training programs to explain required cyber security behaviour should be provided to all staff. Prioritising areas of highest risk, the programs describe operationally how cyber security policy in a business is to be followed.
In addition to providing formal programs, regular and as-required email bulletins to provide updates on local business cyber security matters are helpful. Not only does this improve staff understanding, but it also promotes a culture of thinking about cyber security in the workplace. Importantly, messages from senior managers such as the CEO assist in highlighting the serious way in which a business treats adherence to cyber policy and encourages thinking about cyber safety
Case Study
Changing Workplace Behaviour
Jane is the compliance manager at ACE Pty Ltd. She has conducted a benchmark of ACE and found a variety of gaps in cyber security compliance. Some of these gaps have been addressed in existing procedures but staff are not complying. Others are caused by workplace behaviours that should be prohibited by policy and enforced but no policy exists.
Jane also finds that in some cases staff are complying with policy, however ACE’s existing operational processes and policy have not secured some cyber security risks. Jane writes her benchmarking results into the following report:
ACE Pty Ltd Cyber Security Awareness
Gaps in workplace behaviours that are covered by workplace policy:
- Passwords written on sticky notes and placed on monitors
- Use of USB sticks to move data from computer to computer.
Gaps in policy requiring closing:
- Staff are not required to lock screens when away from their desk
- No password policy noting that personal details are to be used in making passwords such as using a partner’s birthday or name of a family pet.
Policy describes workplace behaviour and staff are compliant, however the policy is deficient:
- Staff are permitted to browse the internet at work from business devices at lunchtime
- Staff can bring their own device to work and connect it to the business network as needed.
Jane meets with senior managers at ACE and details the findings in the report. She suggests that:
- A refresher program be developed to update staff on ACE cyber policy to ensure the practice of using USB sticks (that can contain viruses) and putting passwords written on sticky notes to be seen widely are stopped. They note that this program should be developed as a priority.
- The policy on operational use of PC’s be updated to ensure screens are locked and passwords are not selected that can be guessed. Jane notes that password naming conventions can be enforced by creating digital rules on Ace’s server. Jane indicates that updating the policy is to be followed with an educational program to inform staff.
- The policy on browsing the internet at work at lunchtime be stopped and the cyber policy updated accordingly. This will ensure staff do not accidently load malware (a program designed to damage IT systems) into their PCs from using infected websites. Further, that BYOD be stopped at work to ensure only business devices are used with appropriate anti-virus software connect to the ACE network.
Jane notes in the meeting that the changes will require operational changes from staff and she asks the managers to assist in: making time for staff to attend information sessions on required behaviours, and to inform staff of the changes to come.
Note: The term vector describes a way that a business’ digitalCyber security policy exists to protect businesses and third parties, such as clients, from cybercrime. platform can be illegally accessed. A vector can be:
- physical (such as not securing a door to a server room)
- provided by staff (for example, by using common passwords that can be guessed
- a software exploit (such as using vulnerabilities in common business software to allow access to a business’ data).
Activity 1 - Managing Data Breaches
Cyber security policy exists to protect businesses and third parties, such as clients, from cybercrime.
The most common cyber security policies and procedures relate to the following points:
- securely storing, sharing and managing information
- encryption, and protocols for its uses
- data classification and management
- media/document labelling
- data governance
- acceptable use
- bring your own device
Let’s see what each of these policies is meant to cover in the table below:
| Organisational Policies and Procedures relating to: | Explanation |
|---|---|
| Securely storing, sharing and managing information | The policy for securely storing, sharing, and managing information in a cybersecurity context aims to establish guidelines for protecting sensitive data throughout its lifecycle. This includes specifying secure storage practices, access controls, and encryption methods. The policy should cover protocols for sharing information securely, emphasising encrypted communication channels. Additionally, it should address management practices, such as regular audits, to ensure ongoing compliance with security standards and regulations. |
| Encryption, and protocols for its uses | The encryption policy is designed to provide a framework for implementing and maintaining robust encryption measures to protect sensitive information. It covers the types of data that require encryption, the encryption algorithms and protocols to be used, and the circumstances under which encryption should be applied. The policy ensures that encryption is implemented consistently across the organisation, both for data at rest and during transmission, using industry-accepted best practices. |
| Data classification and management | The data classification and management policy focuses on categorising data based on its sensitivity and importance. It outlines the criteria for classifying data into different levels, such as public, internal use only, confidential, or highly confidential. The policy includes measures for implementing access controls based on data classification, ensuring that appropriate security measures are applied to safeguard data according to its significance. It also addresses data handling procedures and regular reviews to adjust classifications as needed. |
| Media/document labelling | The media/document labelling policy sets out the standards and procedures for marking both physical and digital media or documents with appropriate classifications. This ensures that individuals handling the information understand its sensitivity and adhere to the corresponding security measures. The policy aims to prevent accidental disclosure and supports a consistent approach to handling and protecting information assets throughout their lifecycle. |
| Data governance |
The data governance policy establishes the framework for managing and overseeing the organisation's data assets. It includes roles and responsibilities for data stewardship, guidelines for data quality, integrity, and security, and processes for regular audits. The policy ensures that data is treated as a valuable organisational asset, promoting responsible use, protection, and leveraging of data for strategic purposes. It aligns data practices with business objectives and regulatory requirements. |
| Acceptable use |
The acceptable use policy outlines the acceptable behaviours and practices concerning the use of organisational technology resources. It covers the responsible use of computers, networks, and internet access to prevent security incidents, unauthorised access, or misuse. The policy sets boundaries for acceptable behaviour, specifies consequences for policy violations, and contributes to creating a cybersecurity-aware culture within the organisation. |
| Bring your own device |
The BYOD policy addresses the security implications associated with employees using their personal devices for work purposes. It defines security requirements for personal devices, including antivirus software, encryption, and software updates. The policy aims to strike a balance between employee flexibility and maintaining a secure computing environment, highlighting the shared responsibility between the organisation and employees to ensure the security of sensitive information accessed or stored on personal devices. It helps mitigate risks associated with BYOD practices while promoting compliance with cybersecurity standards. |
Developing effective cybersecurity policies and procedures
Developing effective cybersecurity policies and procedures for an organisation is crucial for safeguarding its information assets and ensuring a secure computing environment. Here are some tips and considerations to help you create robust cybersecurity policies and procedures:
- Begin by understanding the organisation's structure, operations, and the types of data it handles.
- Identify critical assets, sensitive information, and potential vulnerabilities.
- Familiarise yourself with relevant laws and regulations governing data protection and cybersecurity in your industry and region.
- Ensure that your policies align with these legal requirements.
- Conduct a thorough risk assessment to identify potential threats and vulnerabilities.
- Prioritire risks based on their potential impact and likelihood.
- Collaborate with key stakeholders, including IT teams, legal, human resources, and management, to gain diverse perspectives and ensure buy-in.
- Use clear and easily understandable language in your policies to ensure that all employees can comprehend them.
- Avoid technical jargon unless it is necessary for specific roles.
- Clearly define the scope of each policy and specify to whom it applies.
- Tailor policies to different departments or roles within the organisation if necessary.
- Define procedures for granting and revoking access to systems and data.
- Implement strong authentication mechanisms, such as multi-factor authentication
- Classify data based on sensitivity and importance.
- Specify the handling procedures for each classification level.
- Develop a clear incident response plan, outlining steps to take in the event of a cybersecurity incident.
- Establish reporting mechanisms for employees to report security incidents promptly.
- Implement a cybersecurity awareness training program for all employees.
- Regularly update training to address emerging threats and technologies.
- Establish procedures for regular security audits to assess the effectiveness of your policies.
- Implement monitoring systems to detect and respond to security incidents in real-time.
- If applicable, include guidelines for evaluating and managing the cybersecurity practices of third-party vendors.
- Ensure that vendors align with your organisation's security standards.
- Define policies for securing mobile devices, including smartphones and tablets.
- Address issues such as data encryption, device management, and acceptable use.
- Cyber threats evolve, and technology changes. Regularly review and update your policies to stay current.
- Conduct simulated cyber-attacks or penetration testing to assess the effectiveness of your security policies and procedures.
- Use the findings to make improvements.
- Document policies and procedures in a central location that is easily accessible to all employees.
- Communicate changes effectively and ensure everyone is aware of the latest policies.
- Establish a process for continuous improvement based on feedback, incidents, and emerging threats.
- Regularly revisit and update policies to address new challenges.
- Before finalising your policies, have legal experts review them to ensure compliance and minimise legal risks.
- Ensure consistency across all policies to avoid confusion and conflicts.
- Cross-reference related policies for clarity.
- Gain support from top executives to emphasise the importance of cybersecurity.
- Executive support helps ensure that policies are taken seriously throughout the organisation.
By considering these tips and best practices, you can develop comprehensive cybersecurity policies and procedures that contribute to a strong security posture for your organisation.
Watch
Learn about the Confidentiality, Integrity, Accessibility (CIA) principle that all cyber security seeks to address. Watch the video below:
Activity 2 - Quiz
