Why you need a cyber security policy for your business

Australian companies and organisations are being warned to remain vigilant and increase cyber security measures. The Australian Cyber Security Centre has issued a high status alert because of the risk of cyber attacks having international consequences.

What can I do to protect my business?

This is a timely reminder of the importance of having a cyber security policy for your business. If your business doesn’t have a cyber-security policy, you could be leaving yourself open to a cyber attack.

The implications of a cyber attack on your business are likely to be more than just an inconvenience. Important information or data held by your business such as customer records and personal information, financial records, emails, business plans, intellectual property and employee records could be at risk. You could potentially suffer financial loss due to the theft of funds, data or information, disruption to your business, damage to your reputation and loss of public trust and significant costs to restore your systems.

What is a cyber security policy, and why do I need one?

You will need to develop policies and procedures to help employees understand how to prevent an attack and to identify potential incidents. You will need identify what is important to your business and then consider the risks and the steps you will need to take to reduce the effects of a cyber attack.

A policy helps your employees to understand their role and their responsibilities in protecting your business in order to avoid a cyber security incident.

It is easy for employees to make mistakes and enable a data breach or attack. A basic cyber security policy should address the following at a minimum:

1. Rules for using email encryption;
2. Steps for accessing work applications remotely;
3. Guidelines for creating and safeguarding passwords;
4. Rules on the use of social media; and
5. Information in relation to the monitoring of emails.

If a cyber security incident occurs, you will need to minimise the impact of it on your business and get back to business as usual as quickly as possible. It can be difficult and stressful to respond to an incident in the moment so it is beneficial to have an incident response plan in place that will guide you through the required steps.  An incident response plan should guide you through the following:

1. How to respond to a cyber incident;
2. What actions to take and when; and
3. Staff roles and responsibilities for dealing with a cyber attack.

How do I ensure my cyber security policy is followed?

It is not enough to just have a policy in place, you must ensure that employees are trained in and understand the policy and that the policy is implemented at all levels.

You should also consider providing employee training to ensure employees are aware of:

1. their obligations under the cyber security policy;
2. how to prevent cyber security breaches from occurring; and
3. how to respond promptly where a breach has occurred and the steps employees should follow.

What else can I do to protect my business?

Technology

If the following protections and processes are not already implemented, you should consider implementing them to ensure your business is protected:

1. Firewalls;
2. Dual factor authentication;
3. Monitoring of emails; and
4. Undertaking phishing drills to determine holes in your IT system.

When undertaking these steps, it is important to ensure that employees are aware of the systems in place and their obligations, which may need to be incorporated into your policies and, in some circumstances, into employment contracts.

Insurance policies

You should also ensure your business has the appropriate insurance policies in place that would cover losses in the event of a cyber attack. Cyber liability insurance cover can help your business with the costs of recovering from an attack. Like all insurance policies, it is very important your business understands what it is covered for and an experienced insurance adviser should be consulted to determine the appropriate policy for your business needs.

Privacy Policy

When considering the protection of your business and the information you hold, it is also important to review your privacy policy. It is essential that you keep your customers’ information safe. If you lose or compromise their information, in a cyber-attack or otherwise, it will damage your business reputation, and you could face legal consequences.

If the Privacy Act covers your business, you must comply with the Australian Privacy Principles. Even if the Privacy Act doesn’t cover your business, it’s important to handle your customers’ personal information appropriately.

You need to have a clear and up-to-date privacy policy that outlines the information you collect, what you use it for and how you protect it. It is recommended that you make this policy available on your website.

If your business is covered by the Privacy Act, you will also need to comply with the Notifiable Data Breaches scheme in the event that a data breach occurs.

What can Coulter Legal do to assist?

Our experienced corporate and commercial lawyers can assist you to draft a cyber security policy, an incident response plan and a privacy policy for your business. If you have existing policies, we can review these with you and update them as required.

We can also advise you as to your legislative obligations in relation to cyber security incidents, data breaches and the protection of personal information.