Easy Mode

Get it Done

The Journey

  • What else about the cybersecurity in your business is keeping you up at night?

    • What advice do you need, or what steps do you need to take?

  • Ensure you have a Trusted Advisor that is helping your business with all things IT and Cyber.

    • They don’t have to be the same people or the same company. Cybersecurity is not solely an IT thing, and IT is not all about cybersecurity.

  • You have a Trusted Advisor that is a key member of your business team.

    • The Trusted Advisor works with your business proactively and is on hand for any key decisions and changes in business processes.

  • AI?

    • This is a whole other topic.

    • If you are using any of these new Generative AI tools in any way, stop and think what data you are feeding it.

    • If you would not put that data on your public website, don’t give it to an AI engine.

    • Listen to this podcast which has some excellent pragmatic advice about AI in your business.

  • Have an audit of your business usage of Generative AI (and other AI tools). See if you can turn it off until you decide what the risks and ramifications are for your business using it. The ACSC has some good AI documentation.

  • AI is used where appropriate and only where approved.

  • AI usage is monitored and the business responds to the rapidly changing technology by continuing to evaluate if the usage fits within your business risk profile.

  • What happens if you have a cybersecurity incident?

    • Do you know who to turn to, what the first steps are, and then what the next steps are?

  • Incident Response Plans are tested.

    • Incident Response Plans are kept up to date in hard-copy form, and all staff know what their roles and responsibilities are if an incident happens.

  • Who has access to your physical premises?

  • What can visitors see or hear when they are wandering around?

  • Have a visitor register so you know who comes into your premises and when.

    • Have a visitor badge to identify that this person is a visitor.

    • Let staff know what is expected of them when there are visitors in the premises.

  • Do you want a “clean desk policy” so nothing is visible when the cleaners come through at night?

  • Are visitors (e.g. trades, repairs) escorted within your premises at all times?

  • There may need to be a policy to do Police vetting on any staff member or contractor that has access to the premises, or who has administrator privileges to your business applications.

  • All of the tech things! Yes, the things that you don’t want to know about or think are too hard. If that is the case, find someone who can explain it until you understand it, and why it is important for your business.

  • Challenge your Technical Advisor and ask good questions. But that does need to be balanced with knowing when to take advice from them.

  • What are the technical things in your business that you don’t understand? Here are a few examples:

    • Multi Factor Authentication - MFA

    • Encryption including Encryption at Rest and End to End Encryption

    • Transport Layer Security - TLS

    • Secure Sockets Layer - SSL (the “s” in https)

    • Antivirus

    • Firewall

    • etc

  • Some more advanced technical concepts that may be needed for your business as it grows.

    • DKIM, SPF, DMARC for email

    • Single Sign On - SSO

    • Identity and Access Management - IAM

    • Virtual Private Network - VPN

    • Remote Desktop Protocol - RDP

    • etc

  • Even more advanced technology topics, to understand how they are used in your business.

    • Asset Discovery

    • Application Allowlisting

    • Penetration Testing

    • Threat Intelligence

    • Vulnerabilities

    • Hardening (e.g. of browsers, email, software, hardware).

    • Privileged Access

    • Break Glass

    • Logging and Monitoring

    • Network Security

    • Cryptography

    • Audit

    • Data Classification

    • etc

  • Talk to your Business Insurance Broker about whether you may need Cyber Insurance.

    • There is a lot to know, and the terms and restrictions are difficult to understand, but if your broker recommends it, it is worthwhile to understand what Cyber Insurance can do for you.

    • Cyber Insurance is unlike other insurance - it is not going to restore your business to the way it was before (like rebuilding a house after damage). Cyber Insurance is not a substitute for actually doing the hard work to improve your business’s cybersecurity practices.

  • Understand all the terms and conditions of your Cyber Insurance

  • Have a good dialogue with your Insurance Advisor so they really understand your business and the cyber risks your business faces.

  • Ensure your insurance gives you access to a team that will help your business manage a significant incident.

  • A lawyer specialising in cybersecurity recommended that I talk to the lawyers on their panel, to understand what they do in case of an incident, and that is something she regularly does with the insurance companies she works for.

  • Legal and Insurance are a key part of your business as usual, and you have a trusted Legal Advisor and a trusted Insurance Advisor along with your trusted Technical Advisor.