Well, if it’s today, you might first ensure you’re not vulnerable to the current global ransomware attack. However, the fact that it’s happening and has now hit Australia should prompt questions from senior leaders in every Australian business and government-funded organisation, such as:
- Does your organisation have up-to-date, well-documented ICT security policies?
- Does your organisation have up-to-date, well-documented procedures for ICT security (like patching, since WannaCry exploited an unpatched vulnerability)?
- Have your ICT security policies and procedures been implemented effectively with all computer users?
Security incidents of varying types are being publicised at an alarming rate. There are now many examples of those incidents occurring here, not overseas. Australian organisations have many reasons to be looking hard at ICT security.
Of course, no organisation’s network is 100% safe. Even so, some leadership teams still see cyber security purely as a compliance issue and an ICT responsibility.
If you really want to keep your data safe and protect your customers and the reputation of your agency or business, ICT security policies and procedures should be “embedded”. What I mean by that is that we need to start treating ICT policies and procedures with the same gravitas as the other policies we’re all so familiar with, like Occupational Health and Safety, Anti-Discrimination and Sexual Harassment.
When your computer users are as familiar with your ICT security policies as they are with HR policies, and your ICT team have all the procedures in place they need to support ICT security, you’re being proactive about closing doors to a security incident. If you’re not proactive, it’s like leaving the windows open and the doors unlocked at home; when a thief can get into your house more easily than the neighbours’, yours is the easy target.
Yes, the current ransomware attack exploits a technical vulnerability (one that effective implementation of procedures, through patching, could have addressed), but it started with a phishing email to computer users (something a strong, embedded policy may have avoided). So, as always, people are the link, and the policies and procedures need to be in place and communicated to change behaviour.
In addition to the evolving security environment, there are many risks arising now from the increased need for mobility in most organisations. Those include the risk of data breach through loss of hardware such as mobile phones, tablets and storage devices like USB sticks. Risk around third-party access to systems is also an area of focus.
In response, we are seeing increased compliance obligations in Australia with new data breach legislation requiring mandatory reporting. We are also seeing more audits that try to police the management of risk. Unfortunately, new legislation and more audits will not solve the problem entirely. Engagement with ICT by senior leaders is essential. Most of our clients are now asking the CEO to sign off on their ICT security policy, which is great to see. However, in addition to ICT leadership, organisation-wide support at the senior leadership level is what is required for robust ICT security.
You can take steps right now to protect your organisation from being hacked by championing the update of your ICT security policies and procedures and ensuring they are implemented effectively.
If your team doesn’t have the time or skills to do the work, ROI Solutions can assist. We have considerable expertise with ICT policies and procedures and the services are delivered using a flexible model to save you time and budget. Please contact us to discuss on 0414 702 163.
Published on LinkedIn, May 2017