25 October 2023

New Cyber Security Principles Help Guide Director Decisions

A new joint report from two peak industry bodies highlights the positive impact managing directors can have on cyber security.

The Australian Institute of Company Directors (AICD) has released a report in partnership with the Cyber Security Cooperative Research Centre (CSCRC), focused on giving managing directors a range of actions to support cyber resilience.

The AICD CSCRC Cyber Security Governance Principles lists five critical principles for managers and directors to follow to improve and support cyber security, along with a series of “governance red flags” to help identify issues that could indicate a broader underlying risk to information security that stems from the management level.

The information provided by the principles pairs well with the steps prescribed by other cybersecurity-focused organisations, including the ACSC’s Essential Eight framework and the NIST cyber security framework.

Included in the report is a list of the top ten questions directors can ask to help identify potential areas of weakness in an organisation’s overall cybersecurity posture across five key areas:

  1. Roles and responsibilities
  2. Cyber strategy
  3. Cyber risk management
  4. Cyber resilient culture
  5. Cyber incident planning

The report’s release is timely, following in the wake of two sizeable information security breaches.

First, the cyberattack on Optus, a large Australian telco, was reported in September 2022. This event saw attackers engage in what Optus called “the possible unauthorised access of current and former customers’ information.”

The second incident involved Medibank Private, an Australian healthcare insurance firm. First reported in October 2022, this incident came to light when Medibank noticed some “unusual activity” on its network. The alleged attackers then contacted Medibank, providing samples of data they claimed to have obtained during the attack.

These two attacks saw the information of potentially millions of Australians compromised, including:

  • customers’ names
  • dates of birth
  • phone numbers
  • email addresses
  • postal addresses
  • Medicare numbers
  • policy numbers
  • details from driver’s licences and passports
  • data relating to medical claims, including service locations and codes relating to diagnoses and procedures

The Minister for Home Affairs and Cyber Security, Clare O’Neil, commended the release of the cyber security principles. O’Neil described them as ideal for “organisations of all sizes” and said there was a lot “that even small business and not-for-profits can do to ensure that the data they use and store is securely protected.”

O’Neil stated: “As Australians entrust their most sensitive data to organisations, there is a legitimate expectation that it will be protected.”

Directors have a critical role to play and must seek to lift their own cyber literacy levels, recognising that this is a key risk that can never be eliminated but can be effectively managed.