Organisations of all sizes struggle to implement basic governance and internal controls. This isn’t surprising. The Australian Government’s Information Security Manual (ISM) alone lists thousands of controls an organisation could implement. So it’s important to understand where you want to start and to get the basics right first. This is where experience matters.
In 2019, the New South Wales Auditor-General’s Report to Parliament analysed the internal controls and governance of 40 of the largest agencies in the NSW public sector. The report identified several findings common to multiple agencies, in areas that are fundamental to a good internal control environment and effective organisational governance. The Auditor-General also examined information security controls over key financial systems and found user access administration deficiencies (in granting, reviewing and removing user access) at 58 per cent of agencies, and no review of privileged user activity at more than a third of them.
Failures of key internal controls and governance practices are all too common. We often find through our client consultations that there is no formal IT security policy and no adopted procedures for cyber security. One of the principal concerns is the perceived investment: the time required to create these policies and procedures, to implement cyber awareness programs for employees, and so on.
This is also where a disparity opens up between larger enterprises and those with fewer resources. Small and medium sized businesses that are focused on survival often neglect to invest in, and protect themselves with, good security policy and procedures.
Building your security posture
Cyber security is an ongoing issue, so knowing what you are actually trying to defend against or protect is key. This tells you what is important and what is not. Once you understand what the business is trying to achieve, you can work out your plan and where your ongoing issues will be. Cyber security then becomes part of the natural planning process, one more business risk to consider, rather than an afterthought.
Once you find the solution that fits your organisation, that becomes your security posture: your overall cyber security strength, and how well you can predict, prevent and respond to ever changing threats.
Novaworks is ISO 27001:2013 certified and certified for hosting federal government and other SaaS applications in the cloud. Every day we work with information security management frameworks, manuals, procedures and policy, which has transformed our way of thinking and means we think about cyber security every day. We make sure our clients know what they should be thinking about on a day-to-day basis, rather than reacting after an incident has occurred.
We help our customers understand what cyber security really is and how to incorporate it into their ongoing operations. We help minimise cost by cutting security activities that may not be needed. The security sector is broad: it’s not just antivirus, it’s not just identity, it’s not just encryption. There is a lot to consider.
The important point to remember is that you first need to put a framework in place, but dial it down to the basics: be clear on what you are trying to protect or defend against, and then do what’s right for the business. And don’t forget that cyber security is everyone’s responsibility. Every employee is a potential point of risk, whether that’s an email with malware attached or a device being used over public Wi-Fi, so accountability extends beyond the IT team.
The bottom line is that increasing cyber security spending will not, by itself, make any business more secure. Knowing how effective that spending is will, and that is the goal we should all be working towards.
Need help? Download our Guide to Cyber Security or book an appointment with a NovaWorks cyber security expert.