ISO 27001:2013 and the new fraud standard - building organisational cyber security and operational resilience

The updated Australian Standard (AS8001) for fraud and corruption was recently released, applying to all organisations operating in Australia. Its purpose is to guide how Boards and Executives can prepare their organisations to manage fraud risk. With unprecedented levels of cybercrime, it’s not surprising that this update to the Standard also includes a requirement to help manage information (cyber) security risk.

Cyber resilience strategies must come from the top and inside-to-out, as attacks often occur from downstream control failure, with disastrous outcomes resulting from tiny vulnerabilities. The new Standard's messaging emphasises this, and how critical it is for boards to take an active role in improving cyber resilience - echoing Australian and global regulatory standards and frameworks released in the past two years.

It’s incumbent on the board and executive to better understand the cyber threat landscape, including the national and international context and their own strategies and limitations, before deciding on the appropriate response.

How should boards respond to such a complex and often misunderstood area of risk management? The updated standard discusses having a thorough plan and mandates that an organisation’s cyber strategy include an Information Security Management System (ISMS). Therefore, this should be an organisation’s first step.

What is an Information Security Management System?

An ISMS is simply a way for an organisation to govern and control risk. It’s not a technical system or solution, but a systematic approach to risk in the context of your organisation, including leadership, how you manage performance, and the right controls you need to have in place.

There are many different standards, best practice frameworks, regulatory standards and governance standards to consider from a cyber security perspective. However, when we are implementing an ISMS we typically think of one: ISO 27001:2013.

About ISO 27001:2013

ISO 27001:2013 is a leading international standard focusing on information security, comprising cyber, information and physical security, with two key components - mandatory management and risk-based control.

Mandatory management - Understanding your risks

This component enables an organisational understanding of risk and what is required to manage it, by asking management to consider the scope of the risk environment.

It’s important to establish a baseline understanding of each threat and how the organisation is trying to protect against it. This will help with understanding the broader picture, the controls required and where you need to be from a compliance perspective.

Essential questions to ask when seeking to understand threats are:

  • What information assets are we trying to protect?
  • Who are we trying to protect our information assets from?
  • Where is the information asset, who has access to it, and why?
  • What are the cyber threats our organisation faces?
  • What controls do we currently have in place to protect our information assets, and how effective are they?
  • Do we regularly evaluate our controls?
  • Who are our third parties, and how are we controlling their access?
  • Do we have good governance and management, led by the right people?

It’s important to note that all organisations have different threat landscapes and risks they need to manage. Banks, for example, have a vastly different threat profile to a local government agency, and a local government agency is quite different to a charity.

Risk-based control - Designing and testing the right controls

The standard’s second component addresses the controls organisations need and/or have in place, such as vulnerability management and change management, including how they’re designed and how to test their effectiveness.

At this point, some of the control areas to work through include preparedness, educating staff, password management and multi-factor authentication for access.

If the right controls aren’t in place, or existing ones aren’t monitored, it can be detrimental to your organisation. However, designing and testing controls can also be an iterative process – getting it right is a marathon, not a sprint.

Due to feeling overwhelmed or pressured by regulatory requirements, many organisations try to fix things quickly. In our experience, it’s better to make small, well-considered changes over time that get the organisation to where it needs to be.

Lastly, testing of controls is critical. Organisations often have response plans, but either don’t test them or, if they do, don’t include the right people in the process. If a real threat emerges, there will need to be a variety of people in the room, not only technical staff, so ensure senior management, legal representation and a cyber-consultant are included.

How to get prepared

Although you only need to consider the first component of ISO 27001 under the new fraud standard, all organisations should have a handle on both the risks and control testing. Our team has seen a lot of requests for ISO 27001 recently, as regulators such as APRA have released their first Information Security Standard. Further, the New South Wales cyber security policy mandates an ISMS.

Cyber fraud is an ever-evolving landscape. Organisations need to be on the front foot - including sharing information and talking to peers, government agencies and industry bodies to make sure they’re well prepared.

If you want to understand how the Standards apply to your organisation, get in touch with a BDO Cyber Security Specialist.