As Medibank and Optus continue to navigate major data breaches, the Australian Institute of Company Directors (AICD) has released formal cyber security principles to guide company boards of directors that are being exhorted to brush up on managing the “core risk” of cyber security.

Produced through a collaboration between the AICD and Cyber Security Cooperative Research Centre (CSCRC), the newly released Cyber Security Governance Principles document establishes a framework to help directors manage cyber risk within their organisations.

This includes establishing roles and responsibilities around cyber security; development and evolution of cyber strategy; incorporating cyber risk into existing risk management strategies; building a cyber resilient culture across the organisation; and preparing and responding to a significant cyber incident.

The guidance also includes a five-step checklist of “practical low-cost steps” for directors of small businesses and not-for-profit organisations.

“Companies must expect to be attacked,” said CSCRC CEO Rachael Falk, “and the worst thing any organisation can do in this current environment is to proceed with a false sense of security.”

Cyber security, she said, “is a core risk that has to be incorporated into the everyday business of running any organisation."

The principles were developed in response to consistent feedback from the AICD’s director membership – who have repeatedly said in membership surveys that they lack the tools and knowledge to “engage effectively with management”, the organisation said.

A recent survey ranked Australian boards of directors as the world’s least sophisticated when it comes to understanding cyber security and its place in the pantheon of corporate risk – with just 58 per cent saying they see cyber security as a top priority, and 34 per cent admitting their organisation would be unprepared to cope with a cyberattack in the next 12 months.

The new guidelines will, AICD explained, “enable directors of all sizes of organisations to ask the right questions of management, spot red flags in how cyber security risk is being managed, promote a culture of cyber security resilience and prepare and respond effectively to significant cyber security incidents.”

A crash course in cyber security culture

The guidance comes amidst a flurry of new data breaches that has kept cyber security investigators and government regulators operating at top speed in recent weeks.

The major Optus breach, for one, was followed by the ever-worsening compromise of the healthcare information of around 10 million Medibank customers’ medical histories.

Other firms reporting data breaches recently include Australian Clinical Labs subsidiary MedLab Pathology and strata management firm SSKB – which was hit with a ransomware demand for $460,000 as customer data was published on the dark web.

Each company’s response to their breaches has varied dramatically, ranging from the full disclosure and government engagement of Optus and Medibank to MedLab’s decision to wait eight months before disclosing that the personal information of 223,000 customers had been compromised.

The mass compromise of consumers’ data has highlighted the dangers of collecting personally identifiable information (PII) and storing it long-term – yet despite reports of so many breaches in recent weeks, a new survey of 1,010 Australians found that most are still happy to share their personal information.

Fully 76 per cent of respondents, for example, said they are comfortable sharing their date of birth – used across nearly every industry as a key identifier to prove a person’s identity – although other types of data were perceived differently.

Three-quarters of respondents said they were happy to share their home address, although just 56 per cent said they were OK sharing their driver’s licence details – another key identifier that has become a major issue in recent breaches.

With some companies now hiring crisis communications experts with cyber security nous, many directors are clearly watching and learning – and the new AICD-CSCRC guidelines will provide further material to help board members adjust to the new normal.

“Cyber security is a crucial area for boards and we know they are looking for as much support as possible,” said AICD managing director and CEO Mark Rigotti. “Building cyber resilience within organisations is ultimately about building resilience across the nation as well as capacity within our teams and organisations.”