5 Steps to Confront Business Cyber Risk Head-On

Andrew Robinson

  • It may come as no surprise that cyber risk is one of the biggest risks in global business right now. Cyber incidents aren't just financially crippling, as they can also have a devastating impact on your business' reputation.
  • Many organisations fail to properly manage cyber risk due to their indifference, or they simply don't know how to approach what can be quite a complex task.
  • But there is some good news - you can create a robust cyber resilience program within your business by following five key steps.
  • Read on to learn how to protect your business against cyber security risk.

The 2020s are off to a rough start.

COVID-19 has been a massive wake-up call for every business. The pandemic hit and left a lot of boards shocked and dazed.

In a post-coronavirus world, businesses that responded well will have pride of place in every risk presentation. But most risk and leadership teams, from the company chair to the executive team, and from department heads to project leaders, are missing one key ingredient: communication.

Unfortunately, the world of compliance can be full of smoke and mirrors.

Why? Because for many, risk and compliance seem so cut and dried. The short answer is regulation: not because of regulation itself, but because of what is done in its name.

Why have regulators stepped up the game?

Regulators have recently stepped up their game, and they have only just begun. They had to. Too many organisations ticked a few boxes and wiped their hands, thinking they were ‘safe’.

Your internal IT department is not an island. Yes, they can manage threats and secure data, but have you discussed what you’re protecting, or what you’re protecting it from? Just because you may not hold confidential customer information does not mean you won’t be targeted.

Simply ‘meeting standards’ is not the full picture.

Compliance assessments often fail to achieve their intended outcomes because companies do not implement the requirements authentically. Mix in some complacency and you've got yourself quite the appetite for risk. Scary, huh?

You cannot ‘fake it til you make it’ with compliance. Nor will simply ticking boxes ensure your business builds resilience.

What is one of the biggest risks in global business right now?

Cyber incidents are one of the top global business risks right now. A cyber incident can be financially crippling for a business, yet an attack can also infect other risks like ‘loss of reputation’ (and when that hits, say goodbye to your clients and market share) and ‘business interruption’ (also in the top 10).

With COVID-19 doing enough damage as it is, a cyber incident is the last thing you need while you're trying to get your business back on track.

Many organisations have sadly failed in their approach to risk management due to their indifference or have simply been unaware of how to appropriately tackle such a complex task.

You might remember a company you have worked for that knew how many risks it was exposed to, yet ignored them, or one which had good intentions toward risk and cyber security concerns, yet was mistakenly worried about the wrong ones.

How can I protect my business against cyber risk?

The great news is that you can create a decent cyber resilience program within your business by bringing the following five key elements together.

1. Invest in a cyber insurance policy

Cyber-risk coverage is an essential part of your risk management plan. But be very careful when choosing a policy as it can feel like a grey area with uncertainty around payouts. Be sure to engage a cyber advisory practice.

2. Conduct a cyber security risk review

Conduct a cyber security review involving everyone in your company. Risk reviews are the most effective place to start, at any time, for any risk domain.

The tech tools are waiting for you. Shake off the spreadsheets and PowerPoint slides and unleash the power of your people to bring the best results to your next risk assessment.

3. Implement an information security management system (ISMS)

An information security management system (ISMS) based on ISO/IEC 27001 will enable you to manage information and security-related risk, improve your security maturity and demonstrate compliance to both internal and external compliance requirements.

Be sure to find a tech company that gives you a platform with bonus capabilities that go beyond GRC and that start with asset management, e.g. the ability to identify and classify information assets using a customisable schema. You can then link risk assessments to impacted assets and understand what is at risk.

4. Educate your company and raise awareness of cyber security

Raising awareness of cyber security is vital across the whole organisation. That means educating all staff about cyber security and its risks, including employees, contractors and relevant stakeholders.

5. Consider employing cyber professionals

If you have an internal team, great. If not, make sure the external cyber professionals you engage are included in your third-party vendor risk reviews.

Covering all five steps will not only help you identify gaps in your organisation's cyber security, but it will also help you determine how quickly your business can or will recover if you’re attacked.

Failure to achieve true compliance is not entirely a board’s fault. The siloed approach to the traditionally non-overlapping domains of GRC, ISMS and cyber security has not been very conducive to risk management progress.

The question is: How can we continuously be glancing over the shoulder of our organisation’s present moment and feel confident?

Put simply, the frame you put around your attitude to risk and information security largely determines your experience of it.

There’s no silver bullet for the unknown, but the right mindset is a damn good place to start.

Andrew Robinson

Head of Cybersecurity at 6clicks PTY LTD

Andrew is a Founder and the Head of Cyber Security for 6clicks, a Software-as-a-Service platform for risk management and compliance. The platform helps organisations complete cyber security assessments as well as various GRC/ISMS activities aimed at implementing stronger cyber security. Before joining 6clicks, Andrew worked for both the Australian national authority on cyber and information security, the Australian Signals Directorate, and across the justice portfolio of the Victorian Government including courts, corrections, emergency services and integrity bodies. Andrew also has significant experience performing assessments and building security programs (e.g. ISO 27001 and ISM) in various sectors including financial & legal services, health, education, transport, energy/utilities and IT companies such as telecommunication providers, data centres and software vendors. Holding a master's degree in Policing, Intelligence and Counter-Terrorism specialising in Cyber Security, along with various industry certifications, Andrew is well credentialed. He also continues to carry out assessments of ISO 27001 certification bodies on behalf of the Joint Accreditation System of Australia & New Zealand (JAS-ANZ). Andrew aims to help as many organisations as possible improve their cyber security and succeed with digital transformations that benefit us as individuals and as a society.