Cyber Security & the key questions for senior leaders

The increasing sophistication of cyber criminals, means organisations face a continued battle to protect themselves from a cyber attack. Many experts believe that a significant number of smaller and medium sized organisations are unaware of the real damage a cyber attack can inflict and are therefore not taking sufficient precautions. This is partly due to the difficulty senior leaders face in obtaining enough meaningful information to develop effective cyber defence strategies and partly due to a lack of rigour in asking 6 key questions, such as:

  1. What is my organisation’s cyber risk profile?
  2. How can I decide what level of risk is acceptable?
  3. How can I reduce this risk in a cost effective way?
  4. How do I respond to a cyber attack or data breach?
  5. How do I balance acceptable levels of risk and costs?
  6. How can I build an effective cyber security strategy?

These questions are deliberately challenging in two ways: firstly they are wide ranging and can be answered on multiple levels; and secondly, they require considerable thought which can take up valuable time for busy people dealing with day to day issues.

However, given the introduction of Data Breach Notification in Australia and GDPR legislation in the EU along with the strengthening of Privacy legislation in over 80 other countries, means the risk of a cyber attack is not only confined to the damage it can do to IT infrastructure, systems or the financial loss associated with an erroneous transaction, it can have much more wide-ranging repercussions if that cyber attack results in a breach of Personal information.

According to the Office of the Australian Information Commissioner (OAIC), of the data breaches registered between 1st April 2018 and 31st March 2019, 35% were caused by human error and 60% were caused by cyber attacks. This left just 5% which were attributed to system faults.


The risks of cyber attacks are therefore very real and can be very painful. So the real question is why aren’t organisations doing more to protect themselves?

I believe there are 4 main answers to this question:

The first is that many small and medium sized organisations believe that cyber criminals are only really interested in larger organisations and so they have the “They aren’t after me” syndrome.

The second centres around a lack of information; leaders either don’t know the questions to ask or are trusting their IT people to have it under control. The problem is that often the IT teams probably have the basics in place, e.g: they have network monitoring, advanced email filtering, updated firewall configurations, etc. And so they are ‘on it’. However, organisations change rapidly. New systems are implemented, hardware is upgraded, permissions are changed as people come and people go. Knowledge is lost. It is unlikely ‘IT’ have had the time to think strategically to put the relevant policies and procedures in place to ensure appropriate ongoing governance is maintained. However, leaders continue with the assumption that everything is fine meaning that investment isn’t put into ongoing staff awareness programmes.

This leads to number 3 which is a lack of investment in people. The first line of cyber defence in any organisation is its people. They create the policies, follow processes and carry out transactions. Ensuring cyber risk and IT governance is front of mind keeps your ‘Cyber Guard’ up.

The last answer is that many business leaders are not IT ‘savvy’ and don’t necessarily know where to start.

Simon Cohen
Virtual CIO and Cyber Security Specialist
Director Cohesis

If you are interested in learning more about Simon and Cyber Security Workshops in Perth, please visit this link.  He has created two training programmes to help organisations develop their Cyber Security maturity:

  1. The first seeks to establish a baseline of understanding as to what the current threats are and how, on a basic level, to deal with them. It includes practical advice and guidance and points organisations in the correct direction with actionable steps and a Cyber Security Maturity Assessment Report.
  2. The second is more advanced and helps an organisation’s senior leaders to build a Cyber Security strategy. During this course, participants delve into the various security layers, cultures and capabilities that persist in an organisation, tease out the risks and agree on appropriate ways to deal with the various risks that are uncovered.

Both of these courses are designed to be interactive and attendees will need to be engaged and proactive to get the most of them. However, in doing so, will leave a lot closer to having the answers to those 6 key questions above.