Cyber risk management is often a topic that many business owners feel doesn’t apply to them; that it is for large organisations to deal with. Yet Kathryn Green , the Director of Digital Technology, the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) at the Australian Radiation Protection and Nuclear Safety Agency (ARPANSA), says that “risk management as a whole is vital to business success and resilience, whether you’re a small business, a not-for-profit or a government organisation.” In fact, the products and services that ARPANSA delivers are “to protect people and the environment from the harmful effects of radiation.” Risk management and cybersecurity fall within that brief because “understanding the potential pitfalls to stop us delivering, or that impede our delivery of products and services is so important.” These risks are even more important now, especially in light of the pandemic, “as more and more businesses are online and virtual.”

To illustrate the importance of cyber risk management, “let us to look at the fictional case study of a small business.” It might be fictional in that this particular business does not exist, but all the components of the case study are real and based in reality. The business is run by two entrepreneurs “who have a passion to move forward, producing beautiful and functional shoes.” They have been in business for a decade, with a “strong community of customers and they have wonderful relationships with their suppliers, their artists and producers.”

As entrepreneurs, the two partners are always looking for opportunities for growth and development. As part of that, they took their business online during the pandemic and as a result, now want to take a “deep dive into risk management, specifically to understand the devastating effects of cyberattacks on their small business.” When the business started, the biggest worries concerned theft or destruction of physical stock or property.

The deep dive into risk management included “mapping the phases of design, production, delivery, customer support, and customer engagement,” and how all of these components fit into the business ecosystem, including the financial, HR and compliance measures. A lens of cybersecurity could then be “overlaid on top of this map to see which areas were high priority and needed to be defended or responded to quickly in the case of a failure or an attack.” This then allowed them to “go through each individual component to identify the systems that were potential points of risk or failure, and what controls needed to be implemented to ensure the continued success of their business.”

This illuminating exercise showed not only the areas where they were strong, “but revealed a number of points of weakness that they needed to address.” For instance, some of their customer information was accessible to people outside of the business. “So multifactor authentication and other systems were in put in place that allowed them to understand how their information and their data was being accessed and used.” This was particularly important with regards to communication between manufacturers and suppliers. Moreover, “operational technology has become a target for cyber criminals,” so they needed to secure their laptops as well. Much of their website and social media accounts – “which is the lifeline of the organisation” – was being managed in-house on their own computers, so they needed to ensure that their online store and website were “protected as much as possible, and could be restored or refreshed at any stage, if ever compromised.” On top of all that, although they were the entrepreneurs and creatives behind the business who undertook the inquiry and were implementing the changes, “their staff needed to know that to continue to run the business successfully, they too need needed to understand cybersecurity.” This meant appointing champions of change amongst the staff, conducting training and “identifying how to respond to cybersecurity incidents.” The training was conducted by external experts, and they also “established relationships with cybersecurity vendors to monitor the systems and keep them aware of any emerging stress in the cyberattack landscape.” This included the creation of “incident response playbooks” and scenario planning.

Every element within that case study was real, even if the business itself may have been made up. What it showed is that “cyber risk is now a core component of their business. The fictional entrepreneurs would have gained confidence that they were managing their business well and could react to any eventuality that came their way.” This is particularly relevant in our modern world.