Planning

With more Australian businesses being targeted by cybercrime each year, ensure you include cyber security in your business plan and budget to protect your organisation from threats online.

Tip: Successful online security within a business of any size relies on management support, good internal communication and individuals taking personal responsibility for their online activities.

Plan and budget to protect your business

Planning is a significant aspect of cyber security. To protect yourself and your business, an online security plan is essential. It can significantly reduce your organisation’s exposure to cyber threats, and the associated costs and downtime if a compromise does occur.

You also need to ensure that budget is allocated to the online security of your business. While free security tools and resources are available, they may not be the right choice for your circumstances. Having an effective online security plan may cost time and money, but it can be significantly cheaper than recovering from being compromised.

Your plan doesn’t have to be complex. It should clearly and simply outline what needs to be protected and the key principles and rules for online security in your business. You can identify and adapt existing standards to deal with specific online security issues or technologies in the business, or write your own.

Ensure you include the following in your business plan:

  • Action plans for your staff to follow if something goes wrong, such as:
    • Equipment is lost or stolen
    • A computer is infected with a virus (such as ransomware)
    • Data is lost or stolen.

Important: Make sure you have an action plan fully documented and tested for restoring data from back-up. Sometimes, this is the only option for recovery.

  • Employee policies - for safe use of the organisation’s internet connection, IT network, email, social media, mobile devices and other computing assets. A policy on using strong passwords is also recommended. Learn more about strong passwords.
  • An outline - for how sensitive information is handled (who has access and how it is stored and protected).
  • A tracking or asset management system - so you know who is using what equipment in the organisation.
  • Systems in place - to ensure operating systems, security software, web browsers and other software are kept up to date.
  • A process for reporting breaches - using the Office of the Australian Information Commissioner’s Data breach notification – A guide to handling personal information security breaches.
  • A defined role in your organisation - that is responsible for information security. This ensures that security is considered in your organisation’s day-to-day activities. This person should:
    • Ensure all staff understand their responsibilities for online security.
    • Stay abreast of current threats, trends and security options.
    • Assist with planning, acquiring and implementing security safeguards.
    • Enforce online security best practices and policies with management support.
    • Maintain and update the security safeguards used by your business. This can include creating back-ups, updating security software, changing passwords regularly, etc.

How to prepare your online security plan

There are a number of activities you can do when preparing your plan. These activities will help you identify the information assets that are critical to your business, and help you understand what threatens them. You can then apply counter-measures to protect those assets and reduce the risk to your business:

  1. Identify all business assets such as computers and business information, and determine their importance and value to the business.
  2. Discuss online security threats with employees or outside experts (as required) and determine which assets are at risk of harm if one or more of those threats occur.
  3. Prioritise risks as high, medium or low, then determine what can be done to reduce those risks.
  4. Evaluate the threats, risks and potential security safeguards, then decide what can and should be done to improve online security.
  5. Communicate the online security plan to all employees so they understand their roles and responsibilities. Explain the policies and standards to personnel so they understand the rationale for the rules, to whom they apply and any consequences for not following the policy.

Don’t forget to regularly review and update your plan.

Learn more

Learn how to protect your business in five minutes with our Small Business Guide.