The Business Advisory Blog

The Business Advisory Blog

Insight, news and updates from Alliott NZ Chartered Accountants, Auckland New Zealand. The views expressed here are the views of the author and should be discussed in further detail should an article be relevant to your individual circumstances.

While every effort has been made to provide valuable, useful information in this publication, this firm and any related suppliers or associated companies accept no responsibility or any form of liability from reliance upon or use of its contents. Any suggestions should be considered carefully within your own particular circumstances, as they are intended as general information only.

Greg Millar
Published on

The threat cannot be overstated

  1. ipad outside screen-126Acceptable use: What company equipment can and cannot be used for.
  2. Access control: Who can access what, and when and where they can access it.
  3. Change management: Procedures to ensure that the impact of IT software or hardware changes on security is monitored and communicated.
  4. Information security: The rules governing the sensitivity of data and the accountability of employees.
  5. Disaster recovery: How business continuity will be maintained in the event of a successful attack.
  6. Passwords: Rules covering the format and updating of passwords and their reuse.
  7. Incident response: How the company will respond to an incident and recover from it, and who will take responsibility for remedial actions.
  8. Remote access policy: How employees will connect to the organisation’s systems remotely.
  9. Bring your own device (BYOD): How employees should use, connect and encrypt personal devices they use for company business.
  10. Email/communication: Acceptable use of email, social media, blogs and phone.

Key governance questions

  1. Does the board understand the organisation’s exposure to cyberattacks from both inside and outside the business, and the extent of the digital connections it has with suppliers, customers and the outside world?
  2. What are the vulnerabilities of the organisation to cyberattacks and the risks of it occurring?
  3. What are the likely business impacts of cyberattacks, including revenue loss, business disruption, crisis management, regulatory and recovery costs?
  4. What is the planned response to a cyberattack to deal with technical resolution, business disruption, impact, reputation management and regulatory response, and mitigating knock-on effects outside the business?
  5. What capabilities and resources does the organisation have for managing cybersecurity risks and dealing with incidents?
  6. How can the organisation collaborate with regulators, law enforcement, suppliers, customers and other stakeholders?
  7. How often does the organisation’s cybersecurity preparedness undergo review and testing, and who does the testing?
  8. Who is responsible for reporting on cybersecurity, both in an incident-based and regular basis?
  9. How often should there be board discussion of cybersecurity?

Source: Cyber and the CFO. Article originally published by (2019). [online] Available at:

Topics: accountability change communication continuity cybersecurity digital disruption employees Governance management risk security technology