Cyber security is a matter of global significance that impacts us all. Increased connectivity through the internet means greater potential for people to be impacted by cyber-crime, and cyber espionage and hacktivism.

Last November, Prime Minister Tony Abbott announced a review of Australia’s cyber security policy and strategy with a view to making sure Australia is well placed from a cyber security perspective. This review is both timely and necessary. The internet brings many brilliant opportunities, but also a higher risk that personal and commercial information will be stolen or critical networks disrupted.

It is critically important for our government to have cyber security firmly in its sights. The government’s cyber-security review is an important step forward and one that other countries, like the United Kingdom, have done well.

However, the issue cannot be left to government alone to solve. Organisations and individuals play an essential role in effectively reducing cyber security risk.

The media is full of stories about companies being hacked and industry reports constantly warn of an ever ‘sophisticated’ threat environment that is becoming noisier and more complex.

In 2015, being targeted by hackers or cyber criminals should not be a surprise. It is common place and occurs every day, multiple times around the world. A small number of these attacks are sophisticated and targeted, but the vast majority are fairly basic in nature. They are a reasonably foreseeable event and every company can take steps to actively manage cyber risk.

As business people we should not rely on government to lead the way. While the government plays a critical role in times of crisis or when there are issues of national security, what is critically important is that cyber security is well understood in the boardrooms of Australia. Even more so because most of our critical infrastructure is owned by the private sector.

For most companies – data is their lifeblood. Businesses depend upon data to run their companies, improve their productivity and to provide services to customers. Customers have the right to expect that their personal information will be protected.

All of this means it is more important than ever for company leaders to ensure reducing cyber risk for their organisations is high on the agenda. It is critical that companies do not take a victim perspective on cyber-crime and view it as something that occurs out of the blue. Companies need to ensure that adequate investments are made to protect against this risk and that this expenditure results in real, effective security outcomes.

In my experience, organisations need to know five key things about cyber security: to know and understand the value of their data, know who has access to that data, know where that data is, know who is protecting that data and know how well it is protected.

Leaders should demand to know these five things. The answers and any remediation action taken to protect data and systems will go a long way to ensuring that cyber security risk is being well managed across the private sector.

Mike Burgess was appointed by the Prime Minister to the Independent Panel of Experts advising government on the current Cyber Security Review.