Speakers
Synopsis
Businesses with a commitment to social and environmental impact are increasingly discovering competitive advantage. The world’s leading independent verification of business impact is B Corp – an exhaustive certification process that requires applicants to detail how their organisation positively impacts the world around them. Robust data security and privacy practices can therefore significantly enhance an organisation’s capability to deliver a positive social and environmental impact – through both protecting employee, customer and community data and bolstering overall business resilience. Several of the assessment criteria of the B Corp process explicitly relate to the organisation’s data security, governance and privacy practices. This talk will provide insight into what these requirements are, and how organisations can capture and report their information security wins as part of the certification process. Beyond B Corp, businesses can also support the United Nations’ Sustainable Development Goals (SDGs), as defined in Transforming Our World - the 2030 Agenda for Sustainable Development.
All organisations seeking B Corp certification are required to undertake a Business Impact Assessment (BIA). The BIA helps companies assess their performance across impact areas such as governance, workers, community, environment, and customers. Information security is crucial for any business aiming to have a positive social impact for a broad range of reasons, including:
- Protection of sensitive information: Many businesses collect and store sensitive information about their customers, employees, and stakeholders. This can include personally identifiable information (PII), financial data, and healthcare information. A data breach can expose this information to malicious actors, leading to identity theft, financial fraud, and emotional distress for affected individuals. Data breaches can also have a disproportionate impact on vulnerable and traditionally under-served peoples.
- Mitigating cybercrime: By safeguarding sensitive data, businesses can inhibit avenues for financial fraud, identity theft, money laundering, and other illegal activity. Cybercrime is primarily perpetrated by organised crime groups, and businesses subject to a cyberattack can be pressured into making payments to prevent customer data from being leaked on the dark web. This can be particularly challenging for impact-focussed businesses, as cooperating with such groups can directly fund criminal activity, while refusing to pay negatively impacts their customers and community. Further, in an era of state-sponsored cybercrime, a strong information security posture not only denies cybercriminals lucrative payouts, but can also reduce funding for wars of aggression, illicit weapons procurement, and state actors bypassing sanctions.
- Financial resilience: In Australia, the average cost per cybercrime is $46,000 for a small business and $97,200 for a medium business. Financial consequences typically include direct costs such as regulatory fines, legal fees, and remediation expenses, as well as indirect costs such as reputational damage and loss of customer trust. By investing in robust data security measures, B Corps can protect their long-term financial resilience, which is critical to their ability to continue and grow positive social impact initiatives.
This talk will provide a detailed description of how specific information security evidence can address B Corp assessment criteria and SDG targets.