How to get the basics of cyber security right
The importance of cyber security risk management for business
Hackers continue to make headlines globally, prompting many business owners to reassess their cyber security measures. The truth is, no business is immune to security breaches, but there are measures you can take to help protect your company and your customers.
Indeed, now more than ever, it’s important to treat your cyber security strategy as part of any risk assessment you perform when planning your business’s future.
Where to start with your cyber security strategy
The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security. The role of the ACSC is to help make Australia the most secure place to connect online, and the guidance it gives extends to businesses large and small.
The ACSC can help you to:
- Learn the Essential Eight risk mitigation strategies for business
- Defend your business against ransomware and malware
- Lower the risk of business email compromise (BEC)
What is the Essential Eight?
The Essential Eight is a set of risk mitigation strategies developed by ACSC to help businesses limit their exposure to cyber security threats.
These strategies are broadly aimed at:
- Helping prevent cyber attacks
- Limiting the extent of cyber crime, and
- Recovering data and restoring system availability after an attack
The ACSC recommends that businesses implement their Essential Eight security guidelines as a baseline. Doing so may help defend your business against breaches.
What are the eight essential mitigation strategies?
According to the ACSC, when you incorporate the Essential Eight in your cyber security strategy, it helps make it harder for adversaries, AKA hackers, to compromise your system. So, what are these core strategies? Let’s take a closer look.
Application control
Application control is a security approach designed to stop unapproved or malicious code (malware) from executing on your systems. Its purpose is to ensure that only approved applications can be installed or executed. The application control solution that suits your business best will depend on the software and systems you use.
To learn more, visit Implementing Application Control.
Patch applications
Patching is the process of updating software to versions that fix known flaws. When you "patch" a business application, you close the "holes", known as vulnerabilities, in the application itself or in the operating system it runs on.
Patches help to fix known vulnerabilities or flaws that could otherwise provide an entry point for hackers to access your systems.
To learn more, visit Assessing Security Vulnerabilities and Applying Patches.
You should aim to always use the latest version of applications where possible, and patch applications on computers with “extreme risk” vulnerabilities as soon as possible.
Configure Microsoft Office Macro settings
Microsoft Office applications can use macros to automate routine tasks. Macros are small programs embedded in documents; they are easy to create and can greatly improve productivity.
However, as cautioned by ACSC, some macros can contain malicious code resulting in unauthorised access to sensitive information as part of a targeted cyber intrusion. So, if your business uses Microsoft Office, it’s important to include macro security as part of your overall cyber security strategy.
To learn more, visit Microsoft Office Macro Security.
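The page says macro security should be part of your strategy but does not show how to check it. The following is an added example (not code from the ACSC or this article) that reads the Office macro settings a Group Policy or a user has applied on a Windows machine and reports whether each application blocks macros by default. It assumes Office 2016/2019/Microsoft 365 (registry version `16.0`) and uses the documented `VBAWarnings` and `blockcontentexecutionfrominternet` values.

```powershell
# Added example (not from the ACSC page): audit Office macro settings on the
# local machine. Assumes Office registry version 16.0; change $officeVersion
# for other releases. Run as the user whose settings you want to inspect.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values as used by the Office Trust Center:
#   1 = enable all macros, 2 = disable with notification,
#   3 = disable all except digitally signed, 4 = disable all without notification
$vbaMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable with notification'
    3 = 'Disable except digitally signed'
    4 = 'Disable all, no notification'
}

function Get-MacroPosture {
    param([string]$App)
    # A policy key (set by Group Policy) overrides the user's own Trust Center choice
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$officeVersion\$App\Security"
    $source    = if (Test-Path $policyKey) { $policyKey } else { $userKey }

    $vba   = (Get-ItemProperty -Path $source -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $block = (Get-ItemProperty -Path $source -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    [pscustomobject]@{
        Application        = $App
        Source             = if (Test-Path $source) { $source } else { '(not set: Office default applies)' }
        MacroSetting       = if ($null -ne $vba) { $vbaMeaning[[int]$vba] } else { '(not set)' }
        BlockInternetMacro = if ($block -eq 1) { 'Yes' } else { 'No / not configured' }
        # Baseline used here: macros disabled (signed-only or all) AND internet macros blocked
        MeetsBaseline      = ($vba -in @(3, 4)) -and ($block -eq 1)
    }
}

$apps | ForEach-Object { Get-MacroPosture -App $_ } | Format-Table -AutoSize
```

Any row with `MeetsBaseline` set to `False` is an application where a user can still run unsigned or internet-sourced macros.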
User application hardening
User application hardening means reviewing and configuring the applications your staff use so that they work correctly and securely. Within the rapidly shifting technology landscape, application hardening should also include regularly updating or replacing old tools and applications.
The ACSC recommends you configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. They also advise businesses to disable any features in Microsoft Office, web browsers and PDF viewers that you do not use.
To learn more, visit Technical Example: User Application Hardening.
Restrict administrative privileges
Administrative privileges give users the ability to make major changes to systems. Hackers actively seek admin accounts to give them greater access to data and systems. So, the fewer admin accounts you have, the better.
You should aim to restrict administrative privileges to operating systems and applications based on employee duties. It's also wise to regularly revalidate the need for privileges you grant to users. For example, someone who mainly uses their computer for email and browsing the internet doesn’t need admin rights.
To learn more, visit Multi-factor authentication.
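The section above recommends regularly revalidating who holds administrative privileges. The following is an added example (not code from the ACSC or this article) that lists every member of the local Administrators group on a Windows machine, flags members not on an approved list, and flags local admin accounts that have not logged on recently. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module and an elevated session; the approved-account name and the 90-day threshold are placeholders.

```powershell
# Added example (not from the ACSC page): review local Administrators membership
# so each privilege can be revalidated. Assumes the LocalAccounts module
# (Windows PowerShell 5.1+) and an elevated prompt.
function Get-AdminReview {
    param(
        # Accounts whose admin rights you have explicitly approved (placeholder value)
        [string[]]$Approved = @("$env:COMPUTERNAME\Administrator"),
        # A local admin account with no logon in this many days is flagged
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object {
        $member = $_
        # Logon details are only available for local user accounts
        $local = if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'Local') {
            Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
        }

        $finding = if ($member.Name -notin $Approved) {
            'Not on approved list: revalidate or remove'
        } elseif ($local -and $local.LastLogon -and $local.LastLogon -lt $cutoff) {
            "No logon in $StaleDays days: consider removing"
        } else {
            'OK'
        }

        [pscustomobject]@{
            Member    = $member.Name
            Type      = $member.ObjectClass        # User or Group
            Source    = $member.PrincipalSource    # Local, ActiveDirectory, MicrosoftAccount
            Enabled   = if ($local) { $local.Enabled } else { 'n/a' }
            LastLogon = if ($local) { $local.LastLogon } else { 'n/a' }
            Finding   = $finding
        }
    }
}

Get-AdminReview | Format-Table -AutoSize
```

Group members (such as a domain group) appear as a single row; review the group's own membership separately.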
Patch operating systems
We know we’ve already talked about patching, but it appears twice in the Essential Eight. This is because cyber criminals often target vulnerabilities in systems to hack organisations. So, as you’ve probably guessed by now, patching is important.
Patches improve the security of operating systems by fixing known vulnerabilities. The ACSC also recommends using the latest versions of operating systems and not using unsupported versions.
To learn more, visit Technical Example: Patch Operating Systems.
Regular backups
Data backup protects your data against the consequences of a security breach by copying it to a separate location.
According to ACSC, performing regular backups will help your business to recover and maintain its operations in the event of a cyber incident, for example, a ransomware attack.
Before you start, plan your backup so that it includes all the data you would need to recover after a security breach. Most backups should include sensitive information, customer data, software, and configuration settings. Businesses should also regularly check that backed-up data can actually be restored.
To learn more, visit Technical Example: Regular backups.
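The backup section stresses checking that backed-up data can actually be restored. The following is an added example (not code from the ACSC or this article) that restores nothing itself but verifies a test restore: it hashes every file under the live data folder and under the restored copy and reports files that are missing or differ. The two paths are placeholders.

```powershell
# Added example (not from the ACSC page): verify a restored backup against the
# live data by comparing SHA-256 hashes of every file. Both paths are placeholders;
# restore the backup to $RestoredPath first, then run this check.
function Test-RestoredBackup {
    param(
        [Parameter(Mandatory)][string]$SourcePath,    # live data folder
        [Parameter(Mandatory)][string]$RestoredPath   # folder the backup was restored into
    )
    # Build a table of relative path -> hash for every file under a root folder
    $hashTree = {
        param($Root)
        $table = @{}
        Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
            $rel = $_.FullName.Substring($Root.TrimEnd('\').Length + 1)
            $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
        $table
    }
    $src = & $hashTree (Resolve-Path $SourcePath).Path
    $dst = & $hashTree (Resolve-Path $RestoredPath).Path

    # Files present in the source but absent from the restore, or restored with different content
    $missing  = @($src.Keys | Where-Object { -not $dst.ContainsKey($_) })
    $modified = @($src.Keys | Where-Object { $dst.ContainsKey($_) -and $dst[$_] -ne $src[$_] })

    [pscustomobject]@{
        FilesInSource   = $src.Count
        FilesRestored   = $dst.Count
        Missing         = $missing
        Modified        = $modified
        RestoreVerified = ($missing.Count -eq 0 -and $modified.Count -eq 0)
    }
}

Test-RestoredBackup -SourcePath 'C:\Data' -RestoredPath 'D:\RestoreTest\Data'
```

Files that changed on the live system after the backup was taken will show as Modified, so run the check against a snapshot or shortly after the backup job.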
How to start your Essential Eight journey
We recommend that all businesses familiarise themselves with the Essential Eight using the resources provided by the ACSC, which offer further detail. Once you’ve done so, you can start to think about ways to implement the risk management strategies within your organisation.
Recommended reading on the Essential Eight
- Strategies to Mitigate Cyber Security Incidents. Guidance to help your business mitigate cyber security incidents caused by a range of cyber threats.
- Essential Eight. An online hub of resources designed to help you integrate the Essential Eight into your cyber security strategy.
- Essential Eight Maturity Model. A framework designed to help your business implement the Essential Eight using a risk-based, step-by-step approach.