Data breaches and impacts from cyber security threats are becoming more common for Australian businesses. From July to December 2023, The Office of the Australian Information Commissioner (OAIC) received 483 breach notifications. This was up 19% in the period January – June 2023.
Dealing with the aftermath isn’t cheap either. According to the Australian Signals Directorate’s “Cyber Threat Report 2022-2023” the average cost of a data breach in Australia went up by 14% in 2023, with a total reported loss of almost $80 million.
You may already have measures in place to protect your business. But regardless of your cyber maturity level, no business is immune to security breaches. So, it’s important to proactively consider what you more you could do.
Read on to explore how the Essential Eight can help protect your business and customers.
The Essential Eight is a set of risk mitigation strategies developed by Australian Cyber Security Centre (ACSC) based on their real-world experiences and insights. They help lead the Australian Government’s efforts to improve cyber security for Australia. These measures can help businesses of any size limit their exposure to cyber security threats.
The Essential Eight was first published in 2017. It was then updated in 2021, with further updated controls added in November 2023. Each update better aligns the controls and maturity model to help reduce risk. This is based on actual activity seen across the cyber landscape.
Including the Essential Eight in your cyber security plan can make it harder for hackers to get into your systems and help safeguard your most important data in the event that they do. Below we unpack these key strategies and why are they important.
This is about only allowing approved and trusted programs, or identified entities, access to your network. Doing this helps prevent the execution of malicious programs from harming systems in your environment.
Learn more about implementing application control
Patching is about making sure you upgrade software to the most recent versions. This includes things like your web browser, Microsoft Office or PDF viewers and includes apps running on your mobile phone. It is one of the most effective ways of securing your network and environment.
The Australian Signals Directorate (ASD) saw that 1 in 5 vulnerabilities were exploited within 48 hours of a patch or mitigation guidance being circulated.
Fully patched applications are an essential foundation on which other security controls can be improved. They help fix known vulnerabilities or flaws that could otherwise provide an entry point for hackers to access your systems.
The 2023 updates to the Essential Eight also recommend aligning maturity level patching and control review timelines to meet threat actor tactics, techniques and procedures. Be sure to read about the relevant Essential Eight maturity model changes.
Learn more about assessing security vulnerabilities and applying patches
Microsoft Office applications often use macros to automate routine tasks. These are embedded codes and powerful tools that can be easily created to help improve productivity.
However, Microsoft macros can also be used to deliver and execute malicious code on systems. This can cause unauthorised access to sensitive information. If you use Microsoft Office, it’s important to include macro security in your cyber security strategy.
Learn more about restricting macros
User application hardening means making sure you review and configure your applications. This helps ensure they work correctly and are secure.
Application hardening can also include regularly updating old tools or applications. You can also consider blocking or uninstalling items you do not use such as Flash, PDF viewers or Java on the internet.
Learn more about user application hardening
Admin privileges give certain users the ability to make major changes to systems. For hackers, access to these accounts means they can use them to gain full access to company information and systems.
It helps to restrict admin privileges based on employee duties. Consider regularly revalidating the need for privileges you grant to users. For example, someone who mainly uses their computer for email and browsing the internet doesn’t need admin rights. Similarly, privileged accounts shouldn’t access internet email and web services.
Controls should also be put in place to address organisational changes. This includes staff turnover or movements in the organisation.
In the 2023 updates to the Essential Eight, the ACSC also recommends admin privileges are considered in cloud services. This is important as many organisations continue to adopt cloud-based applications.
Learn more about restricting administrative privileges and related Essential Eight maturity model changes.
Hackers often target vulnerabilities in operating systems, like Office 365, to breach organisations. This means patching these systems is important.
Patches help improve the security of operating systems by fixing known vulnerabilities. The ACSC also recommends working with the latest versions of operating systems and to not use unsupported versions.
Learn more about patching operating systems
Backing up your data can help you recover more quickly if an incident impacts your ability to access your systems. It also ensures your information can be accessed following an incident, such as a ransomware attack.
Before you begin, consider what data you'll need to recover in the event of a security breach. This most likely includes sensitive information, customer data, software, and configuration settings. It can also be very worthwhile to check that your backed up data can be restored effectively. It's good to get confidence around this in advance of being in any active breach situation.
Learn more about the importance of regular backups and the 3-2-1 backup strategy.
Stronger user authentication makes it harder for threat actors to compromise sensitive information, even if they have a password. MFA is particularly important for any of your high-risk transactions or activities, such as payments or updating billing information.
There are different grades of MFA and the recent updates to Essential Eight have prioritised stronger and more robust forms of MFA and application control techniques.
The new minimum standard requires ‘something users have’, besides ‘something users know’.
This has been adopted across all maturity levels. Phishing-resistant MFA requirements start at maturity level 2. Explore the relevant Essential Eight maturity model changes.
Learn more about multi-factor authentication
The ASD Essential 8 Maturity Model helps to define how advanced a business is in regards to cyber security. To help with the implementation of the Essential Eight, the ACSC has identified four maturity levels (zero through to three).
When implementing the Essential Eight, it helps to identify and plan for a target maturity level suitable for your business.
We recommend you read the information on the Essential Eight published by the ACSC. This gives more information on the Essential Eight maturity model. It can also help you get a firm understanding of your requirements. The ACSC recommends progressively implementing each maturity level until that target is achieved.
The best place to start is to familiarise yourself with the Essential Eight by using resources provided by the ACSC. This can help you start to think about ways to implement the risk management strategies within your organisation.
The recent 2023 updates also saw the ACSC update their process guidance. This helps organisations assess their implementation of the Essential Eight strategies. It can also help you understand how effective that implementation is against their desired maturity level.
By signing up for Cyber Wardens, a program from the Council of Small Business Organisations of Australia (COSBOA) that aims to educate businesses like yours on how to help fight online threats.
Insights to help you review your cyber security strategy and help you protect your business and customers.
