Cybersecurity threats and data breaches are becoming more frequent, more sophisticated and harder to mitigate. The latest Australian Cyber Security Centre (ACSC) Threat Report shows malware attacks, data breaches and intrusion attempts all on the rise. Ensuring cybersecurity is a global challenge affecting many industries and organisations.
Even more worrying is the rising cost of cybercrime to businesses. In Australia, the average cost to a small business of a cybercrime reported to the ACSC is $46,000, up 14% on the previous year. Organisations are also under regulatory pressure to improve their cybersecurity, for example through the Notifiable Data Breaches scheme under the Privacy Act 1988.
However, implementing robust cybersecurity is a tall order for many organisations. So many different areas need attention that it is easy to miss a critical one or to be overwhelmed by the effort. Cybersecurity is not a one-size-fits-all investment, and many organisations, especially SMEs and startups, struggle to decide where to start.
In 2017 the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), published the Essential Eight, a prioritised set of mitigation strategies that extends the ASD's earlier Top 4. The ASD considers the Essential Eight one of the most effective baseline defences any organisation can adopt against cyber adversaries; it is also referred to as the ASD Essential Eight.
Breaking Down the Essential Eight Framework
The Essential Eight strategy focuses on three key areas of cybersecurity:
- Preventing attacks
- Limiting the extent of attacks
- Data recovery and system availability
The ASD estimated that the original Top 4 of these controls (application whitelisting, patching applications, patching operating systems and restricting administrative privileges) would, on their own, have prevented at least 85% of the targeted intrusions it responded to. The Essential Eight builds on that baseline with four further controls, and all eight fall within the three categories above.
Prevent Attacks
The first step in cyber defence is prevention. The four controls in this category aim to stop malware being delivered to a machine and to stop malicious code from executing if it does arrive.
Application Whitelisting
Application whitelisting (the ACSC now calls it application control) means defining which programs are permitted to execute on a system and blocking everything else by default. The goal is that malware, even if it is delivered, cannot run.
Only explicitly approved code is allowed to execute, and the approval has to cover executables, software libraries (DLLs), scripts and installers, not just .exe files, or the control is bypassed by loading code through one of the other routes. Rules based on a publisher's code-signing certificate or on file hashes are stronger than rules based on file path, because a path rule is only as good as the permissions on that directory. The control should be applied to workstations and servers.
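To make the evaluation concrete, here is an added example (not code from the article or from the ACSC, and not AppLocker itself) of the decision logic an allowlisting engine applies: explicit deny rules first, then hash, publisher and path allow rules, with everything else denied by default. On Windows this is what AppLocker or Windows Defender Application Control enforces. The policy, file contents, publisher names and the `USER_WRITABLE` list are constructed samples, and the `publisher` field is assumed to already hold the subject of a validated code-signing certificate. The `weak_path_rules` check is included because a path-based allow rule that also covers a user-writable directory lets a user run anything they can copy there.

```python
# Added example: the decision logic of an application-allowlisting engine
# (illustrative; not the article's or the ACSC's code, and not AppLocker itself).
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample of directories a standard user can write to. An allow-by-path
# rule that also matches one of these lets the user run whatever they copy there.
USER_WRITABLE = ["C:/Windows/Temp/", "C:/Windows/Tasks/", "C:/Users/"]


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes
    # Assumed to be the subject of an already-validated code-signing certificate;
    # a real engine verifies the signature before trusting this value.
    publisher: Optional[str] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    allowed_hashes: Set[str] = field(default_factory=set)
    allowed_publishers: Set[str] = field(default_factory=set)
    allowed_paths: List[str] = field(default_factory=list)  # glob patterns
    denied_paths: List[str] = field(default_factory=list)   # glob patterns; always win


def _norm(path: str) -> str:
    """Case-insensitive, forward-slash form so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").lower()


def _matches(path: str, patterns: List[str]) -> bool:
    return any(fnmatch.fnmatchcase(_norm(path), _norm(pat)) for pat in patterns)


def decide(policy: Policy, exe: Executable) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything no allow rule covers is denied."""
    if _matches(exe.path, policy.denied_paths):
        return False, "explicit deny rule"
    if exe.sha256 in policy.allowed_hashes:
        return True, "hash rule"
    if exe.publisher is not None and exe.publisher in policy.allowed_publishers:
        return True, "publisher rule"
    if _matches(exe.path, policy.allowed_paths):
        return True, "path rule"
    return False, "default deny"


def weak_path_rules(policy: Policy, writable: List[str] = USER_WRITABLE) -> List[Tuple[str, str]]:
    """(allow pattern, writable directory) pairs where the pattern would permit a
    file dropped in that directory and no deny rule covers it."""
    weak = []
    for pat in policy.allowed_paths:
        for directory in writable:
            probe = directory + "payload.exe"
            if _matches(probe, [pat]) and not _matches(probe, policy.denied_paths):
                weak.append((pat, directory))
    return weak


def sample_policy() -> Policy:
    """Constructed sample: one pinned hash, one trusted signer, the OS and Program
    Files trees by path, with the OS's user-writable subdirectories denied."""
    return Policy(
        allowed_hashes={hashlib.sha256(b"approved-tool-v1").hexdigest()},
        allowed_publishers={"O=EXAMPLE VENDOR PTY LTD"},
        allowed_paths=["C:\\Windows\\*", "C:\\Program Files\\*"],
        denied_paths=["C:\\Windows\\Temp\\*", "C:\\Windows\\Tasks\\*"],
    )


if __name__ == "__main__":
    policy = sample_policy()
    for exe in [
        Executable("C:\\Users\\alice\\Downloads\\invoice.exe", b"dropper"),
        Executable("C:\\Windows\\Temp\\drop.exe", b"dropper"),
        Executable("D:\\tools\\approved.exe", b"approved-tool-v1"),
    ]:
        print(exe.path, decide(policy, exe))
    print("weak rules:", weak_path_rules(Policy(allowed_paths=["C:\\Windows\\*"])))
```

Note the ordering: a deny rule beats every allow rule, and a hash or publisher match is checked before the path match so that a file is approved for what it is rather than for where it sits. Running `weak_path_rules` over a policy that allows `C:\Windows\*` without the matching deny rules reports the Temp and Tasks directories, which is exactly the gap a hash- or publisher-based rule does not have.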
Patch Applications
Run current, vendor-supported versions of all client-side and server-side applications, including drivers and firmware, and apply security patches promptly: the ACSC's guidance is to patch or mitigate vulnerabilities rated extreme risk within 48 hours. Software that is out of support receives no further security fixes, so any vulnerability in it stays exploitable for as long as it remains in use.
Patching protects both your data and your hardware. Outdated applications expose vulnerabilities for which working exploits are often already public.
Configure MS Office Macro Settings
Microsoft Office macros are programs in their own right (VBA code embedded in a document) and are a common way to deliver malware and run malicious code from an otherwise harmless-looking file. Block macros in documents that came from the internet: in Group Policy this is the setting "Block macros from running in Office files from the Internet", which relies on the mark-of-the-web that browsers and mail clients attach to downloaded files.
Where macros are genuinely needed, allow only vetted and approved ones, either stored in Trusted Locations that ordinary users cannot write to or digitally signed by a trusted publisher, and set "VBA Macro Notification Settings" so that all other macros are disabled without notification. Enforce these settings through Group Policy so that users cannot relax them in the Trust Center.
User Application Hardening
User application hardening means restricting applications to the functionality users actually need, which removes the features attackers abuse most often. In Essential Eight terms it means configuring web browsers to block Flash content (Flash reached end of life in December 2020 and should be uninstalled), web advertisements and Java from the internet, and disabling unneeded features in Microsoft Office (such as OLE), web browsers and PDF viewers.
Removing these features closes off the background processing that gives malware a way in. Flash and Java exploits and malicious advertising (malvertising) have all been widely used to deliver malware through an ordinary web browsing session.
Limit Extent of Attacks
This stage assumes that an attacker will sometimes gain a foothold despite the preventive controls, and focuses on limiting how far they can get from it: how much they can reach, which accounts they can take over, and whether they can escalate to administrative control of the environment.
Restrict Administrative Privileges
Attackers target administrative accounts and credentials because they unlock access to everything else. Privileged accounts should therefore not be used to read email, browse the web or download files, since those are the activities through which credentials are most often phished and machines infected; administrators should use a separate, unprivileged account for day-to-day work. Each request for privileged access should be authenticated in its own right rather than inherited from a long-lived session.
Grant privileges on the basis of a user's duties, and regularly revalidate whether each account still needs the level of access it holds. Controlling access in this way ensures that only the right people can reach and use protected services and data.
Multi-factor Authentication
Multi-factor authentication (MFA) requires two or more pieces of evidence (factors) of different kinds to prove identity: something the user knows (a password or PIN), something they have (a one-time-password app, a hardware token, or a phone that receives a code by SMS or voice call) and something they are (a biometric). A PIN on top of a password is two of the same kind and does not count as a second factor. App-generated or hardware-backed codes are considerably stronger than SMS or email codes, which attackers have both intercepted and phished.
Each factor raises the cost of impersonating a user, which is why MFA matters most for remote access, privileged accounts and access to sensitive data.
Patch Operating System
Patching the operating system is the same discipline as patching applications and just as important. Run supported operating system versions on workstations, servers and network devices, and apply patches promptly once the vendor releases a fix: as with applications, the ACSC's guidance is to patch or mitigate extreme-risk vulnerabilities within 48 hours.
Do not run operating system versions the vendor no longer supports. They receive no further patches, so any flaw found in them remains exploitable for as long as they stay in service.
Data Recovery and System Availability
Availability of data and systems is as much a part of cybersecurity as confidentiality, and so is integrity. The Essential Eight addresses availability through regular backups and through the secure storage of, and controlled access to, those backups.
Daily Backups
Regular backups are what allow recovery after a catastrophic failure of hardware or software, a ransomware infection or a natural disaster. Back up important new or changed data, software and configuration settings daily, regardless of volume. Store backups disconnected from the network, or online in a form that cannot be overwritten (write-once or immutable storage), so that an attacker who compromises the live environment cannot also encrypt or delete the backups, and retain them for at least three months. Test restoration regularly, and always after changing or updating the IT infrastructure, so that you know the backups work before you have to depend on them.
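As an added example (not from the article or the ACSC), the routine below shows the integrity side of this control: it copies a directory, records a SHA-256 manifest, makes the copy read-only and rehearses a restore into a scratch directory, so that tampering with, or loss of, a backed-up file is detected rather than discovered during a real recovery. Read-only permissions are the nearest a plain filesystem gets to non-writable; real immutability comes from offline media or object-lock storage. The directory names and file contents in `demo` are constructed for the run.

```python
# Added example: backup with an integrity manifest, read-only copies and a
# restore rehearsal. Not code from the article; standard library only.
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 of every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, backup_root: Path, label: str) -> Path:
    """Copy `source` to backup_root/label/data, write the manifest, then make every
    file in the snapshot read-only. Read-only bits are the nearest a plain
    filesystem gets to "non-writable"; offline media or object-lock storage is
    what actually stops an attacker with write access from undoing this."""
    snapshot = backup_root / label
    data_dir = snapshot / "data"
    shutil.copytree(source, data_dir)
    (snapshot / MANIFEST).write_text(json.dumps(build_manifest(data_dir), indent=2))
    for p in snapshot.rglob("*"):
        if p.is_file():
            os.chmod(p, 0o444)
    return snapshot


def verify_backup(snapshot: Path) -> List[str]:
    """Relative paths whose content differs from the manifest, including files
    that have gone missing from, or been added to, the backup copy."""
    expected = json.loads((snapshot / MANIFEST).read_text())
    actual = build_manifest(snapshot / "data")
    return sorted({path for path, _ in set(expected.items()) ^ set(actual.items())})


def rehearse_restore(snapshot: Path, restore_to: Path) -> bool:
    """Restore into `restore_to` and confirm the result matches the manifest.
    A backup that has never been restored is an assumption, not a control."""
    shutil.copytree(snapshot / "data", restore_to, dirs_exist_ok=True)
    return build_manifest(restore_to) == json.loads((snapshot / MANIFEST).read_text())


def demo() -> dict:
    """Constructed end-to-end run in a temporary directory: back up, verify,
    rehearse a restore, then overwrite one backed-up file (as ransomware that
    reaches the backup share would) and confirm both checks notice."""
    tmp = Path(tempfile.mkdtemp(prefix="e8-backup-"))
    source = tmp / "source"
    (source / "docs").mkdir(parents=True)
    (source / "docs" / "policy.txt").write_bytes(b"essential eight\n")
    (source / "app.cfg").write_bytes(bytes(range(256)))

    snapshot = make_backup(source, tmp / "backups", "daily-2024-01-01")
    result = {
        "clean_verify": verify_backup(snapshot),
        "restore_ok": rehearse_restore(snapshot, tmp / "restore-1"),
    }
    victim = snapshot / "data" / "docs" / "policy.txt"
    os.chmod(victim, 0o644)            # an attacker with write access can do this too
    victim.write_bytes(b"encrypted")
    result["tampered_verify"] = verify_backup(snapshot)
    result["restore_after_tamper"] = rehearse_restore(snapshot, tmp / "restore-2")
    shutil.rmtree(tmp, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should itself live somewhere the backup writer cannot alter after the fact (an offline copy, or a separate system that only receives the hashes), otherwise an attacker who can rewrite the data can rewrite the manifest to match. The tampering step in `demo` illustrates why read-only bits alone are not enough: anything with write access to the backup location can clear them.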
Essential Eight Maturity Model
The ACSC defines four maturity levels that describe how completely an organisation has implemented the Essential Eight:
- Level 0: not aligned with the intent of the mitigation strategies.
- Level 1: partly aligned with the intent of the mitigation strategies.
- Level 2: mostly aligned with the intent of the mitigation strategies.
- Level 3: fully aligned with the intent of the mitigation strategies.
Maturity Level 3 for each of the eight strategies is the baseline the ACSC recommends all organisations aim for. Each level has specific, measurable requirements per strategy (which file types your whitelisting covers, how quickly you patch, which users have MFA), so you will need to assess your implementation against those requirements to determine your current level.
The Essential Eight system is a tried and true cybersecurity strategy recommended by the ASD. Although it was originally developed to protect government agencies from cyber threats, it is still ideal for the private sector and suits many organisational structures.
There is no single solution to cybersecurity; it should be a combination of efforts and mitigation strategies. The Essential Eight system gives you a realistic target for your cybersecurity goals and provides a well-structured, easy-to-follow path towards achieving them.
The cost of falling victim to a cyber-attack goes beyond its monetary value. An attack can ruin your brand's reputation and put you out of business altogether. Many businesses never recover from a data breach; a widely cited figure is that 60% of small and medium-sized businesses close within six months of a cyber-attack.
Cybersecurity should be a high priority in safeguarding your organisation’s future. Don’t make any compromises when it comes to data and systems security – you simply can’t afford to.