If you own a business, you need to know if your company is ready in the event of a cyber-attack. Having a false sense of security is relatively common, especially among smaller businesses that mistakenly believe that cybercriminals only target larger businesses.
Cybercrime has risen to alarming levels in Australia, as well as around the world. The Australian Cyber Security Centre (ACSC) reports that a cybercrime incident occurs approximately once every ten minutes. The risk comes not only from external threats to your company but also from internal vulnerabilities.
To help Australian businesses of all sizes, the ACSC has developed strategies to mitigate common attack routes. Collectively, these strategies are known as the Essential Eight. The implementation of these tactics bundled together is referred to as the Essential Eight Maturity Model. When put into practice, the strategies can significantly reduce the risk of cyber criminals causing havoc within your business.
In terms of saving time, money, effort, and a damaged professional reputation, the proactive approach of the Essential Eight is preferable to cleaning up after a cyberattack.
What is the Essential Eight Maturity Model?
The model is a compilation of mitigation options put together by the federal government. It provides a guide to how Australian organisations should protect themselves against cyber threats. The purpose is, in part, to provide a starting point for businesses to begin evaluating their security and their readiness for attacks.
In addition to being a security baseline for businesses, the Essential Eight Maturity Model helps companies to manage relevant risks and offers steps in addressing pressing threats.
The Essential Eight Maturity Model Components
- Application Whitelisting
- Patching Applications
- Restrict Administrative Privileges
- Patching Operating Systems
- Disable Untrusted Microsoft Office Macros
- Use Application Hardening
- Employ Multi-Factor Authentication
- Run Daily Backups
Individual Components Explained
1. Application Whitelisting – Creating a whitelist is a matter of looking through your software applications and deciding which can run on your company’s computers.
- You will first need to identify which information systems and applications are used to support your organisational and business processes. This will be your master list as you decide what will run and what will not.
- Create secondary lists for various positions or departments. For example, your art department will need different applications than your human resources department.
- Create a list of applications that fall in the middle, a grey list, and decide if anyone besides you can execute these applications.
- Make sure you have made the whitelist a part of your information security and general IT policies. This will prevent confusion and make the approval process simple.
- Watch for unsanctioned shortcuts or shadow IT.
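The master list, department lists and grey list described above can be expressed as a small decision routine. This is an added example, not code from the ACSC or the original article; identifying applications by SHA-256 hash, the policy data, the user names and the sample events are all assumptions constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for real executables.
BINARIES = {
    "payroll.exe": b"payroll build 4.2",
    "illustrator.exe": b"illustrator build 27",
    "remote-admin.exe": b"remote admin tool",
    "free-pdf-tool.exe": b"unvetted download",
}
H = {name: sha256(blob) for name, blob in BINARIES.items()}

# Master list, per-department lists and grey list (hypothetical policy data).
MASTER = {H["payroll.exe"], H["illustrator.exe"], H["remote-admin.exe"]}
DEPARTMENT = {"hr": {H["payroll.exe"]}, "art": {H["illustrator.exe"]}}
GREY = {H["remote-admin.exe"]: {"it-manager"}}  # hash -> users approved to run it

def decide(blob: bytes, department: str, user: str) -> str:
    """Decide on the file's content hash, so renaming a file does not help it."""
    digest = sha256(blob)
    if digest not in MASTER:
        return "deny:not-on-master-list"
    if digest in GREY:
        return "allow:grey-approved" if user in GREY[digest] else "deny:grey-needs-approval"
    if digest in DEPARTMENT.get(department, set()):
        return "allow:department"
    return "deny:wrong-department"

# Constructed execution events: (file name, content, department, user).
EVENTS = [
    ("payroll.exe", BINARIES["payroll.exe"], "hr", "alice"),
    ("payroll.exe", BINARIES["free-pdf-tool.exe"], "hr", "bob"),  # renamed download
    ("illustrator.exe", BINARIES["illustrator.exe"], "hr", "alice"),
    ("remote-admin.exe", BINARIES["remote-admin.exe"], "art", "carol"),
    ("remote-admin.exe", BINARIES["remote-admin.exe"], "it", "it-manager"),
]

def audit(events):
    """Return (name, user, decision) per event; master-list misses indicate shadow IT."""
    return [(name, user, decide(blob, dept, user)) for name, blob, dept, user in events]

if __name__ == "__main__":
    for row in audit(EVENTS):
        print(row)
```

The second event shows why the decision is made on content rather than file name: the download renamed to `payroll.exe` is still denied and surfaces in the audit as unsanctioned software.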
2. Patching Applications – Fixing weak spots in security is critical to cybersecurity. It is a common practice for cybercriminals to exploit known vulnerabilities in applications. Unfortunately, unless the app itself is designed for security purposes, most apps place security relatively low on the list of priorities.
Several steps are involved in assessing whether or not your applications need patches.
- Identify all of the applications on your network and go a bit further by discovering why you have the apps.
- Check to find out if you have the most current patches and releases available for the apps. Some are free, and the maker will ensure you know about them. Others release the patches with little to no explanation.
- Remove and replace the applications which are not supported and subscribe to the alerts when new patches are available.
- Consider implementing vulnerability management through dedicated applications.
- Remember to check your firmware and software as well as your routers, switches, firewalls, and load balancers.
3. Restrict Administrative Privileges – As the name says, applying limits to who can access administrative pages is another vital part of protecting your company. Cybercriminals use these accounts to gain access to information. Actions such as accessing and managing systems, applying software patches, and installing legitimate software should be restricted to only those needing them.
Consider these privileges like the keys to your home. Not everyone who works for you needs to have the opportunity to enter your realm. At the same time, you should be aware that some conflicts may arise after limiting administrative access. This is especially true for those who have had access in the past and may be disgruntled when you remove it. For those who must have some limited access, adding a logging system to track activities on restricted accounts can help you oversee the account activities.
4. Patching Operating Systems – A patch in your operating system will fix your security vulnerabilities. While patching applications is vital, all applications need to run on an operating system. Making sure that yours is well maintained is essential to your security as well as the ease of operations.
- Start by scanning your network with one of the many available applications that check the patch levels of computers and can provide a report to let you know which need patches.
- Obtain the necessary patches for your system and test them.
- Deploy the new patches.
- Consider non-Windows operating systems.
- Be certain to enforce the idea of patching with your staff.
5. Disable Untrusted Microsoft Office Macros – While macros are great time savers that take care of many tasks, they are also a convenient avenue for exploitation and code execution. While the notion of disabling all macros may come to mind, do not make that your first course of action. You can keep safe (and useful) macros by digitally signing them and locking the application down to block all unsigned macros. Also, you may want to think about macros from applications other than Microsoft Office.
6. Use Application Hardening – Application hardening restricts access to well-known attack vectors. The process is vital for several reasons, chief among them that many applications are installed with defaults. The defaults enable numerous services, options, and capabilities that make your system vulnerable. To help with the process:
- Disable insecure and unused services
- Limit privileged access to the applications
- Take stock of what you have and eliminate what you do not need whenever possible
- Close network ports unless required
- Change default usernames and passwords
7. Employ Multi-Factor Authentication – Using a Multi-Factor Authentication (MFA) system is advisable, given the degree of cybercrime. The process is not new but is not used to its full extent, as many people struggle with basic authentication.
However, it is worth the effort to get your staff on board. Requiring passwords, biometric scans, and smart IDs adds stronger protection to your data.
Generally, multi-factor authentication will consist of three elements:
- Something you know – A password or bit of information no one would guess. (Be wary of passwords with commonly used details like your first pet’s name, your first car, or the name of the street where you grew up. Often, you will see social media posts that appear nostalgic but are really gathering information for hacking. So, when you see a post of a cute dog with the caption, “My first dog was Prince. Can you remember yours?” do not respond. And stop using this type of information as your password.)
- Something you have – A key card or a token that gives you access to otherwise restricted areas
- Something you are – Biometric data
8. Run Daily Backups – When it comes to backing up your data, you have several choices but no excuses. The many different ways of backing up your data include:
- Magnetic media
- Optical media
- Cloud-based storage such as iCloud
- Disaster Recovery (DR) sites
An important point to remember is that in addition to backing up your data, you must make sure that you can get to the backups. Otherwise, you run the risk of not being able to use them if the data is incomplete, corrupt, or inaccessible. You should run regular tests to make sure things work as expected.
- Prioritise your backups – You want to start with the most critical information.
- Evaluate what data is necessary and what is not – You do not need to back up every bit of information, and doing so will waste valuable space and also risk vital points being overwritten.
- Do not assume everything is alright – Many astute businesspeople have fallen into the trap of believing all is well because drama is absent.
- Be sure to check for anything business-related on laptops or local drives and workstations.
Staying on top of your company’s cybersecurity is critical, given the prevalence of cybercrime. Unfortunately, implementing and maintaining the Essential Eight Maturity Model can be a full-time project. At ICT Group, our team of experts can manage your cybersecurity and implement the Essential Eight.
For more information or to schedule an appointment with one of our experts, feel free to contact us. We can take care of your cybersecurity so you can take care of business.