Over the last decade, the risks to businesses have changed. As well as the pressures of increased competition from globalisation, hackers are now using new threats to steal data and blackmail breached companies, release data as a way of exposing businesses, or cripple operations by attacking network infrastructure.
In response to this rise in cyber risk, the Australian government released its first cybersecurity strategy in 2016. Better late than never, this plan included a number of fully funded initiatives that aim to protect everything from national infrastructure to small businesses. As part of that strategy, the Australian Cyber Security Centre (ACSC) develops annual threat reports, detailing and highlighting the most common and prolific forms of cyber attacks.
DIY with ACSC and ASD
Defeating these ever-present cybersecurity threats is extremely challenging. While it may feel impossible to combat so many different types of threats, you can mitigate the risk of attack and minimise damage by knowing your enemy—in this case, hackers—and utilising the right techniques.
One of the agencies that works closely with the ACSC is the Australian Signals Directorate (ASD). The ASD is an intelligence agency within the Australian Government’s Department of Defence, which is responsible for collecting and analysing foreign intelligence and providing assistance with information and communications security. The ASD has published an extensive manual on how to mitigate network security risks, and although this document is exhaustive, they’ve distilled their key advice into the Essential Eight.
4 + 4 = the essential 8
Although you may think the name lends itself to eight points, it goes a little deeper than that—but not much. The document provides four pieces of advice for mitigating the risk of an attack and four suggestions for limiting the impact of an attack, which are:
- Whitelist applications so only authorised programs can run on your network. For instance, consider a solution like HP’s Sure Start, which ensures only authorised firmware runs on printers.
- Patch applications to ensure the latest updates are installed on your IT equipment.
- Update operating systems by applying the regular patches released for system software, to protect against the latest threats.
- Disable untrusted macros, like those within Microsoft Office documents—they can be used to download malware, often bypassing other protections you might have.
- Harden applications so they can’t carry out potentially harmful actions.
- Restrict administration privileges by limiting how much control a user has—doing so will minimise damage if an account is compromised.
- Use multifactor authentication to ensure a stolen password can’t be used to compromise an account.
- Outline a robust backup strategy to recover normal operating conditions in case of an incident.
Reduce risk with clear communication
Communication is also critical. You should always maintain a “no blame” attitude, so users feel comfortable reporting when they think they may have been the victims of a fraud or scam.
You should also go out of your way to ensure cybersecurity threat information is presented in a meaningful way to your users. For example, talking about ransomware in terms of encryption and bitcoin is less useful to businesspeople than talking about the time it takes to get their systems up and running again and the dollar cost of ransomware-based interruptions.
What’s the best starting point?
Identify and determine your most critical assets. Think of these as the data and systems that would have a significant impact on your business’s ability to operate if they were to fail.
Once identified, list what applications and people can access them—and ascertain their level of access. Does everyone need to be able to delete data, or is it enough for them to just be able to read it? Make decisions on what access is really needed and start locking down access, so people can only access what they need to do their jobs.
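The access review described above can be run as a simple comparison of what is granted against what is needed. The following is an added example, not part of the original article or any ACSC or ASD material; the asset names, principals, permission levels and the `REQUIRED` baseline are all constructed for illustration.

```python
import copy

# Constructed sample data: asset names, principals and permission labels are illustrative.
# Levels are ordered; holding one implies every level before it.
LEVELS = ["read", "write", "delete", "admin"]

# Access as currently granted: asset -> {principal: level}
GRANTS = {
    "customer-db": {"alice": "admin", "bob": "delete", "reporting-app": "write"},
    "payroll-share": {"carol": "write", "bob": "read", "old-contractor": "write"},
}
# Access each person or application needs for their job, agreed with the asset owner.
REQUIRED = {
    "customer-db": {"alice": "admin", "bob": "read", "reporting-app": "read"},
    "payroll-share": {"carol": "write", "bob": "read"},
}

def rank(level):
    return LEVELS.index(level)  # raises ValueError on an unknown level

def review(grants, required):
    """Return (asset, principal, granted, needed, action) for every excess grant."""
    findings = []
    for asset in sorted(grants):
        needs = required.get(asset, {})
        for who, granted in sorted(grants[asset].items()):
            needed = needs.get(who)
            if needed is None:                    # no documented need at all
                findings.append((asset, who, granted, None, "revoke"))
            elif rank(granted) > rank(needed):    # more power than the job requires
                findings.append((asset, who, granted, needed, "downgrade"))
    return findings

def lock_down(grants, findings):
    """Return a copy of grants with every finding applied."""
    fixed = copy.deepcopy(grants)
    for asset, who, _granted, needed, action in findings:
        if action == "revoke":
            del fixed[asset][who]
        else:
            fixed[asset][who] = needed
    return fixed

def can_delete(grants, asset):
    """Principals able to delete data on an asset (delete level or above)."""
    return sorted(w for w, lvl in grants[asset].items() if rank(lvl) >= rank("delete"))

if __name__ == "__main__":
    for finding in review(GRANTS, REQUIRED):
        print(finding)
    print(can_delete(lock_down(GRANTS, review(GRANTS, REQUIRED)), "customer-db"))
```

Re-running `review` on the locked-down grants should return nothing; any new finding on a later run means access has drifted from the agreed baseline.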
Always update and educate
Keep all operating systems and other software up to date. If you can’t take systems offline for regular updates, you’ll need to look at how you can update systems without disrupting operations. It is possible (large cloud providers never go offline to update software, for instance), but it does take time.
Invest in education for users and technical staff. Your training needs to be regular and easy to understand; an annual cybersecurity training session is not enough. A more effective approach is to design a monthly series that delivers small chunks of information users can easily digest.
Ensure every single device is secured
Network security isn’t just about users with computers, smartphones, and tablets. Every device connected to your network needs to be secured—that includes printers, scanners, cameras, and climate control systems. Keep their system software up to date and monitor their network communications, so unusual activity can be detected immediately.
Managing cybersecurity threats is not a one-off project; it’s an ongoing program, where businesses need to regularly monitor threats and update strategies to eliminate potential risks. Use these tips to your advantage, and start securing your business today.