When it comes to mitigating cyber security incidents, there is no single step that organisations can take that will guarantee the safety of their data or system performance. The Australian Cyber Security Centre has recommended eight mitigation strategies that organisation should implement as a baseline defence against targeted cyber intrusions, ransomware and malicious insiders. These strategies are known as the 'Essential Eight'.
The Essential Eight are each designed to make it much harder for cyber threats to compromise your business's data and systems. Moreover, they are also cost-effective when it comes to time, money and effort. Indeed, it is much easier to pro-actively introduce the eight strategies than to deal with the ramifications of a cyber attack, including complying with the mandatory data breach notification laws.
From a legal perspective, there is likely to come a time when a person who has been negatively affected by a cyber breach, through loss of personal data or business functionality, will take action against a company who was cyber attacked, and allege that they firstly owed a duty to its users to prevent cyber attacks and, secondly, they breached that duty by failing to implement basic protection measures.
It is therefore important to make sure that you have, in conjunction with your overall privacy and data security practices, these Essential Eight in place.
The Essential Eight can be summarised as follows:
- Application Whitelisting – Application whitelisting is used to prevent malicious code executing on unauthorised software. It involves identifying applications that are authorised to execute a system and developing rules to ensure only those authorised applications can execute.
- Patching Applications – A 'patch' is a set of changes made to a program or its data in order to update, fix, improve or protect it. Organisations should regularly conduct risk assessments of their programs to ensure they have remediated all known security vulnerabilities.
- Configuring Microsoft Office macro settings – Microsoft Office applications can execute 'macros' in order to automate routine tasks. Unfortunately, these macros can contain malicious code and can be used as part of a cyber intrusion. Organisations must therefore balance the security benefit of disabling all macros with the resulting business impact.
- Application Hardening – Given that applications protecting computer systems against vulnerable functionality are often provided in levels (i.e. the level of application, user level, physical level), it is wise to 'harden' this protection by both increasing levels and ensuring every level has its own unique security method.
- Restricting Administrative Privileges – Individuals who are given administrative privileges are often able to bypass security settings, access sensitive information, and make significant changes to the configuration and operation of operating systems. Limiting administrative privileges creates a more stable and protected operating environment.
- Patching Operating Systems – Organisations should also patch all operating system errors in order to remediate known security vulnerabilities
- Multi-factor Authentication – Cybercriminals often steal legitimate user or administrative credentials in order to compromise a network. It is therefore wise to increase the number of steps required to authenticate the user. This could be done by asking for something the client knows (e.g. pin), something they have (e.g. smartcard) or something they are (e.g. fingerprint).
- Daily Backups – Lastly, in order to maintain the availability of critical data, organisations should backup, on a daily basis, important new/changed data, software and configuration settings. This backup should be retained for at least three months.
And in relation to all of the above, the protections should be extended to the mobile and remote access devices that have access to the network. Having 'fuzzy borders' between your business network, mobile devices and IoT devices increases your exposure.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.