Cyber Security – The Essential Eight Mitigation Strategies

Cyber Security – the Essential Eight mitigation strategies

Cyber Security Awareness Month occurs each year in October – but here at The IT Agency, we practise cyber security every day of every month, 365 days a year.

Being honest, prior to reading this article, how many of you were genuinely aware of a month dedicated to Cyber Security Awareness?  It’s a global mission whose basic idea originated in the US, as a joint effort between government and industry to provide information and resources to help individuals and businesses stay safe and interact more securely online.

Throughout the early years the principle awareness raising focus was largely directed at advising everyone to update their antivirus software as a matter of routine – e.g. it’s Autumn/Spring, remember to update your IT security when putting your clocks back/forward.

Over the years, acting on feedback from individuals, businesses, government departments and organisations operating within the IT Security sphere, each year’s focus has been narrowed and the month split into individually themed weeks – e.g. Small Business, Cybercrime or education, among others.

Today, we’re all, to a greater or lesser degree, conscious of, not only the concept of cyber security but at least some measures we could and should be taking to protect our homes and businesses from cyber-attack.  The IT Agency aims to expand that appreciation in this, the 17th annual Cyber Security Awareness Month, by outlining four of the main areas of understanding from an Australian perspective:

  • Cybercrime
  • Phishing
  • Essential Precautions
  • Australian Government Spending

Cybercrime

Although generally aware that cybercrime exists, unless we’ve personally been directly affected in some way, how much do we really know about the impact it has on Australian business and society as a whole?  Consider the implications of this graphic pulled from a report on the results of a Small Business (SMB) survey conducted by the Australian Cyber Security Centre (ACSC) which is part of our government’s Australian Signals Directorate…

© Australian Cyber Security Centre

That’s 1 cybercrime reported every 10 minutes.  6 every hour – 24 hours per day.  144 reported cybercrimes every single day.  At an estimated cost of $300 million per year to SMBs (for the Australian economy overall, that figure is far higher).  And that represents only reported cybercrime.  Who knows how much cybercrime goes unreported and, consequently, unaccounted?

Who’s paying for these losses?  We all are.  As business owners we’ll lose money and possibly reputation, while our costs, e.g. business insurance and security, are likely to increase.  As consumers we’ll all pay more for the goods and services supplied by businesses across the board, not just those who’ve been the victim of cybercrime. Cybercrime, however remote it seems, affects us all.

Among the key findings identified within the survey report are some interesting observations relating to how SMBs understand and protect themselves from cybercrime.  For instance, two thirds of respondents had actual first-hand experience of a cyber security incident and four out of five stated that cyber security was ‘important’ or ‘very important’.  Yet half of all respondents admitted to having only an ‘average’ or ‘below average’ understanding of cyber security, to operating with ‘poor’ cyber security practices and to spending under $500 on their cyber security measures each year.

That’s an apparent disconnect between (a) what the majority of SMBs consider to be important, (b) their actual level of understanding of the problem, and (c) what they’re prepared to actually do, along with how much they’re willing to spend, to protect themselves and their business from the problem.

The report goes on to highlight some of what it calls “barriers to implementing good cyber security practices” within SMBs, including:

  • Not enough trained IT specialists within organisations and multiple conflicting priorities for those there are
  • Business owners unable to identify weaknesses within their own systems, often not knowing even where to begin doing so
  • Ineffective business-wide planning and training to reduce the risks of cybercrime and an inadequate response when an incident does occur
  • Failure to understand risks and impact associated with a cyber incident, along with a tendency to underestimate the recovery period from such an incident

Raising awareness of these, often contradictory attitudes and priorities is a valuable tool for encouraging the Australian SMB community to take a greater interest in learning more about the issue of cybercrime and its effects on small business.

The full ACSC survey report can be found here.

One final statistic coming out of the survey – 1 in 5 of responding SMBs did not know the term ‘phishing’.

 

Phishing

Are you the 1 in 5?  If you don’t really understand what is meant by the term ‘phishing’ then you’re in exactly the right place – after all, it’s Cyber Security Awareness Month and this whole article is dedicated to raising your awareness.

Phishing is the term given to attempts at stealing your confidential information, usually through a fraudulent, or scam (not to be confused with spam), message – often as an email or a text message to your phone.

Typically, scammers send an email which, at first glance, looks like it’s from a legitimate organisation, e.g. a bank or telephone company.  It may be along the lines of advising you that your password has been compromised and providing you with a link to follow where you’ll be able to change your password.  The link is false and what’s really happening is you’re inadvertently providing the scammers with your legitimate password and giving them access to your account.

Scammers send hundreds of thousands, if not millions, of these emails every day and it only takes a few unwary or careless recipients to make it a worthwhile exercise for them.  This is organised crime and they wouldn’t do it if it wasn’t profitable.  It’s up to all of us to be aware of the issue and to be watchful of the messages we receive from whatever source.

Cyber security in all its forms is a subject The IT Agency has written about at length over the years and a review of our catalogue of articles is well worth a few moments of your time – you’ll find some specifically covering phishing here.

Even if you consider yourself to be part of the other 4 in 5 – i.e. you’ve heard of the term ‘phishing’ and know what it means … do you know how to spot a phishing scam?

Why not test yourself?

The Australian Cyber Security Centre (ACSC) have compiled a short test to raise awareness of how phishing works and what you, your employees and your family should be on the lookout for.

Test yourself here.

Get each member of your staff (and your family) to take the test too – it’s a useful addition to your business’ cyber security training programme.

 

Essential 8

Cyber security is a broad term covering many different tools and strategies that can limit your exposure, reduce your risk and help maintain your business continuity in the event of attack.

There is no single action that any business can take to protect itself.  True protection comes only when a complementary suite of security tools is put in place – but which combination works best?

Of course, every situation is different and what may be best for one business may not necessarily be best for another.  However, the ACSC have developed what they call the Essential Eight Mitigation Strategies – a prioritised list of strategies considered the baseline in helping businesses protect their IT systems against a wide range of adversaries:

  • Application whitelisting
  • Patching applications
  • Application hardening
  • Restricting administrator access
  • Disabling macros
  • Turning on MFA (Multi Factor Authentication)
  • Daily backups
  • Patching Operating Systems

The IT Agency recommends the principals of the Essential Eight for everyone and it forms part of the core managed services packages we provide our clients.

It’s worth reiterating that the Essential Eight is not a 100% guarantee of security, it represents a baseline – a foundation upon which other, complementary strategies are built to provide even greater protection – which is likely to be more cost-effective for SMBs than dealing with the results of a cyber security breach.  Prevention is better, and cheaper, than cure!

 

Application Whitelisting – specifically name approved applications to prevent unauthorised applications from executing.

Patching Applications – use the latest versions of applications such as Flash, MS Office, PDF viewers to minimise risk of security vulnerabilities being exploited to install and execute malicious code on your system.

Application Hardening – configure web browsers to block Flash, ads, Java and certain MS Office features (e.g. OLE) as they’re favourite routes through which malicious code is executed on your system.

Restricting Administrator Access – restrict and regularly review who has administrator privileges and why they have them.  Do not use Admin accounts for basic yet risky tasks such as reading email or browsing the web.  Limits the chance of an attacker gaining control of the entire IT system.

Disabling Macros – block macros from the internet and allow only those from a trusted source, to prevent installation and execution of malicious code on your system.

Multi Factor Authentication – ideal for remote access and users accessing sensitive or critical information, makes it much more difficult for adversaries to gain access to data and systems.

Daily Backups – of important, new or changed data, software and user configurations at least daily.  Copies stored offsite.  Trial restore from backup scheduled regularly.  Enables business to get up and running as quickly as possible in the aftermath of an incident.

Patching Operating Systems – patch existing system versions within 48 hours of patch availability.  Upgrade to latest version as soon as possible within a planned upgrade lifecycle.  Do not use unsupported versions of software.  Limits possibility of attack through known vulnerabilities in an operating system.

Implementing the Essential Eight will greatly help protect your IT systems from the most common types of attack – malicious emails, phishing, compromised system and ransomware.

 

Working from Home (WFH)

With more of us WFH for the foreseeable future, consideration must to be given to cyber security of both personal IT hardware and networks, and those used for business. Is the home IT security setup robust enough for business needs?

Listed below are some basic WFH security tips:

  • vary your passwords for different sites and systems
  • secure sensitive files and lock your computer
  • avoid illegal content
  • watch out for pop-ups
  • think before you click
  • enable security features

The IT Agency can provide help and advice with:

  • securing your remote office
  • defending against business email compromise (BEC) and email account compromise (EAC) attacks
  • defending against Phishing scams
  • implementing the Essential Eight recommendation from the ACSC

Australian Government Spending

Earlier in the article we highlighted the annual losses attributed to cybercrime reported by SMBs – $300 million.  That’s bad, but it’s a drop in the ocean compared to the $29 billion – or 1.5% of our GDP – the Australian economy loses annually as a result of cyber-attacks on homes, businesses and government.

Reacting to cyber-attacks on our economy, systems of government, educational organisations, and our businesses and homes, the Australian government recently committed to spending $1.35 billion over the next 10 years to strengthen the Australian Signals Directorate’s ability to identify and counter such threats.

A further $1.67 billion over the same period has been allocated to increase the ability of Australian homes and businesses to defend themselves against the surge in cyber-attacks and cybercrime.

The government understands the cyber security threats the nation faces.  As individuals and business owners, we must use initiatives such as Cyber Security Awareness Month to improve our understanding of the threats.  The more informed we become, the better able we are to implement the essential cyber security measures required to help protect our own homes and businesses.

 

More information?

You’re not alone.  The IT Agency are cyber security experts. We’ve written expansively on the subject many times; you’ll find our articles here.  If you need more information or help with the cyber security setup for your business, contact us on (02) 8317 4730.

Cyber Security Awareness Month is the ideal time to review how secure, or otherwise, your home or business is from cyber-attack.  Don’t wait to be the next victim, call The IT Agency on (02) 8317 4730 and protect your business.

  •  
  •  
  •  
  •