November 1, 2019
The Essential Eight: A Practical Guide to Cybersecurity Strategies to Protect Your Business
The digital age is redefining how businesses operate on every level. Technologies such as the cloud, machine learning and mobile devices enable Australian businesses to cut costs and boost efficiency. But these technologies are often a double-edged sword, leaving businesses vulnerable to increasingly sophisticated cyberattacks.
Although there is no ‘single’ solution for mitigating every cybersecurity incident, best-practice strategies can and should be used as a starting point for effective cybersecurity management.
The Essential 8 Model is a government-led cybersecurity initiative produced by the Australian Signals Directorate (ASD) and Australian Cybersecurity Centre (ACSC). Adopting these strategies as general guidelines can serve as a quick method for scaling your enterprise cybersecurity posture, without the immediate need for extensive investment or research.
To help you fully understand how the ASD Essential Eight can benefit your cybersecurity as an enterprise or startup, we have separated the article into four sections:
Introducing the Essential Eight
The Essential Eight are practical guidelines, developed by the Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC), to mitigate cybersecurity incidents that include:
– The prevention of malware delivery and execution;
– Limiting the extent of cybersecurity incidents; and
– Ensuring data recovery and system availability.
According to government website cyber.gov.au, the Essential Eight ‘makes it much harder for adversaries to compromise systems… Implementing the Essential Eight pro-actively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident.’
While organisations in particularly high–risk environments may require additional guidance, assessing against the Essential Eight is a basic and affordable guide to preventing cyberattacks or related risks.
Not sure if Essential Eight is a suitable guideline for your business? Take a look at the 5 Top Vendor Cybersecurity Questionnaires for 2019.
Preparing to use the Essential Eight
Before implementing any of the mitigation strategies outlined in the section below, it is very important to consider the following:
Identify which systems require protection.
Which systems store, process or communicate sensitive or easily accessible information?
Identify which adversaries are most likely to target your systems.
Examples include nation-states, cyber criminals or malicious insiders.
Identify what level of protection is required.
In other words, selecting mitigation strategies to implement based on the risks to business activities from specific adversaries.
Implementing the Essential Eight
Here’s an overview of each strategy in the Essential Eight. The strategies have been categorised into the three key areas outlined earlier.
Strategies to prevent malware delivery and execution
1. Whitelist applications
By controlling which programs are run on your company’s corporate network, you can drastically reduce your company’s exposure to malware attacks. This could be in the form of a virus, trojans, spyware, worms, adware – the list goes on. Suffice to say, malware can do serious harm to your computer or network.
Whitelisting applications means that all non-approved applications cannot gain access to your system. Unapproved or malicious programs can include .exe, DLL, scripts (such as Windows Script Host) and installers. Granted, whitelisting every computer in your organisation is a huge undertaking. However, you can do it gradually, starting with high-level and high-risk users, such as your CFO and legal teams.
2. Patch software
Patch applications include things like Flash, web browsers, Microsoft Office, Java and PDF viewers. You should patch or mitigate computers with ‘extreme risk’ (a software flaw that allows ransomware to spread) within 48 hours, using the latest version of applications.
Most systems – including Microsoft Office, Java and Flash – have automatic update reminders, which you should never ignore. To ensure full compliance, you should implement an automated patch management system (which tracks and applies software updates) as soon as possible across your entire organisation.
3. Block untrusted Microsoft Office macros
Macros are a series of commands that automate various tasks, like organising spreadsheets. Unfortunately, macros – including Microsoft Office macros – can also be programmed to run malicious code.
As a result, you should configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros – either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
4. Fortify user applications
Certain apps need extra protection, even when they’re fully up to date. For example, web browsers have Flash plugins, Java scripts and web ads – all of which are popular ways to deliver and execute malicious code on systems. Microsoft Office also contains object linking and package embedding features that make your system vulnerable.
Configure web browsers to block Flash (or, better yet, uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office, such as OLE (object linking and embedding), as well as web browsers and PDF viewers.
Strategies to limit the extent of cybersecurity incidents
5. Restrict access privileges
Administrator accounts are the ‘keys to the kingdom’, so to speak. Adversaries can use these accounts to gain full access to information and systems. With this in mind, organisations should abide by the principle of least privilege. In other words, you should restrict administrative privileges based on user duties.
Those with administrative privileges should also be given extra confirmation steps to complete. At least once a year, using a centralised management system, review everyone’s access to privileges.
Want to stay updated with the latest industry news, tips and insights?
6. Enable multi-factor authentication
Stronger user authentication makes it harder for adversaries to access sensitive information and systems. Multi-factor authentication should be used for VPNs, DDP, SSH and other remote access, and for all users when they perform a privileged action or access important data.
You should use a combination of at least two of the following authentication methods: Passwords with a minimum of six characters, universal second-factor security keys, physical one-time password tokens, biometrics and smartcards.
7. Update operating systems
Security vulnerabilities in operating systems can be used to further compromise such systems. So, much like software applications, patches for operating systems like Windows 10 and macOS should be applied as soon as they’re released.
Developers don’t provide security fixes for products that have reached the end of life. So, always use the latest operating system version and don’t use unsupported versions.
Strategies to ensure data recovery and system availability
8. Back up your systems daily
To ensure information can be accessed again following a cybersecurity incident, such as a ransomware incident, you must back up your systems every day, and store multiple copies on a local drive, a USB drive and in the cloud.
Each backup should be retained for at least three months. You should test restoration initially, annually, and when there are any changes to your organisation’s IT infrastructure.
Want an easier, digital way to implement the ASD Essential Eight?
Preventative maintenance is fundamental when it comes to effective cybersecurity management. As stated earlier, the Essential Eight offers a broad, but relatively comprehensive starting point for Australian businesses in this regard.
If each strategy is implemented correctly, you’ll be able to avoid the crippling costs associated with a major cyber breach or related incident. At 6clicks, we have the ultimate tool to effectively assess and improve your cybersecurity posture.
6clicks is a powerful and easy-to-use online risk assessment, risk management and compliance platform connecting businesses and service providers.