The growing speed, sophistication, and frequency of cyber attacks in the Australian digital landscape is alarming.
Small to medium-sized enterprises are especially susceptible to the growing threat of digital attacks. The Australian Cyber Security Centre (ACSC) received 76,000 cybercrime reports in the 2021-2022 financial year (one every seven minutes).
Conscious of this growing threat, the ACSC, under the umbrella of the Australian Signals Directorate (ASD), developed a mechanism for Australian businesses to establish a baseline level of protection known as the Essential 8. The ACSC recommends that all Australian companies implement these mitigation strategies.
This blog goes a little deeper into the prevention strategies contained with the Essential 8 framework, how your business can assess its level of compliance with these government standards through a professionally audited Essential 8 checklist, and why the Retrac security offering includes the Essential 8 as a solution for SMEs.
The ASD Essential 8 maturity model allows businesses to assess their current alignment to the Essential 8 security measures and set an implementation goal that they can progressively move towards for greater protection.
The four maturity levels are based on restrictions–the higher the maturity level, the higher the restrictions and security settings.
The four Essential 8 maturity levels
Knowing your ASD Essential 8 maturity model is critical for pinpointing weaknesses in your cybersecurity framework, preparedness, and establishing a foundation for your enterprise to move towards the necessary level of protection.
As a starting point, we recommend that all SMEs aim for level one protection. From this point onwards, there must be internal agreement about where your business needs to sit.
High security is excellent, but a greater number of restrictions can also impact productivity. An analysis of your enterprise needs, capabilities, industry-mandated basic requirements, and data sensitivity level must all come into play.
Industries such as health, finance as well as governmental organisations deal with highly sensitive personal data and have an obligation to ensure a higher level of protection. As these large-scale attacks are on the rise within these industries— establishing Essential 8 controls is more necessary than ever.
After reaching level one, it’s Essential to do a deep dive into your procedures and policies to determine which benchmark is most applicable to your enterprise needs—it can be a big jump from maturity level 1 to level 2.
Regarding the Essential 8 framework, it’s not so much a question of choosing to adopt the procedure but rather understanding, implementing, and adhering to the recommendations.
The Essential eight is updated to reflect contemporary challenges in the digital landscape, and has been adopted by Microsoft as the industry standard.
By aligning your business to the Essential 8 frameworks, we can:
As specialists in Microsoft operating systems and products such as Microsoft 365, we can build on top of the basics, introducing configurations and policies around Essential 8 from the top down. At Retrac, we leverage tools and software that your business may already be paying for but underutilising to achieve a higher alignment to the ASD essential 8 framework.
To get started, we recommend you speak to us so we can arrange an independent assessment with a specialist IT partner that can run an Essential 8 checklist. With the help of this partner, Retrac will then generate a report and get your business to the level you require by making these changes progressively. We can also arrange a DSIP auditor if certified compliance is a requirement.
Alternatively, you can reach out to your current service provider to ask if they employ the cybersecurity measures as outlined in the ASD Essential 8 framework and at what maturity level you’re currently at.
At Retrac, due to our experience with Microsoft, we can look into your licensing level and leverage tools such as Microsoft Compliance Manager to prepare reports and see where you sit on the maturity scale. Additionally, The Retrac security bundle provides customers with optimised and appropriately aligned managed security solutions. Through regular maintenance and the deployment of best practices, we ensure your enterprise security is up-to-date, sitting at the right maturity level for both performance and security.
This means you can focus on what matters most, growing your business.
The Essential 8 framework serves as a guideline and can change due to shifts in the digital space, emerging threats and is subject to updates and changes.
It’s not set and forget. Things will change, and revisiting every quarter is a sound strategy to ensure on-going compliance and maximum security.
An Essential 8 checklist covering the Essential 8 strategies can serve as a starting point. While it may be challenging to get a bearing on your maturity level without a professional audit, even some indication of the adoption level can give an idea of the road ahead.
Explore the Essential 8 strategies and some non-technical questions that can help indicate your enterprise’s alignment level below.
1. Application Control
Application Control empowers you to block all applications, including ransomware, by default on any device. Then, you can selectively allow only the necessary apps while preventing malicious or unnecessary applications.
What measures are in place to control which applications can run on our systems? Have we established a system to prevent unknown applications from running on our devices?
2. Patch Applications
Patching applications involves identifying missing patches and security updates through vulnerability scans. It also ensures timely patch installations and removes unsupported applications addressing vulnerabilities in the security framework.
How often are software applications updated to protect against vulnerabilities?
3. Patch Operating Systems
Patching operating systems means regularly checking for updates, analysing vulnerability data, and rigorously testing new patches to enhance your operating system security.
Do we upgrade our operating system regularly to address vulnerabilities?
4. Microsoft Office Macro Settings Configuration
This framework offers measures to mitigate and prevent potentially harmful macros that cyber attackers could exploit against your organisation.
What safeguards do we have in place to secure Microsoft Office macros? Are we leveraging internal tools to maximise safety measures in office?
5. User Application Hardening
User application hardening focuses on securing web-interacting applications like web browsers, Microsoft Office, and PDF software. It involves configuring settings to block ads, specific sites, and risky content that can lead to attacks.
Are browsers and document software hardened against attacks such as malicious ads and content?
6. Restrict Administrative Privileges
Restricting access to specific applications, files, and data bolsters your organisation’s defenses, ensuring that sensitive data is accessible only to authorised personnel.
Do we limit access and administrative privileges to authorised, pre-approved, and trained personnel?
7. Multi-factor Authentication (MFA)
MFA enhances security by requiring additional identifiers (beyond passwords) before granting access to applications or services.
What steps beyond password control exist to authenticate users and permit access to our systems and accounts?
8. Regular Backups
The Essential 8 emphasises the importance of regular backups for essential data, software, and configurations. It also outlines requirements for managing access, modifications, and deletions of backups.
How often do we update data and test recovery systems in an emergency?
According to the ACSC, “organisations should identify and plan for a target maturity level suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved“.
As the strategies are complementary, you must plan to reach the same level of maturity across all 8 strategies before considering progression.
As Essential 8 specialists and Microsoft expert partner, we’ll step in to deliver Essential-8-based security solutions for your SME, whether this be an audit of your current set-up, collaborating with your team to build out a plan to reach the right maturity level for your company or educating your team on the proper steps to take for the right maturity level.
Current Retrac customers can rest easy knowing our expertise and commitment to aligning with these government standards are at the forefront of every security measure we take. You’re well positioned to confront any cybersecurity challenges ahead.
Reach out to the team at Retrac to find out how aligned your systems are to the Essential 8 today.