Cyber Security incidents can have a detrimental impact on Australian businesses. With the increased reliance on internet-enabled services, companies are more vulnerable than ever. This has made them ideal targets for financially motivated cybercriminals with the issue being compounded, as many small businesses need more resources or time to create a comprehensive cybersecurity plan.
In the last twelve months, there has been an increase in the number and sophistication of cyber threats in Australia. The Australian Cyber Security Centre (ACSC) received over 76,000 cybercrime reports over the 2021-2022 financial year, an increase of nearly 13% from the previous year. For small businesses, the cost has also increased, costing on average over $39,000 per cybercrime reported. The cost of a cyber incident is not just monetary. It can cause irreparable damage to your consumer trust and compromise customer, business, and employee data.
For small and medium-sized businesses, it is essential to have cyber security mitigation strategies to help decrease the instances and impact of cyber incidents. The Australian Cyber Security Centre recommends the Essential Eight Framework to mitigate the risk of cyberattacks on Businesses.
What is the Essential Eight?
The Essential Eight is a framework recommended by the Australian Cyber Security Centre to help organisations protect themselves against cyber-attacks. It is designed to protect Microsoft Windows-based networks and systems. However, its principles can be applied to several situations and devices. In addition, it includes several mitigation strategies to reduce the risk of cyber threats significantly. This makes it the ideal starting point for many small and medium-sized businesses. The Essential Eight outlines several steps you can incorporate into your organisation’s existing systems to improve security and stability.
When implementing the Essential Eight, the first step is determining the maturity level you need. There are four levels, Level Zero through to Level Three. A Maturity Level of Zero signifies that an organisation has weaknesses or holes in their cyber security strategy. Grades One through Three recommend security measures of increasing strength and complexity to improve an organisation’s cybersecurity.
How to incorporate the Essential Eight into your business
If your business does not employ the Essential Eight, we recommend starting with Level One. Below are the critical components of this framework.
Apply application control
Application Control prevents unauthorised applications from being installed or run on a company computer. It’s a zero-trust security approach designed to protect against malware and untrusted applications. For example, in a Medical Centre, this could involve allowing access to only your practice management software, such as Best Practice or Medical Director, and related tools.
A practical method of implementing application control is to use Windows Defender Application Control (WDAC). This tool is included in Microsoft 365 Business Premium, a component of all GCIT-managed service plans.
Patch management ensures that all systems are up to date with available security patches promptly. Patches are necessary to close vulnerabilities or bugs in your software. This would involve updating programs such as Microsoft 365 with the latest updates.
Most business-specific software will deliver communications when updates are available. However, it’s the responsibility of the Business owner or IT Service Provider to ensure these are applied promptly. Patches and updates should be applied within two weeks of release or within 48 hours if a security exploit exists.
Configure Microsoft Office macro settings
Microsoft Office applications can create and execute macros to automate routine tasks. A macro is a sequence of automated actions that can replace mouse clicks and keystrokes to complete complex tasks. While these can be helpful tools, macros can also contain malicious code used by attackers to run harmful code or download malware.
We can manage the risks of Office macros using Attack Surface Reduction Rules in Microsoft Defender for Business, a Microsoft 365 Business Premium component.
User application hardening
Application Hardening involves reducing vulnerabilities in the applications your company uses. In the context of the Essential Eight’s Level One maturity model, Application hardening refers to security settings in the web browser. Specifically:
- Web browsers do not process Java from the internet.
- Web browsers do not process web advertisements from the internet.
- Internet Explorer 11 does not process content from the internet.
- Users cannot change web browser security settings.
These settings can be implemented using Security Baselines in Microsoft Intune, another inclusion in Microsoft 365 Business Premium.
Patch operating systems
A patch is a security update that fixes vulnerabilities. Like Application Patching, timely Operating System patching ensures your operating system has all current security updates installed.
Patches need to be constantly monitored to ensure systems are up to date. Security updates can be deployed per workstation using Microsoft Update settings. However, your IT provider can also manage them with a Remote Monitoring & Management (RMM) tool. Like many IT service providers, GCIT offers services to control Operation System patching through our RMM tool.
Restrict administrative privileges
Administrative Privileges allow a user to create, delete and modify files, settings, programs and other user accounts. A user with administrative privileges can significantly change an IT environment’s configuration and security posture. Administrative rights also allow users to elevate their operations and access sensitive information. Without restrictions on user accounts, malware and malicious code can cause much more damage, especially if the user that triggered it is an admin.
Restricting admin privileges also creates a more stable and predictable workspace, as fewer users can make significant environmental changes. Your IT Provider should regularly audit your environment’s permissions through consistent access reviews. They should also use the just-in-time access approach, ensuring users have the least possible privileges to perform administrative tasks for only the needed time.
Implement multi-factor authentication
When a user logs in to an account, multi-factor authentication requires multiple forms of authentication to prove their identity. This may come in the form of a password plus a generated code sent via SMS, email or authenticator app, or a secondary device that is already logged in and may need to approve access. An example is Apple’s multi-factor authentication which allows users to sign into their accounts using a password. They can then approve this action on an authorised apple device such as an iPhone.
Multi-factor authentication is one of the most effective security measures a business can implement. When implemented correctly, it can make stealing credentials that can cause further malicious activities considerably more difficult. Microsoft reports that multi-factor authentication prevents 99.9% of identity-based cyberattacks. This effectiveness, combined with its ease of use, makes multi-factor authentication a vital first line of defence for any organisation.
Create regular backups
Businesses need to ensure they back up business-critical information. Backups are not just for quick recovery in the event of a disaster but can also be an operational requirement for some industries. For instance, general practices require it to achieve accreditation from the Royal Australian College of General Practitioners (RACGP).
Backup is the process of copying files or databases to ensure their preservation in the event of equipment failure, security and cyber breaches or other disasters. Businesses should check their backup system regularly, including testing its ability to recover data. The loss of critical data can impose a high financial and operational cost on your business. However, having a business continuity plan with a reliable and frequently tested backup procedure can mitigate some of these effects.
Protecting your business from cyberattacks is one of the most important steps to improve your business’s stability, improve customer trust, and ensure continued operations. However, it’s important to note that the steps outlined above cannot entirely remove the threat of a cyberattack. Still, they can mitigate the risk and hopefully decrease any attack’s severity and long-lasting impacts.
At GCIT, we are specialists in providing Cyber Security services to numerous businesses across Queensland and New South Wales. Our Award-winning cybersecurity experts can take the stress out of IT Security and make sure your data is secure.
Contact GCIT to find out how we can help your business or organisation protect against cyberattacks.