
The Essential Eight-cyber security mitigation strategy

Posted by Michael Trimblett on 19 August 2020

Before we talk specifically about the Australian Cyber Security Centre's (ACSC) recommended Essential Eight cyber security mitigation strategy, let's put the situation in perspective.

Reports are continuing to reveal facts and stats on cyber security that are increasingly alarming for small and medium-sized businesses (SMBs). There are more incidents and more dollars being lost than ever before. Let me take you through a few points.

Recently, the Australian Cyber Security Centre (ACSC) published the Small Business Survey Report: How Australian Small Businesses Understand Cyber Security. They received over 1700 responses. Some of the revelations from the survey are:

  • $29 billion is lost by small businesses every year
  • Nearly 50 per cent of SMBs under-spend on IT security annually
  • One in five small businesses that use Windows have an operating system that stopped receiving security updates in January 2020
  • Many businesses had incomplete or too little implementation of the Eight Mitigation Strategies

 

The latest Notifiable Data Breaches report indicates a rise in breaches (as reported under the guidelines for mandatory reporting). In the period July to December 2019, the main categories of reported breaches were:

  • 64% - Malicious or criminal attacks (including phishing, theft by insiders or outsiders, social engineering, malware, ransomware)
  • 32% - Human error
  • 4% - System fault

 

The same report highlighted the 5 industries being attacked the most:

  • Health service providers
  • Finance
  • Legal, accounting and management services
  • Education
  • Personal services

 

It's no secret that I have a passion for auditing, analysing, and developing and implementing strategies for cyber security mitigation. If I were to home in on one 'go to' mitigation strategy, it would be the Essential Eight. It is a relatively easy-to-understand, 8-point strategy that, as a whole, covers all angles of cyber security.

The 8 essential points are under 3 distinct defensive lines:

Mitigation Strategies to Prevent Malware Delivery and Execution 

  • Application control; 
  • Configure Microsoft Office macro settings; 
  • Patch applications; 
  • User application hardening

Mitigation Strategies to Limit the Extent of Cyber Security Incidents

  • Restrict administrative privileges; 
  • Multi-factor authentication; 
  • Patch operating systems

Mitigation Strategies to Recover Data and System Availability

  • Effective back-up regime

 

The first and most blatant revelation here is that standard antivirus software hardly gets a mention. An effective strategy is more behavioural and tangible than it is digital and automated. And just like a business's physical premises need a lot more than just locks on a door, a business's I.T. and data require many angles for effective cyber security.

 

If you have any concerns or ideas for your cyber security risk mitigation or even if you are not sure what you don't know, please give us a call for a no obligation discussion (on 02 4337 0700) or email me.

 

.....and here are some parting insights from the above mentioned ACSC survey.....
 

The most common barriers identified for small business owners to implement good cyber security practices are:

  • A lack of dedicated I.T. staff;
  • Complexity & self-efficacy;
  • Planning & responding;
  • Underestimating the risk of cyber security incidents

Author: Michael Trimblett
About: Michael has been in the information technology industry since 1998 and has a passion for everything technology. He has a technical background as a qualified network engineer and project manager and is committed to doing business in the I.T. industry ethically as prescribed by the Australian Computer Society's Code of Professional Conduct.