Have you heard of the Australian Government's 'essential 8'? If you're responsible for IT in your business, then hopefully you have. But if you haven't, here's the short explanation...
The essential 8 was developed by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD). Its purpose is to set a baseline 'standard' of cyber-security that businesses should have in place in order to minimize the risk of a data breach.
It's important to understand that the essential 8 is a best-practice guide, and you should treat it as a minimum requirement for your business. It recommends 8 mitigation strategies (application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups) in order to:
- prevent malicious software (malware) successfully entering and executing within your business
- limit the extent of any cyber-security incident that does occur in your business
- recover lost data and make sure your systems remain available
Taking it one step further, the ACSC has published a maturity model with 3 maturity levels that you can benchmark your business against. Ranging from 1 to 3, businesses should aim for level 3 maturity in order to be fully aligned with each of the 8 strategies.
Remember, under the Privacy Act the Notifiable Data Breaches scheme means you must now notify the Office of the Australian Information Commissioner (OAIC), and anyone whose information may have been exposed, of any eligible data breach (one that is likely to result in serious harm). Aside from protecting your data, the essential 8 goes a long way towards ensuring you're never in a position where you have to declare a breach to the Government or to your clients.
8 is not enough
We believe that while the essential 8 is a good start, there are several other areas of cyber-security that a business should address to keep its risk of a breach as low as possible. With over 80% of data breaches affecting small & medium businesses, you can't be complacent. The reality is your business WILL be a target (if not already), and the likelihood of a breach is high if you aren't investing some effort in your cyber-security strategy. Set-and-forget just isn't enough.
So if you apply the essential 8 as your base, we recommend you overlay it with:
- regular security assessments
- dark web research - are your credentials for sale?
- a password management policy including Multi-Factor Authentication (MFA)
- security training for all users
- advanced incident detection & response
- mobile device security
- cloud-based gateway security
This list may look a bit daunting; however, much of it can be implemented quite easily. To start, we encourage you to learn more about the essential 8 and implement as much of it as you can in your business. We're of course happy to help with anything you need, but understanding this baseline is a good first step towards strengthening cyber-security (and minimizing risk) in your business.
If in doubt, please feel free to email firstname.lastname@example.org or call us on 02 4254 5444.