Cyber security fundamentals: Are you covering the basics?

Company directors have a responsibility to manage cyber security risk. But where do they start?

Cyber Security Fundamentals

Australian company directors have a responsibility, under both statute (the Corporations Act 2001 (Cth)) and the common law, to govern the management of cyber security risk effectively and to build cyber security resilience.

Section 180 of the Corporations Act imposes a civil obligation of care and diligence, which requires directors to guard against key business risks. Cyber risk has been recognised by the WEF as "the most immediate and financially material sustainability risk that organisations face today".

Small or large, for profit or not for profit, every director has a responsibility to make stronger cyber security practices a priority.

The Fundamentals in practice

The Australian Cyber Security Centre (ACSC) publishes 37 Strategies to Mitigate Cyber Security Incidents. Eight of these make up the Essential Eight, and the accompanying Essential Eight Maturity Model is often used as the baseline benchmark an organisation should meet.

In short, the mitigation strategies of the Essential Eight are as follows (the ACSC recommends implementing all eight together to a target maturity level rather than in a fixed sequence):

  • patch applications

  • patch operating systems

  • multi-factor authentication

  • restrict administrative privileges

  • application control

  • restrict Microsoft Office macros

  • user application hardening

  • regular backups.

To implement the Essential Eight, organisations should choose a target maturity level that suits their environment (the model defines Maturity Levels Zero to Three), then raise all eight strategies to each level in turn until the target is reached.

At ShadowSafe, we treat the Essential Eight as the fundamentals of a baseline cyber security posture. Our cyber security audits, SME service packages and SOC 2 consulting all use the Essential Eight as the baseline maturity model.

Are you covering the basics?

Directors know they need to oversee the building of a cyber-secure environment in their organisation. But where do they start?

ShadowSafe recommends directors start with 'implementing the basics', which can include the following building blocks:

≫ Stocktake your IT assets and services

Compile an inventory of all your business IT assets and services, including hardware and software systems. A maintained list lets you track every endpoint (device) you are responsible for; you cannot patch or protect what you do not know you have.

≫ Stocktake your data

Get visibility of where your data is being stored across different information systems, including cloud storage and applications, and who has access to the data.

≫ Implement access controls

Implement access and authorisation controls using the principle of least privilege (the minimum access required for staff to do their role).

≫ Enable multi-factor authentication

Enforce the use of multi-factor authentication (MFA) wherever possible, on all accounts, starting with privileged, remote-access and email accounts, to significantly reduce the likelihood of account compromise.

≫ Patch and protect

Ensure all your software and hardware are kept up to date, with automatic updates enabled and cloud-managed antivirus on every endpoint.

≫ Backup data

Back up data regularly (for critical systems, multiple times a day) to an isolated location that a compromised account or endpoint cannot reach, so the business can recover from IT failure, physical loss or ransomware, whether on-premises or in the cloud. Test restores periodically; an untested backup is only a hope.

While not exhaustive, these basic strategies can substantially strengthen an organisation's cyber security capabilities.
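As an added illustration (not code from the ShadowSafe page or its services), the following Python script turns the building blocks above into a scheduled yes/no check over a constructed, hypothetical inventory: hosts discovered on the network but missing from the stocktake, endpoints whose OS or application patches are older than a threshold, endpoints without managed antivirus or a recent isolated backup, accounts without MFA, and accounts holding administrative rights outside an approved admin role. The thresholds, role names, host names and dates are assumptions for illustration, not ACSC or ShadowSafe figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Endpoint:
    name: str
    owner: str
    os_patched_on: date              # last successful OS patch
    apps_patched_on: date            # last successful application patch
    av_managed: bool                 # enrolled in cloud-managed antivirus/EDR
    last_backup_on: Optional[date]   # None = never backed up
    backup_isolated: bool            # backup target not writable with the endpoint's own credentials


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    mfa_enabled: bool
    is_admin: bool


@dataclass(frozen=True)
class Finding:
    subject: str
    issue: str
    severity: str


# Illustrative thresholds (assumed); derive real ones from the maturity level you target.
OS_PATCH_MAX_AGE = timedelta(days=14)
APP_PATCH_MAX_AGE = timedelta(days=14)
BACKUP_MAX_AGE = timedelta(days=1)
ADMIN_ROLES: Set[str] = {"it-admin"}   # roles permitted to hold administrative privileges


def check_inventory(endpoints: Iterable[Endpoint], discovered_hosts: Iterable[str]) -> List[Finding]:
    """A host seen on the network but absent from the stocktake is unmanaged by definition."""
    known = {e.name for e in endpoints}
    return [Finding(h, "not_in_inventory", "high") for h in sorted(set(discovered_hosts) - known)]


def check_endpoints(endpoints: Iterable[Endpoint], today: date) -> List[Finding]:
    """Patch and protect, plus backup checks, against the thresholds above."""
    findings: List[Finding] = []
    for e in endpoints:
        if today - e.os_patched_on > OS_PATCH_MAX_AGE:
            findings.append(Finding(e.name, "os_patch_overdue", "high"))
        if today - e.apps_patched_on > APP_PATCH_MAX_AGE:
            findings.append(Finding(e.name, "app_patch_overdue", "medium"))
        if not e.av_managed:
            findings.append(Finding(e.name, "no_managed_av", "medium"))
        if e.last_backup_on is None:
            findings.append(Finding(e.name, "never_backed_up", "high"))
        else:
            if today - e.last_backup_on > BACKUP_MAX_AGE:
                findings.append(Finding(e.name, "backup_stale", "medium"))
            if not e.backup_isolated:
                # A backup the endpoint can overwrite is a backup ransomware can overwrite.
                findings.append(Finding(e.name, "backup_not_isolated", "high"))
    return findings


def check_accounts(accounts: Iterable[Account], admin_roles: Set[str] = ADMIN_ROLES) -> List[Finding]:
    """MFA everywhere; admin rights only in roles that are supposed to have them (least privilege)."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.mfa_enabled:
            findings.append(Finding(a.user, "mfa_missing", "high" if a.is_admin else "medium"))
        if a.is_admin and a.role not in admin_roles:
            findings.append(Finding(a.user, "admin_outside_admin_role", "high"))
    return findings


def gap_report(endpoints, accounts, discovered_hosts, today: date) -> List[Finding]:
    return (check_inventory(endpoints, discovered_hosts)
            + check_endpoints(endpoints, today)
            + check_accounts(accounts))


# Constructed sample data (hypothetical hosts, users and dates).
TODAY = date(2024, 6, 1)
ENDPOINTS = [
    Endpoint("fin-laptop-01", "finance", date(2024, 5, 25), date(2024, 5, 28), True, date(2024, 5, 31), True),
    Endpoint("web-01", "it", date(2024, 3, 1), date(2024, 5, 30), True, date(2024, 5, 31), True),
    Endpoint("reception-pc", "admin", date(2024, 5, 20), date(2024, 5, 20), False, None, False),
    Endpoint("nas-backup", "it", date(2024, 5, 30), date(2024, 5, 30), True, date(2024, 5, 31), False),
]
ACCOUNTS = [
    Account("alice", "it-admin", True, True),
    Account("bob", "finance", False, False),
    Account("carol", "marketing", True, True),
    Account("svc-backup", "it-admin", False, True),
]
DISCOVERED_HOSTS = ["fin-laptop-01", "web-01", "reception-pc", "nas-backup", "unknown-pi"]

if __name__ == "__main__":
    for f in gap_report(ENDPOINTS, ACCOUNTS, DISCOVERED_HOSTS, TODAY):
        print(f"{f.severity:6} {f.subject:15} {f.issue}")
```

In practice the Endpoint and Account records would come from the asset register, the MDM or EDR console, the identity provider and the backup system, and the thresholds from the maturity level the organisation targets; the point is that each basic becomes a question with a checkable answer that a director can ask for on a schedule.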


Partner with professionals to create a plan and implement best practices

The elevated cyber threat environment can be overwhelming for directors and leaders. Working with professional partners, such as ShadowSafe, can help ensure you are implementing the right strategies, frameworks and policies to manage cyber risk effectively and build a resilient business.

ShadowSafe can help your business implement the fundamental basics, as well as:

  • Conduct practical employee training that improves cyber awareness and resilience

  • Harden systems against advanced attacks and monitor them for intrusions

  • Develop a cyber incident response plan

  • and more...

Speak to our team today on 07 3185 1777.
