The Essential Eight - A Cyber Security Strategy For Australian Businesses

Running a small business is an exciting journey, but with increased reliance on technology, it's essential to protect yourself from cyber threats. Just like securing your physical shop, you need a strong shield for your digital assets. In information technology (IT), enterprises follow frameworks and adhere to specific standards which are both nationally and internationally recognised. Whilst there are many IT frameworks, there are three that are highly recommended by cyber security specialists:

  • ISO 27001/2: Developed by the International Organization for Standardization (ISO), 27001 is the primary international standard for Information Security Management Systems (ISMS), whilst 27002 provides guidance on its implementation. The core concept is to help organizations identify and address information security risks through a structured risk assessment process. It does this by segmenting information security into 14 key areas, and once a business is certified, it is internationally recognised as implementing best practices for information security. Obtaining this certification is expensive because the standard is thorough and comprehensive, and it is not necessary for a lot of small businesses.

  • NIST Cybersecurity Framework: Developed by the National Institute of Standards and Technology (USA), this is a flexible, risk-based framework that helps organizations of all sizes manage and reduce cybersecurity risks. Unlike ISO 27001, it doesn't provide strict requirements for certification. It is easier to understand from a non-technical perspective and utilises a risk-based approach. The framework has five core functions: Identify, Protect, Detect, Respond and Recover, and is implemented in tiers based on a business's cyber maturity. Because it is a framework and not a standard, it does not require an external assessment; the trade-off is that it does not give the business a certification.

  • ASD’s Essential Eight: Developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), this is an easy to understand, easy to implement set of mitigation strategies to help protect Australian enterprises. Due to its lack of depth and complexity, it’s not a “one and done” framework for all businesses; however, it is an excellent foundation for further cyber security implementation as an enterprise expands and seeks certification against a standard such as ISO 27001 mentioned above. It is a very useful mitigation strategy for small businesses and does not require the funds and resources that other frameworks do. This is why Local Defence Brisbane follows this mitigation strategy.

The Essential Eight: Your Cybersecurity Toolbox (Non-Technical Explanation)

Think of the Essential Eight as a set of tools to strengthen your business's defences against cyber attacks:

  1. Patch Applications: Software updates are essential. They fix security loopholes, just like patching a leaky roof prevents rainwater from damaging your shop's interior.

  2. Patch Operating Systems: Keep your operating systems (like Windows or macOS) up-to-date. These patches fix cracks and gaps in your digital defences.

  3. Multi-Factor Authentication (MFA): Passwords are not enough. MFA adds an extra layer, like requiring a fingerprint scan along with your password to access critical systems.

  4. Restrict Administrative Privileges: Limit administrative access to your systems. Not everyone needs a key to the back office; restrict admin privileges for better control.

  5. Application Control: Control what software runs on your computers. It's like creating an exclusive guest list to keep out uninvited programs that could harbour vulnerabilities.

  6. User Application Hardening: Simplify and streamline your software. It's like removing unnecessary clutter from your shop floor to improve safety – the less there is, the fewer places bad actors can hide.

  7. Configure Microsoft Office Macro Settings: Macros can be useful, but they can also be exploited by cybercriminals. Manage these settings to close potential entry points for attacks.

  8. Regular Backups: Think of backups as your business disaster recovery plan. If a cyberattack, system failure, or even accidental deletion occurs, having regular backups lets you get back on your feet quickly.

Small Business Cybersecurity Made Simple

The Essential Eight may seem daunting, but remember:

  • Start Small: Focus on implementing even a few of the Essential Eight strategies. Every step improves your security posture.

  • Seek Guidance: The ACSC has excellent resources for small businesses on their website, or you can consult a cyber security specialist.

Don't Let Cyber Threats Hold You Back!

Proactive cybersecurity protects your business's reputation, customer data, and financial stability. By understanding and gradually implementing the Essential Eight, you build a strong foundation for digital success.

Need Help Implementing the Essential Eight?

At Local Defence Brisbane, we help small businesses build robust cybersecurity practices. Contact us for a consultation and create a cybersecurity strategy that lets you focus on growing your thriving business.


