Craig McDonald, 26 October 2021 13:22:00 AEDT

Defending Cyber Threats: Have You Implemented the Baseline Essentials?

Cybersecurity threats are at an all-time high and expected to intensify as we head into a new world of work, with a greater reliance on technology. Now, more than any other time in history, businesses need to have implemented, at the very least, baseline security measures, in order to be protected. As we near the end of 2021, and as our customers start gearing up for a more cyber resilient 2022, it can only be of benefit to review baseline cyber threat mitigation strategies to ensure we’re running a tight ship. 

The Essential Eight offers a technical guideline in Australia, and internationally, the U.S. National Institute of Standards and Technology (NIST) provides leaders and industry experts with the Cybersecurity Framework (CSF). I’ll briefly talk about both perspectives in this article, in the hope of providing some food for thought for businesses looking to review their cybersecurity practices.  

To begin with, let’s look at the ‘Essential 8 Pillars of Cybersecurity’ prescribed by the Australian Cyber Security Centre (ACSC), which offer a checklist of controls for mitigating cyber attacks. The ACSC and ASD recommend that all businesses implement the Essential Eight, as it is widely considered one of the most effective ways to protect networks from cyber threats. These eight are drawn from a much larger set of 37 recommendations, which you can find here: https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents  

Briefly, here they are:  

  1. Application control or whitelisting. To control the execution of unauthorised software. It’s designed to protect against malicious code or malware. When implemented robustly, it ensures only approved applications (e.g., executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets and drivers) can be executed.  
  2. Patching applications. To remediate known security vulnerabilities within a timeframe commensurate with a business’s exposure to a security threat, as advised by the ACSC. For example, once a security vulnerability in an internet-facing service is made public, it can be expected that malicious code will be developed by adversaries within 48 hours. In fact, there are cases in which adversaries have developed malicious code within hours of newly discovered security vulnerabilities.  
  3. Configuring Microsoft Office macro settings. This is to block untrusted macros, which can contain malicious code resulting in unauthorised access to sensitive information as part of a targeted cyber attack.  
  4. Application hardening. To protect against vulnerable functionality, it’s important that you run only what you need when it comes to applications. Application hardening, to put it simply, involves various processes like fixing vulnerabilities and removing any non-essential administrators from systems.  
  5. Restricting administrative privileges. To limit unnecessary access to systems. Threat actors often use malware to exploit security vulnerabilities in workstations and servers, and restricting administrative privileges makes it more difficult for an adversary’s malicious code to elevate its privileges, spread to other hosts, hide its existence, persist after a reboot, obtain sensitive information or resist removal efforts.  
  6. Patching operating systems. This is crucial and involves software and operating system updates that address any security vulnerabilities within a product or program.  
  7. Multi-factor authentication. An added layer of security for each online platform or account that you may access (that requires a login). The first layer is a combination of a username and password, and MFA is then an extra security blanket that further validates your identity via another device or service and makes it difficult for a third party to access your data.  
  8. Daily backups. To maintain availability and reduce the loss of business-critical  
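As an added example (my own script, not from the article or the ACSC's guidance), the following PowerShell audit reports whether item 3 above is actually enforced on a workstation: whether Office macros are disabled by policy and whether macros in files downloaded from the internet are blocked. It assumes Office 2016 or later (policy registry version key 16.0) and policy applied per user under HKCU\Software\Policies; treating VBAWarnings values 3 and 4 as meeting the intent of "block untrusted macros" is my assumption.

```powershell
# Added example (not from the article or the ACSC): report the Office macro policy
# for the current user, matching Essential Eight item 3 (block untrusted macros).
# Assumes Office 2016/2019/Microsoft 365 (policy version key 16.0) and per-user
# policy under HKCU\Software\Policies. An unset value means no policy is enforced
# and the user decides, which an auditor should treat as a finding.
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros (weak), 2 = disable with notification (user can
# still enable), 3 = disable except digitally signed, 4 = disable all without notification.
# Accepting 3 and 4 as "untrusted macros blocked" is my assumption.
$acceptable = 3, 4

foreach ($app in $apps) {
    $key  = Join-Path $base "$app\Security"
    $prop = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba  = $prop.VBAWarnings
    # blockcontentexecutionfrominternet = 1 blocks macros in files marked as from the internet
    $motw = $prop.blockcontentexecutionfrominternet

    if ($null -eq $vba) {
        $macroStatus = 'NOT ENFORCED (no policy value)'
    } elseif ($acceptable -contains $vba) {
        $macroStatus = "OK (VBAWarnings=$vba)"
    } else {
        $macroStatus = "WEAK (VBAWarnings=$vba)"
    }
    $motwStatus = if ($motw -eq 1) { 'OK' } else { 'NOT BLOCKED' }

    [pscustomobject]@{
        Application           = $app
        MacroPolicy           = $macroStatus
        InternetMacrosBlocked = $motwStatus
    }
}
```

Run it as the user being audited; a fleet-wide check would run the same logic through your endpoint management tool and collect the objects it emits.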

Along with the Essential Eight strategies, the ASD has also outlined three maturity levels to help companies determine their status and how they can improve. The maturity levels are defined as follows:  

  • Maturity Level One: Partly aligned with the intent of the mitigation strategy. 
  • Maturity Level Two: Mostly aligned with the intent of the mitigation strategy. 
  • Maturity Level Three: Fully aligned with the intent of the mitigation strategy. 

The NIST Framework  

The NIST CSF takes a less technical approach than the Essential Eight and offers a broad view of threat mitigation by covering five core functions that are imperative to cybersecurity. These are: Identify, Protect, Detect, Respond and Recover.  

NIST is less prescriptive and can be adapted to suit various technologies and industry sectors, and it offers a wider, non-technical stakeholder perspective on cyber risk management. You can learn more about the NIST Cybersecurity Framework here: https://www.nist.gov/cyberframework  

Implementation of the NIST Cybersecurity Framework is measured across the following tiers:  

  • Risk Management Process. Functionality and repeatability of cybersecurity risk management. 
  • Integrated Risk Management Program. Measures the extent to which cybersecurity is considered in risk management decisions.  
  • External Participation. Tracks the degree to which the organisation monitors supply chain risk and engages in sharing information with outside parties.  

From the outset, taking a non-technical approach means that this is an important framework for organisational leaders to consider when building their cyber resilience strategy. Businesses are encouraged to consider their own requirements and risks, and then use this to make informed cybersecurity decisions. The framework helps to identify and address cost-effective improvements.  

The Essential Eight and the NIST Framework are complementary: the Essential Eight gives the technical controls and the NIST CSF gives the leadership-level risk view, and working with both will put businesses in good stead to protect themselves from attacks.  

Easier said than done?  

In an ideal world, all businesses would have implemented these controls already, with the assumption that they have the resources, time and technical knowledge to do so. However, we know and understand that this is not realistic. In fact, a recent IT News article discussed the government mandating the Essential Eight for all federal departments and agencies, and revealed that “less than 3/10 Commonwealth entities self-assess that they are compliant with even the ASD Top Four” (Shadow Cyber Security Assistant Minister, Tim Watts). Self-assessment can be a rigorous and complex task for any business, albeit a necessary one. All we can do is continue to assist our customers with their cybersecurity strategies and encourage best practices so that their businesses are protected.  

Have we really covered it all?  

After reading this, I can’t help but offer a ninth ‘Essential’, which I strongly believe all businesses need to implement as part of their cybersecurity mitigation strategy.  

  9. Email Security. 

We know the statistics: 9 out of 10 cyber threats originate from email, and email is the primary vector for the delivery of a cyber threat. My team blocks thousands of malicious emails that threaten to halt businesses with one innocent click of a link. It doesn’t take much to understand why it’s such a dire threat. We live and breathe email on a daily basis, if not hourly, and cybercriminals have studied and exploited this social behaviour in depth. Therefore, it is imperative that advanced, specialist email security solutions, like MailGuard, are part of a cyber strategy aimed at building cyber resilience for business customers.  

I’m sure you will support me when I say that email security should form part of a baseline cybersecurity mitigation strategy. We see thousands of businesses being impacted by threats. In the last financial year alone, $81.45 million (AUD) was lost to Business Email Compromise, a rise of 54% from the previous year. The numbers are staggering, and enough proof to make email security essential. Wouldn’t you agree?  

Keeping businesses protected  

Nine out of 10 cyber-attacks start with an email, even though most businesses have an email security solution in place. Precisely because email is a critical tool, and arguably the most important means of communication for many businesses, it is imperative for businesses to consistently review their email security strategies to ensure they’re doing all that they can to stay safe. No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk, for example a specialist cloud email security solution like MailGuard to complement Microsoft 365. For more information about how MailGuard can help defend your inboxes, reach out to my team at expert@mailguard.com.au.  