In its report to Parliament in March, the Australian Cyber Security Centre (ACSC) stated that “Commonwealth entities continue to improve their cyber security; however, ongoing effort is required to maintain the currency and effectiveness of cyber security measures.
The ACSC continues to help entities improve their cyber security posture and resilience – including by implementing the Essential Eight, tailored to the risk level faced – and continues to help entities maintain their cyber security once they reach the right posture.”
It is right that Commonwealth entities should be under this scrutiny regarding their cybersecurity readiness, especially in the current circumstances. At a time of crisis like this, it is easy to focus on the massive health and economic challenges facing our society, and to take our eye off some of the other risks.
I find it even more encouraging that the ACSC acknowledge that despite the massive investment in cybersecurity from Commonwealth entities, in 2020 there is still room to ‘continue to improve’ those measures, and that an ‘ongoing effort is required’.
The report states that ‘the baseline adoption of the Essential Eight across the Australian Government still requires further improvement to meet the rapidly evolving cyber security threat environment. The ACSC Cyber Security Survey found current implementation of the Essential Eight must improve to meet the rapid changes taking place in the broader cyber security threat landscape.”
It’s a good lesson, and it does pose the question for the rest of us, about how ready we really are, and if we are simply content with our past decisions? Or, are we still striving to improve our cyber resilience and to continue challenging our readiness? Because that’s just what the cybercriminals are doing. They are still searching for new ways to infiltrate your organisation, and to do you harm.
Other government agencies, not-for-profits and indeed the entire private sector, large and small should be reflecting on the same questions and considering how prepared they really are.
A great place to start, is the ‘Essential Eight”. All leaders should reflect on the questions posed, and if you’re not sure, it’s your responsibility to ask the questions. Don’t leave it in the too hard basket and unfairly shift the burden to your Infosec or IT teams. These are existential risks for your organisation, and they deserve an open and honest, robust discussion, balanced with an equally thorough and collaborative response.
As daunting as cybersecurity may be, they are eight fairly simple concepts that technical and non-technical executives should understand.
In 2019, the ACSC responded to 427 incidents affecting Commonwealth entities, 18% of which relate to ‘Malicious email: An email sent with the malicious intent to gain unauthorised access to a network, account, database or website.’ Experts recommend a multi-layered, defence in depth approach to cybersecurity, and that is especially true with email. No one vendor can stop all threats, so don’t leave your business exposed. If your using Office 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. As a cybersecurity expert, leading a company that has defended businesses against malicious email threats since 2001, I know the risks and have seen the devastation firsthand.
We know that nine out of 10 businesses are being impacted by phishing, even when most have an email security solution in place. Don’t assume that’s as good as it gets. Don’t accept that risk. Explore other solutions to layer your email defences and to protect your brand, your people and your data.
We are all grappling with the current pandemic, and the enormous health and economic stresses that it brings to bear. It can certainly be overwhelming. However, I implore you, do not let the weight of our current situation distract your team from the perils of cybercrime. At a time when things are so fragile and, in the balance, the last thing that your organisation needs is a breach.
As Microsoft CEO, Satya Nadella reminds us, “One trillion dollars is lost every year because of cyber.” It is a wide ranging, indiscriminate scourge, and sadly at times like this the bad guys will be looking to profit from your distraction.
This is a summary of the Essential Eight, and you can read more here in full on cyber.gov.au.
Mitigation Strategies to Prevent Malware Delivery and Execution
- Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
- Patch applications. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
- Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
- User application hardening.Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
- Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
- Patch operating systems.Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don't use unsupported versions.
- Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
- Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
If you or your team have any further questions about your cybersecurity readiness, especially with respect to multi-layered email security, please reach out to my team for support at firstname.lastname@example.org.