Don’t Become a Statistic: A Guide to the Essential 8

The Essential 8 framework. Heard of it? If not, you might be at risk. 

Your cybersecurity is the only thing standing between your business data and cybercriminals. The Australian government has developed the Essential 8, a framework of cybersecurity measures, to protect businesses like yours from these attacks. 

Read on to learn why implementing the Essential 8 is crucial to your protection. Plus, we’ve included three measures in the Essential 8 framework, and two extras, which you can use today to give yourself some immediate peace of mind. 

Why Cybersecurity is Important

If you’ve put your cybersecurity on the back burner recently, you aren’t alone. The Notifiable Data Breaches report from July – December 2021 shows that:

  • Serious data breaches are up by 6%
  • Malicious or criminal attacks account for 55% of all breaches
  • 85% of breaches steal personal and contact information

These statistics show two worrying trends. First, data breaches are becoming more common. Second, over half of them are deliberate attacks by real people, rather than accidental sharing. 

You might be thinking, “so what if they get it, my data isn’t that important.”

Unfortunately, these attackers aren’t just accessing your systems out of curiosity. In truth, they don’t care about you at all. You are just a way for them to target other people, like your employees and clients. For the 85% of businesses that have personal and contact information stolen, their lost data leads to fraudulent payments, identity theft and even blackmail.

Are You at Risk?

Any level of cybersecurity neglect makes you vulnerable. The longer you ignore the problem, the more vulnerable you will be. 

Technology is always evolving. This means attackers are continually evolving their methods as well. Unfortunately, the longer you wait to take action, the more ground you need to make up to modernise your systems and stay ahead of cybercriminals. 

The important thing to remember is that it is never too late! Attackers succeed because businesses lack security, but with proper protection, you can put them on the back foot.

You can do this by increasing your business’s Maturity Level. 

The Maturity Levels

Maturity Levels determine how well protected you are, how desirable your business is to a cyberattacker, and how sophisticated that cyberattack would likely be. 

There are four Maturity Levels, from 0 – 3.

  • Maturity Level 0: Minimal or no security, at risk of any attack
  • Maturity Level 1: Average security, at risk of being caught in widespread breaches, software exploits and phishing attacks
  • Maturity Level 2: Good security, at risk of industry-specific attacks with sophisticated tools and tradecraft tailored to their industry
  • Maturity Level 3: High security, at risk of specialised attacks with custom-made tools and social engineering

Read a detailed breakdown of each Maturity Level. 

Every business should aim to be at a Maturity Level 1. But the shocking truth is that the vast majority of small to medium sized businesses are at a Maturity Level 0 – without even realising! If all you’ve got is an antivirus installed, that would have protected you in the past, but your security needs to be more robust now. 

The nature of data breaches is also changing. They used to be a concern for mostly larger businesses, but small to medium businesses are increasingly being targeted by ransomware. 

Ransomware, which now accounts for 23% of all breaches, is a form of malware that downloads itself onto your network or devices and locks you out of your data. You are then asked to pay a ‘ransom’ to the attacker to get your data back.

Small to medium businesses are far more likely to pay these ransoms because they don’t have the same access to countermeasures that large companies and corporations do. Sadly, there is no guarantee that paying the ransom will save your data, or stop the attacker from blackmailing you again. 

Learn more about how to avoid, recognise and mitigate ransomware. 

With threats like ransomware making small to medium businesses high value targets, you cannot afford to put off moving to a Maturity Level 1. 

But how can you protect yourself?

The Essential 8 Explained

The Essential 8 is a mitigation framework designed by the Australian Cybersecurity Council (ACSC) to protect businesses from cyberattackers. 

The Essential 8 recommends security measures to be taken in the following areas:

  1. Application control
  2. Patch applications
  3. Configuring Microsoft Office Macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

*Note: the Essential 8 is designed for Microsoft Windows internet-connected networks. If your business is based on a cloud service, many of these strategies still apply, but you should supplement them with these resources.

Each security measure has a series of escalating mitigations depending on the Maturity Level you are trying to reach. These need to be implemented by a cybersecurity professional. Ask your IT company if they are able to complete the process, or if they can recommend a cybersecurity specialist. 

Read the required Essential 8 security measures for each Maturity Level. 

3 DIY Steps to Get a Head Start on the Essential 8

While implementing the entire Essential 8 framework is a job for professionals, there are three basic steps you can take right now to start protecting yourself. 

Automatic Updates

Turning on automatic updates might just be the simplest security measure you can take that produces the best results. 

One of the most common ways attackers compromise systems is through exploiting outdated software. By turning on automatic updates you can make sure you never have outdated software without ever worrying about forgetting to update.

It’s a good idea to turn this on across all of your devices and applications. It’s often as simple as changing a setting. If you are using Microsoft 365, you can enable automatic updates in just three steps!

Multi-Factor Authentication

Even strong passwords can be vulnerable to breaches. That’s why multi-factor authentication has become an essential part of modern cybersecurity. 

Rather than using a single device to log in, multi-factor will use multiple devices to authenticate you, hence the name. A common example would be logging into an account on desktop, and being sent a code to your phone via SMS. You then type the code into your desktop device, and you are logged in. 

What that process is doing is adding a second layer of protection to your account. If your desktop is compromised, the attacker would also need to compromise your phone to gain access. 

There can be more layers, and different devices, depending on the level of security you need. If you use Microsoft 365 you simply need to configure it.

If your business uses a 3rd Party Line of Business (LOB) app, ask your app providers if they support multi-factor authentication and can help you set it up. 

Regular Backups

Arguably the most important protection measure to take against data breaches is ensuring regular backups of your company data. As we discussed earlier, attacks are on the rise. To take the power away from hackers and make sure they don’t lock you out of your own data, you need a regular backup solution. 

First of all, any backup solution is better than no solution. But some are definitely more reliable and safer than others. For example, if you are using USB drives and swapping them out regularly, you may want to consider upgrading your solution sooner rather than later. As the last line of defence, a secure and robust backup solution is not only money well spent but also provides peace of mind for you and your team. 

Backing up your data means making sure it isn’t all stored in one place, like your desktop computer. Instead, you need to keep copies of it in multiple locations, preferably not ones that are linked by the same network, like your phone and your computer. 

While you may think your USB drive is safe, if your computer has been compromised, devices or accounts linked to that computer can also be compromised. 

Many cloud-based software services offer automatic, routine backups. Your data is stored on cloud servers which have strong cybersecurity, and is usually stored on multiple servers tied to separate geographical locations. 

Make it a top priority to contact your IT provider today to discuss and understand your backup solution. If you are unsure or need help please reach out and one of our experienced team members will be able to help. Contact us today. 

Two Bonus DIY Measures 

While these aren’t officially part of the Essential 8, it is best practice for businesses to have them. In addition to keeping you safe, both of these measures can save you time in the day-to-day running of your business. 

Email Spam Filter

Are you receiving tens, if not hundreds, of useless emails every day? 

A spam filter can remove the junk emails, and leave the important ones in your main inbox. Not only will this save you time, it will also protect you from any phishing emails that could put you at risk. You can choose from a number of different spam filters, or contact an IT company to have one installed. 

Learn about a Central Coast business that was receiving huge numbers of spam emails. 

Password Manager

Do you have the same password for everything? Maybe with a few different numbers at the end for some variety?

If you do, don’t feel bad. You certainly aren’t alone. Many people use the same password because it’s easy to remember. With a password manager, you don’t have to remember any passwords at all, and it is more secure. 

Password managers sync across your devices and use generated passwords to log you into your accounts. These passwords are different each time and are made up of random characters which are much harder to hack. 

This saves you from having to remember passwords, and from the annoyance of having to change them.

You can get password manager software yourself, or ask an IT company to install it for you. We recommend LastPass, and use it ourselves when we implement the Essential 8 for clients. 

Contact an IT Service

If you are concerned about your cybersecurity, contact your IT company and ask them if they can implement the Essential 8. If they can’t, contact another company or ask them if they can recommend a cybersecurity specialist. Don’t wait until you become a data breach statistic. 

If you don’t have an IT company to assist you, consider OneCloud IT Solutions. We see the Essential 8 as a fantastic starting point, but we also take further measures to make sure you are completely protected. 

We’ll conduct a complete audit of your current cybersecurity strengths and weaknesses. That way, we’ll know exactly what’s required to keep your business safe. 

Contact us to organise a cybersecurity inspection, or visit our website for more details.