Everyone needs a strategy, right? What are you doing to protect your business against cyber threats, and the real possibility of someone stealing or destroying your data. An attack could come in any number of ways, a data breach and the theft of critical data or possibly a ransomware attack and the destruction of important files. Many companies, especially in the SMB space don't even have the security basics in place and it can be difficult even knowing where to start. It's simply not enough these days to put a firewall and anti-virus program in place and sit back and relax. Believe me, I'd love it if that was the case, I’d be gladly taking a nap right now.
So where do you start?
A good place to start is by establishing a baseline, an essential set of strategies that makes it much harder for someone to compromise your systems and impact your critical data. It’s about getting the basics right first. The Australian Signals directorate (ASD) have just the thing with their Essential 8 strategies.
Who are the ASD and what is the Essential 8?............Great questions, I'm glad you asked.
The ASD is an intelligence organisation that advises the government on cybersecurity. The ASD has a list of strategies to mitigate cybersecurity incidents, it’s top 4 strategies have been mandatory for federal agencies since 2014. In 2017 the ASD released their top 8 essential strategies, building on these top 4. The strategies are becoming well known in the private sector and at Board and C levels.
The eight strategies are split into three categories, the first are strategies to prevent malware delivery and execution:
Configuring Microsoft Office macro settings
The second set of strategies are to limit the extent of a Cybersecurity incident:
Restricting administrative privileges
Patching operating systems
The third category contains a strategy to recover data and system availability:
Before considering implementing these strategies it’s important to understand what needs to be protected in terms of data and systems, what level of protection is required and who you're protecting against. Ideally every business would run a risk assessment to determine where they are most at risk and use this information to build their plans around the implementation of mitigation strategies. This is however not realistic and won’t happen for many companies. At a minimum, taking time to understand the environment and plan the implementation will help ensure efforts are focused in the right direction.
The ASD have built a maturity model around the Essential 8, with levels 0 through 4 for each strategy. They recommend aiming at maturity level 3 as a baseline. However, depending on the risk levels and threats to the business, level 4 might be more suitable and necessary for certain systems. Conversely, money may not be well spent aiming for a high level on low risk systems and data.
I'm not going to provide detail on the strategies today, but will cover them in more detail in future blog posts. I'll pass on my learning from past implementations, any gotchas and touch on products to consider. Hopefully these future posts can be of some value, especially for the SMB market, as in many cases solutions are targeted at the bigger end of town and knowing what to implement can be difficult.
Next stop we'll cover application whitelisting. Stay tuned.
Colin has over 20 years consulting experience working with organisations ranging from small business to large enterprises. He has consulted in the United Kingdom, Canada and Australia. He specialises in Microsoft based technology solutions, disaster recovery implementations and information security.