The essential eight - they're not a team of superheroes, but they will keep your business safe
Yes, ‘the essential eight’ might sound a bit like a group of battle-hardened comic characters but really they’re a group of powerful strategies that create a safety net for all things cyber when used effectively.
For anyone running a computer system in their business, proper cyber security is priceless. The model was set up by the Australian Signals Directorate back in 2017, and each step in it helps to secure systems connected to the internet.
Peter Shobbrook, security specialist at Canberra’s OPC IT, says when it comes to having a secure workspace the essential eight are, well, essential.
“This model works to limit the ability of attackers to access a system and, if a cyber criminal does manage to get through, reduce how much damage they can inflict,” he says.
“Steps are also designed to complement each other for broad and detailed coverage.
“Many of these strategies are very simple, yet time and time again we see people avoiding them in the moment for the sake of convenience.”
Peter is on the frontline through his role at OPC IT and stresses how important it is to take cyber security seriously. As part of a company that has supported secure technology in Canberra since the 1980s, he has the skills and resources at his disposal to stop cyber attacks before they happen.
The best place to start building your defence, Peter says, is with the essential eight:
1. Patch applications. Ensure that all applications are updated when an update becomes available. Unpatched applications can leave systems vulnerable to attack.
2. Patch operating systems. Keep all internet-connected technology up-to-date with the latest security patches.
3. Multi-factor authentication (MFA). Instead of just using a password, MFA adds an extra layer of protection by asking for additional verification to confirm a user’s identity, like a temporary code sent to a mobile or a fingerprint scan. Even if one factor (like a password) is compromised, there’s another layer of security to help protect accounts and data.
4. Restrict administrative privileges. Only give elevated privileges (changing base settings, downloading software, etc.) to the accounts that need them.
5. Application control. Ensure all applications that run on a business’s computers are known and approved before they can be installed.
6. Restrict Microsoft Office macros. Block Microsoft Office macros from running on any device unless absolutely necessary. Macros are embedded in Microsoft Office documents to carry out tasks automatically, but they can be exploited to deliver malware or compromise the security of a system.
7. User application hardening. Use the apps and settings recommended by the Australian Signals Directorate to securely configure business computers.
8. Regular backups. Make sure all essential data is properly backed up, and test backups to make sure they work.
Understanding what the above steps mean is one thing – implementing them is another. How ‘mature’ a cyber security system is depends on how many of them are in motion, but having them all set up might not be for every business.
The Directorate categorizes maturity in tiers, from zero, which shows significant weaknesses and exposure to attack from various sources, to three, which is mature enough to secure against actors targeting specific systems using sophisticated technology.
It’s a lot of information – to avoid becoming overwhelmed, Peter’s advice is to take things one goal at a time.
“Start by putting the simplest steps in place, like multifactor authentication, and work your way up from there,” he says.
“If you’re connected to the internet, it’s highly likely you deal with some sort of confidential data. Security changes across industries too – the baseline for a retail store, for example, will likely be lower than a bank.
“The size and nature of a business affects how they could be targeted by cyber actors, so think carefully about the level of maturity that will protect your operation best.”