In a wake-up call for corporate Australia, the Australian Securities and Investments Commission (ASIC)’s latest
The report offers an in-depth analysis of the current state of cybersecurity in Australia. This is especially relevant given that in recent times millions of people have been impacted by security incidents, such as breaches at Latitude, Optus, and Medibank.
It also highlights the challenges small and medium-sized enterprises (SMEs) face, particularly those grappling with resource constraints.
Our examination of the report's insights aims to equip small organisations with practical strategies for strengthening their defences. These strategies are tailored for businesses using Microsoft 365 cloud services.
Challenges Faced by Small Organisations
The ASIC report paints a clear picture of the cybersecurity maturity gap between different-sized organisations. Small organisations often find themselves at a disadvantage, particularly in areas like supply chain risk management, data security, and consequence management. This disparity calls for focused support to help these businesses navigate their unique cybersecurity challenges[1]:
- 34% aren’t in line with any cyber security standard,
- 44% skip over assessing third-party risks,
- 33% have trouble with multifactor authentication,
- 41% are lagging in updating their applications,
- 45% aren’t regularly scanning for vulnerabilities, and
- 30% are missing essential data backups.
These challenges highlight a critical need for strategies tailored to enhance the cyber resilience of small businesses.
Insights from an IRAP Assessor’s Perspective
When evaluated from an Information Security Registered Assessors Program (IRAP) perspective, the stark differences in cybersecurity maturity across organisations become apparent. Smaller businesses often grapple with:
- Misunderstandings about what cybersecurity involves,
- Gaps in specialised cybersecurity knowledge,
- Overreliance on in-house skills, missing out on external expertise, and
- Challenges in keeping up with tech advancements like AI and cloud computing.
The overarching message is consistent: small organisations should enlist external expertise to bolster their cybersecurity resilience.
The Importance of Proactive Cybersecurity Measures
A reactive approach to cybersecurity does not deliver good outcomes. A proactive approach is not merely advantageous; it is essential.
The Australian Signals Directorate (ASD) Cyber Threat Report 2022-2023[2] underscores this, revealing that for small businesses, the average cost of cybercrime has risen to $46,000, a significant 14% increase from the previous year. This cost starkly highlights the value of investing in cybersecurity controls to govern, protect, detect, and respond to cyber incidents. This figure does not fully capture the potential reputational damage or the long-term erosion of customer trust that can stem from a cyber breach. And once lost, reputation is incredibly hard to regain.
The return on investment is clear, and this is an urgent call to action for all businesses.
To succeed they must establish a well-rounded, multi-faceted digital threat strategy. We recommend a three-pronged strategy.
One: Cyber Security Principles
The core of a strong cyber defence lies in the Cyber Security Principles[3]. These aren’t just guidelines; they’re your strategic compass for boosting cybersecurity:
- Govern: Focus on identifying and managing those security risks.
- Protect: Put in place measures to lower those risks.
- Detect: Stay sharp and spot cybersecurity events.
- Respond: Be quick and efficient in handling and recovering from incidents.
Two: Cyber Maturity Model
This model, derived from the cyber security principles in the Australian Government's Information Security Manual (ISM), is a roadmap for organisations to evaluate and enhance their cybersecurity maturity. It provides a framework for managing and mitigating information security risks, helping organisations integrate cybersecurity into their broader risk decisions and engage with external cybersecurity communities.
Organisations should steadily work through each maturity level, assessing and fine-tuning as they go. This step-by-step approach allows for careful evaluation of new controls, monitoring for unintended consequences, and addressing issues as they arise. It also ensures that employees can adapt smoothly to changes in their work environment and procedures.
Three: Essential Eight Mitigation Strategies
The Essential Eight Maturity Model (E8MM)[4], developed by the ASD, guides organisations in implementing the Essential Eight mitigation strategies effectively. The E8MM defines four maturity levels (Maturity Level Zero to Maturity Level Three); each successive level is designed to mitigate an escalating degree of adversary sophistication and targeting.
For the purposes of this article we focus on Maturity Level 2. This level strikes a balance between robust security and manageable implementation, making it a practical choice for organisations aiming to enhance their defences while being mindful of resources. Note: check that you have a compatible Microsoft 365 subscription. Many of the controls below rely on Microsoft Intune, Defender for Endpoint and Entra ID Conditional Access, which require Microsoft 365 Business Premium (or an equivalent licence).
Mitigation Strategy | What and why | How |
---|---|---|
Application Control | Checks programs against an approved list and blocks anything not on it. Prevents unapproved programs, including malware, from running, denying attackers an easy foothold or a route to data theft. | Can be achieved with Windows Defender Application Control (WDAC), deployed via Microsoft Intune and integrated with Defender for Endpoint for event monitoring. WDAC governs what may execute on Windows devices, allowing only approved software and blocking unapproved scripts and applications. For more information see Implementing Application Control and Essential Eight application control. |
Patch Applications | Applies security fixes or mitigations in a timely manner and removes out-of-support applications. Closes the vulnerabilities attackers exploit to take over systems. | Maturity Level 2 has two components: technology, using Microsoft Intune or Defender for Endpoint to ensure patches are applied within the target deployment timeframe, and a vulnerability management process. For more information see Patching Applications and Operating Systems and Essential Eight patch applications. |
Configure Microsoft Office Macro Settings | Restricts macros to essential use cases and monitors their use. Stops macros from running malicious commands, reducing the risk of malware installation. | Can be achieved with Microsoft Intune, integrated with Defender for Endpoint for antivirus scanning and event monitoring. Disable macros for users without a valid business need, review trusted publishers annually, and use Intune Policy Sets for streamlined deployment. For more information see Restricting Microsoft Office Macros and Essential Eight configure Microsoft Office macro settings. |
User Application Hardening | Configures key programs for enhanced security. Strengthens program defences, making it harder for malicious websites to install malware. | Can be achieved with Microsoft Intune, integrated with Defender for Endpoint for alerts and logs that detect unauthorised PowerShell execution attempts. Deploy Intune configuration policies to remove unwanted features, apply ACSC hardening guidance for web browsers (e.g., disable Java, block web advertisements), and implement Attack Surface Reduction (ASR) rules. For more information see Technical example: User application hardening and Essential Eight user application hardening. |
Restrict Administrative Privileges | Controls access to and use of administrative accounts. Secures critical system controls, making it harder for attackers to gain extensive system access. | Five categories of control are required at this maturity level: identity governance (validate user access requirements), least privilege (limit access to what is required), account restrictions (reduce exposure), administrative devices (a separate environment for admin activities), and logging and monitoring (detect compromise). These can be achieved with Microsoft Intune, integrated with Defender for Endpoint for alerts and logs. For more information see Restricting Administrative Privileges and Essential Eight restrict administrative privileges. |
Patch Operating Systems | Applies security updates to operating systems in a timely manner. Closes the vulnerabilities attackers exploit to take over systems. | Maturity Level 2 has two components: technology, using Microsoft Intune or Defender for Endpoint to ensure patches are applied within the target deployment timeframe, and a vulnerability management process. For more information see Patching Applications and Operating Systems and Essential Eight patch operating systems. |
Multi-factor Authentication | Validates logins with additional checks beyond passwords. Increases login security, significantly reducing the risk of credential misuse. | Can be achieved with Microsoft Entra ID. Organisations need to define acceptable authentication methods (e.g., Microsoft Authenticator, FIDO2 security keys), authentication strengths (e.g., phishing-resistant MFA versus standard MFA), and the Conditional Access policies that enforce them. For more information see Configure Essential Eight MFA conditional access policies. |
Regular Backups | Ensures frequent backups of important data, software and configuration settings, held separately from production systems. Enables recovery after incidents such as ransomware attacks. | Microsoft provides a Shared Responsibility Model describing which responsibilities Microsoft holds and which remain with the organisation; customers always retain responsibility for their information and data. Retention policies and labels in Microsoft Purview control how data is retained within Microsoft 365, but retention is not a backup. Copying data out of Microsoft 365 can take significant time and storage: for a 50-user organisation the allocated quotas add up to roughly 56.5TB (50TB OneDrive at 1TB per user, 5TB Exchange at 100GB per mailbox, and 1.5TB SharePoint). Maturity Level 2 has two components: technology, using existing Microsoft services (e.g., OneDrive) or Azure Backup, and a business continuity and disaster recovery process that includes tested restores. For more information see Technical example: Regular backups and Why Pursue ACSC Essential Eight User Backup Guidelines?. |
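The Application Control row above says "use WDAC via Intune" but not how a policy is built, and the practical trap is deploying an allow-list in enforcement mode before you know what it will block. The following is an added example (not code from the article or from Microsoft's documentation) that builds a WDAC policy from a reference device and compiles it in audit mode. It assumes the built-in ConfigCI PowerShell module is available, an elevated session on the reference device, and the file paths and policy name shown are hypothetical placeholders.

```powershell
# Added example, not from the original article. Builds a WDAC policy from a
# reference device and leaves it in AUDIT mode. Paths and names are placeholders.
$PolicyXml = "C:\WDAC\E8-AppControl.xml"
$PolicyBin = "C:\WDAC\E8-AppControl.bin"
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Scan the reference device and allow what is installed today.
#   -Level Publisher : trust signed binaries by their publisher certificate
#   -Fallback Hash   : pin unsigned files individually so they still run
#   -UserPEs         : cover user-mode binaries, not only kernel-mode code
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs `
             -ScanPath "C:\" -MultiplePolicyFormat

# Rule option 3 = "Enabled:Audit Mode". Nothing is blocked; violations are logged.
# Rule option 16 = "Enabled:Update Policy No Reboot" so later revisions apply live.
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 16
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName "E8 ML2 Application Control (audit)"

# Compile to the binary that Intune delivers to devices.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# During the pilot, event 3076 in the CodeIntegrity log records every file that
# WOULD have been blocked. Review these before removing option 3 to enforce.
Get-WinEvent -FilterHashtable @{LogName = "Microsoft-Windows-CodeIntegrity/Operational"; Id = 3076} `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Only remove audit mode (`Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete`) once a pilot group has run through a full business cycle with no unexpected 3076 events; after enforcement, event 3077 marks actual blocks and should feed Defender for Endpoint alerting as the table describes.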
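The Office macro and user application hardening rows both end up as Intune settings, and the same "audit first" discipline applies. The following is an added example (not the article's or Microsoft's code) for piloting those settings on a single test device before building the Intune policy: it writes the Office macro policy values that the Intune ADMX settings set under the hood, enables the Office-related ASR rules in audit mode, and reads back the audit events. It assumes Defender Antivirus is the active antivirus, an elevated session, Office 2016 or later (registry hive 16.0), and that on an Intune-managed device the Intune policy will override these local values.

```powershell
# Added example, not from the original article. Pilot Office macro hardening and
# ASR rules locally in audit mode. Assumes Defender AV is active and Office 16.0.

function Set-OfficeMacroPolicy {
    # VBAWarnings: 4 = disable all macros without notification,
    #              3 = disable except digitally signed (for users with a business need)
    param([ValidateSet(3, 4)][int]$VbaWarnings = 4)
    foreach ($app in "Word", "Excel", "PowerPoint") {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name "VBAWarnings" -Type DWord -Value $VbaWarnings
        # Block macros in files that carry the Mark-of-the-Web (downloaded/email)
        Set-ItemProperty -Path $key -Name "blockcontentexecutionfrominternet" -Type DWord -Value 1
    }
}

# ASR rules that cover the macro and Office hardening controls. GUIDs are Microsoft's
# published rule IDs; the descriptions are for the report below.
$OfficeAsrRules = @{
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    "3B576869-A4EC-4529-8536-B80A7769E899" = "Block Office applications from creating executable content"
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" = "Block Office applications from injecting code into other processes"
    "92E97FA1-5D66-4C3C-8F76-4B4E09BFBC0F" = "Block Win32 API calls from Office macros"
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
}

function Set-OfficeAsrRules {
    # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    param([ValidateSet(0, 1, 2, 6)][int]$Action = 2)
    foreach ($id in $OfficeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-OfficeAsrState {
    # Read back what Defender actually applied (Intune may have overridden it).
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        if ($OfficeAsrRules.ContainsKey($id)) {
            [pscustomobject]@{
                Rule   = $OfficeAsrRules[$id]
                Action = $pref.AttackSurfaceReductionRules_Actions[$i]
            }
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 4   # default for users without a business need
Set-OfficeAsrRules -Action 2           # audit first
Get-OfficeAsrState | Format-Table -AutoSize

# After the pilot period: 1122 = audited (would have blocked), 1121 = blocked.
Get-WinEvent -FilterHashtable @{LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1121, 1122} `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Users with a documented business need get `VbaWarnings 3` (signed macros from trusted publishers only), which is what the annual trusted-publisher review in the table is protecting. Once 1122 events for the pilot group are explained, the same rule IDs go into the Intune ASR policy with action Block.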
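The Multi-factor Authentication row lists the three things to define (methods, strengths, Conditional Access policy) but not the order of operations that keeps you from locking the tenant out. The following is an added example (not code from the article or from Microsoft's documentation) using the Microsoft Graph PowerShell module to create a Conditional Access policy requiring phishing-resistant MFA for all users, in report-only mode, with a break-glass group excluded. It assumes the Microsoft.Graph module is installed, an account able to consent to the listed scopes, and that the group name `CA-Exclude-BreakGlass` is a hypothetical placeholder you create beforehand.

```powershell
# Added example, not from the original article. Creates a report-only Conditional
# Access policy requiring phishing-resistant MFA. Group name is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Entra ID ships built-in authentication strengths with fixed IDs:
#   ...0002 = Multifactor authentication
#   ...0003 = Passwordless MFA
#   ...0004 = Phishing-resistant MFA (FIDO2, Windows Hello for Business, certificate-based)
$PhishingResistantId = "00000000-0000-0000-0000-000000000004"

# Resolve the ID in this tenant rather than trusting the constant blindly.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $PhishingResistantId
Write-Host "Using authentication strength: $($strength.DisplayName)"

# Break-glass accounts must be excluded, or a mis-scoped policy locks everyone out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) {
    throw "Create the break-glass exclusion group (and its emergency accounts) before deploying this policy."
}

$policy = @{
    displayName = "E8 ML2 - Require phishing-resistant MFA (report-only)"
    # Report-only evaluates the policy against real sign-ins without enforcing it.
    # Switch to "enabled" only after reviewing the report-only results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $PhishingResistantId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the policy's effect in the Entra sign-in logs (Report-only tab) for at least a week: users who would fail are the ones who still need a FIDO2 key or Windows Hello for Business enrolled. The break-glass accounts themselves should use FIDO2 keys held offline and have their sign-ins alerted on, since they are the one deliberate gap in the control.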
Collectively, these principles, models, and strategies offer a comprehensive approach to cybersecurity, equipping organisations to anticipate and effectively respond to cyber threats.
Conclusion
Navigating the complex world of cybersecurity can be daunting, especially for small organisations. But with the insights from the ASIC 2023 report as a guide, enhancing cybersecurity strategies becomes a more manageable journey.
If you're seeking expert advice and support in strengthening your cybersecurity posture, the Pacific Aerospace Consulting cybersecurity team is here for you. Our services can help fortify your digital defences and arm you with the tools and know-how to stay resilient in the face of cyber threats.
References
- [1] Australian Securities & Investments Commission (2023). Report 776: Spotlight on cyber: Findings and insights from the cyber pulse survey 2023.
- [2] Australian Signals Directorate (2023). ASD Cyber Threat Report 2022-2023.
- [3] Australian Cyber Security Centre (2023). Cyber Security Principles. https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-principles
- [4] Australian Cyber Security Centre (2022). Essential Eight Maturity Model. https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model