The Essential Eight
The cornerstone of any cybersecurity review is an Essential Eight assessment. We can then determine what additional steps need to be taken to strengthen your business security.
The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight. The Essential Eight are designed to protect Microsoft Windows-based internet-connected networks.
It is therefore accepted as the gateway to reviewing a business from a security perspective. Based on the outcome of an Essential Eight review, it may be determined that additional steps are needed to strengthen your business IT systems.
What to expect from an Essential Eight audit
We like to start all security reviews with an Essential Eight audit because it is the best benchmark for assessing cyber-readiness.
Depending on your IT management model, this could involve us working with your existing IT company or an in-house staff member. We ask a lot of questions but nothing that an average user with basic knowledge of your system can’t handle. If you take a look at the chart we added to the next page, you will see the criteria we target.
Essential Eight / Cyber Security Audits are designed to be non-confrontational, and we don’t advise using them to assign blame. The intention is to identify risks to your business and take remedial action to increase the resilience of your IT systems. We want everyone on board, from management down. Cyber security impacts the whole organisation, so encouraging all staff to contribute will always lead to better organisation-wide outcomes. When people all think the same way, you can foster a change in mindset that leads to a more secure IT system and a security-driven culture.
At the conclusion of an audit, we will compile a detailed report that gives you a risk profile and, often, a series of recommendations on what fixes are required. You can either engage with our technical team or your own IT support to take the steps provided.
Most businesses need to take out Cyber Security insurance these days, but it is important to understand that insurance companies are unlikely to pay out claims where they can materially prove deficiencies in your IT systems.
Most insurance companies are requesting that you answer a number of key questions prior to being granted cover. Be careful not to just tick boxes, because if you have a cyber event that warrants insurance, they are going to do a deeper forensic examination before they award the cover.
Legislatively, the amendments to the SOCI Act require that specific critical infrastructure assets must report certain types of cyber security incidents. If you become aware that a critical cyber security incident has occurred, or is occurring, AND the incident has had, or is having, a significant impact on the availability of your asset, you must notify the Australian Cyber Security Centre (ACSC) within 12 hours after you become aware of the incident.
If you do nothing else this year in terms of IT, we recommend that you do an Essential Eight audit.