Date posted: 28/01/2021 5 min read

Australian cyber cops’ cybersecurity essentials

The Australian government wants cybersecurity high on a board’s list of responsibilities, so what do directors need to know?

In Brief

  • As part of the Australian Cyber Security Strategy 2020, government wants the business sector to improve its cybersecurity protections.
  • The lead Australian agencies for cybersecurity have outlined Eight Essentials that businesses should implement.
  • Board members may eventually be held responsible for an organisation having adequate cybersecurity.

Cyber attacks from increasingly sophisticated actors threaten organisations across every sector. Whether it is a large ASX 100 company or a local bakery, organisations of all sizes need to take steps to limit the dangers posed by cyber threats or they will potentially face the consequences.

The ACCC’s Scamwatch has received more than 5170 scam reports mentioning the coronavirus to the end of January 2021, with more than A$6,280,000 in reported losses since the outbreak of COVID-19.

Common scams include phishing for personal information, online shopping and superannuation scams, and fake billing.

Fake billing involves scammers faking invoices from a business or supplier that an organisation usually deals with, and adding different account details. The payment then goes to the scammer rather than the legitimate business.

New responsibilities for company directors

Responding to growing online threats, the Australian government released its Australian Cyber Security Strategy 2020 in August last year and committed to investing A$1.67 billion over the next 10 years to achieve its vision of creating a more secure online world for all Australians.

As part of the strategy, the government is incentivising businesses to better protect themselves, their customers and their products from known cyber vulnerabilities.

“The government is incentivising businesses to better protect themselves, their customers and their products from known cyber vulnerabilities.”

One proposal being considered is that company directors have a legal duty to ensure a reasonable standard of cybersecurity.

At the moment, though, most board members are not well versed in cybersecurity, nor understand the impact it can have on their business. And many security leaders have approached security as a purely technical challenge, rather than also considering usability and ease of adoption for the organisation and employees.

What are the Essential Eight mitigation strategies?

To mitigate the effects of a cyber attack, the lead Australian agencies for cybersecurity – the Australian Cyber Security Centre (ACSC) and Australian Signals Directorate (ASD) – have recommended organisations implement these Essential Eight strategies as a cybersecurity baseline.

For board directors, this Essential Eight is a useful framework to assess a company's maturity level for cyber protection.

The Essential Eight are:

To prevent malware delivery and execution:

  • Use application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts and installers.
  • Patch applications and always use the latest version of applications.
  • Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’,
  • Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet as these are popular ways to deliver and execute malicious code on systems.

To limit the extent of cybersecurity incidents:

  • Restrict administrator privileges to operating systems and applications based on user duties (admin accounts are the ‘keys to the kingdom’ for hackers).
  • Patch operating systems.
  • Use multi-factor authentication (MFA) for remote access.

To recover data and system availability:

  • Make daily back-ups of important data and software settings.

Two key cybersecurity weapons

Two mitigation strategies can be especially potent for cybersecurity: multi-factor authentication and patching of software.

A recent advisory from the ACSC and ASD about a sustained targeting of Australian government and business networks states that: “During the course of its investigations the ACSC has identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the [actor’s] tactics, techniques and procedures identified in this advisory – patching of software and the use of multi-factor authentication (MFA) across all internet-accessible remote access services, including web and cloud-based email, collaboration platforms, virtual private network connections and remote desktop services.”

MFA is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and stealing sensitive information. It is proven to limit the extent of cybersecurity incidents, such as phishing, man-in-the-middle attacks and malware.

The value of a cyber audit

Many businesses already engage in essential audits to monitor risks within their organisation and a cyber audit shouldn’t be ignored, especially with how COVID-19 restrictions have forced an increased reliance on technology.

As well as benchmarking an organisation against the Essential Eight strategies, a cyber audit helps company directors understand the cyber risks a business faces and to develop appropriate strategies to deal with such threats.

Having a clearly defined cybersecurity management plan in place, which leverages proven mitigation methods, will not only keep clients, employees and suppliers safe; it will also give board directors and CEOs greater peace of mind.

Read more:

Passwords are not enough: the case for multi-factor authentication

More accountants are protecting data using multi-factor authentication, a trend organisations and experts are keen to encourage.

Read more

What today’s CFOs need to know about cyber risk

Cyber risks are financial risks, so today’s CFOs should see working with IT on a cybersecurity strategy as part of the job.

Read more