Government organisations in Australia face unique challenges in safeguarding critical citizen services.
Over the past 5 years alone, we have witnessed increasingly frequent and serious cyber breaches. Attacks on organisations from Service NSW to Medibank to the Parliament of Australia itself demonstrate just how vulnerable Australian data can be without robust cyber defences.
At the recent Tech in Government conference, our Principal of Security Consulting & Advisory, Tony Campbell, talked to a range of Government-based individuals to understand what their biggest challenges are. What became clear is that the adoption of the Essential Eight framework, in line with the recent Australian Cyber Security Strategy, is still a big hurdle for many Australian government agencies.
“Many organisations are struggling to meet the heavy demands of security legislation like the Essential 8 mandate. There’s a pervasive lack of faith in the efficacy of awareness programmes and phishing simulations, with most seeing them as mere compliance exercises. Additionally, a worrying number of organisations aren’t conducting proper cyber fire drills, failing to test their incident response plans with PR, marketing, the board, and executives.” – Tony Campbell, Kinetic IT
A quick recap of the Essential Eight
The Essential Eight is a set of cyber security strategies designed by the Australian Cyber Security Centre (ACSC) to help organisations protect themselves against various cyber threats. It includes eight key strategies that can be implemented to improve security posture.
Each strategy has different maturity levels, with Level 3 being the highest – and the level of security mandated by the Australian Government for the public sector.
Within the Essential Eight framework, the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre have outlined these specific controls as a baseline for cyber security:
- Application control: Ensure only approved applications can run to prevent malicious software from executing.
- Application patching: An automated patch management solution like Microsoft SCCM can keep all applications up to date and secure.
- Restrict administrative privileges: Implementing privileged access management makes it easier to control and monitor admin accounts, keeping the bad stuff out.
- Patch operating systems: Keep operating systems up to date to close vulnerabilities that attackers can exploit.
- Configure Microsoft Office macro settings: Disable or restrict the use of macros to prevent malware infections.
- User application hardening: Configure applications to resist exploits, such as disabling unneeded features.
- Multi-factor authentication: Login security protected by solutions like Duo Security adds a vital layer of protection against password theft.
- Regular backups: Ensure data is regularly backed up and easily recoverable to protect against data loss.
Understanding the Essential Eight for your organisation
One of the most common questions asked about the Essential Eight is: ‘How do we meet the requirements of Level 2 and Level 3 Essential Eight controls?’
Implementing and maturing these eight technical security controls may not always be practical for every organisation. Large organisations with extensive IT and cyber teams can manage myriad controls and operational overhead, but smaller teams face significant resource constraints.
We can’t stress this enough — committing to Level 3 is a tough ask of your team, and while the outcome is a significant boost to your security, it can bring considerable impact to operations.
It’s more important to understand what the security targets mean for your organisation before investing in higher maturity levels. Sometimes, security controls outside E8 might be more valuable.
A pragmatic approach to the Essential Eight
Understanding the Levels of Maturity
While reaching Level 1 maturity across all eight controls offers a decent baseline of protection, advancing to Levels 2 and beyond demands significant operational changes and compromises to user capabilities. For example, disabling unsigned macros is critical but resource-intensive and can disrupt routine business operations.
You really want to consider the benefits of a control, and how it aligns with your business security strategy, before diving into the implementation.
Consider your organisation’s size & resources
Many small to medium sized organisations grapple with limited resources and may not have dedicated security expertise in-house. This can make it tricky to implement and sustain higher maturity levels, but it doesn’t mean those higher levels are out of reach.
Smaller organisations can benefit from working with a technology partner that has the depth and expertise to determine what maturity levels are needed, the best pathways to implementation, and how to engage and upskill your first line of defence: your people.
Large organisations face their own challenges as well. Ensuring compliance across a mixed enterprise environment, especially one that isn’t predominantly Microsoft-based, can be technically invasive and complex.
For these organisations, it can be beneficial to seek expert guidance on how to coordinate controls across varied platforms, to achieve the highest standard across the board. Perhaps Service Integration is the first step if you’re a large organisation with a complex IT environment.
Realistic expectations & strategic decisions
It’s important for boards and senior management to understand the investments required to achieve and maintain higher maturity levels for the Essential Eight. They need to ask themselves whether aiming for higher levels is feasible and beneficial; are they willing to make trade-offs with other security programs in favour of the Essential Eight?
Considering your specific security environment and risk landscape, it’s crucial to assess whether the goals of the Essential Eight align with your organisation’s broader security strategy. Sometimes, it might be more pragmatic to achieve solid Level 1 maturity across the board and then selectively advance certain controls where they offer the most value and impact.
This approach ensures that security investments are optimally aligned with the organisation’s risk profile and business objectives.
Recent data breaches highlight the gaps
Recent data breaches impacting millions of Australians demonstrate how Australia is still in its infancy when it comes to strong cyber security. Among the high-impact breaches are the likes of MediSecure, Optus and Medibank.
While the Essential Eight mandates are the first step for all organisations, they do not guarantee protection against sophisticated cyber threats. That’s why it’s vital to not only comply with the mandates, but to go beyond them and ensure that you’re continuously improving your security measures.
There is no one-size-fits-all approach when it comes to cyber security.
But what we learned from Tech in Gov is that there are common barriers that government employees face, and it’s our job to find more strategic, integrated approaches that can help government organisations bolster their cyber defences.
Because at the end of the day, the stronger we all are, the better protected Australians will be.