Achieving intermediate cyber security

How to plan for and implement a road map to intermediate-level protection from cyber attacks.

Keeping your information safe from cyber security threats can be complex, with new threats and new solutions emerging all the time. For many organisations, working with a good IT support provider is one of the best ways to make sure your computers and website are safe.

Achieving intermediate-level cyber security should be a key target for every not-for-profit. Assessing your security against the Australian Cyber Security Agency’s Essential 8 mitigation controls will tell you where your organisation is along the road to being protected.

In broad terms, intermediate cyber security protection can be broken down into five main areas:

User access & authentication

  • Ensuring MFA is effectively configured on Microsoft 365/Google Workspace & sensitive internet-facing systems
  • Requiring strong passwords, and educating staff on choosing and using them securely (e.g. choose a passphrase of four or five words, don’t use the same password for multiple services or systems, change it immediately if compromise is suspected)
  • Eliminating or minimising & effectively managing shared user accounts (e.g. using a password vault)
  • Implementing processes to manage account breach risk – e.g. alerts, lockouts and/or log review, changing passwords immediately if compromise is suspected
  • Ensuring admin rights are minimised, require approval, are time limited & access is protected (via MFA, VPN, SSH, etc.)
  • Scheduling periodic system access reviews
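The alerting, lockout, log-review and access-review items above can be made concrete with a small script. The following is an added example, not code from the original guide or from any particular product: it runs a periodic access review over constructed account records (flagging accounts without MFA, shared accounts, admin rights with no expiry, and accounts inactive for more than an assumed 90 days) and then scans constructed authentication log lines for bursts of failed logins followed by a success, which is the pattern that should trigger a lockout, an alert and an immediate password change. The log format, field names and thresholds are all assumptions chosen for the example.

```python
"""Access review and account-breach-risk checks (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account records, shaped like a simplified identity export.
ACCOUNTS = [
    {"user": "alice", "admin": False, "mfa": True, "shared": False,
     "last_login": "2024-05-20T09:10:00+00:00", "admin_expires": None},
    {"user": "bob", "admin": True, "mfa": True, "shared": False,
     "last_login": "2024-05-21T08:00:00+00:00", "admin_expires": None},
    {"user": "finance-shared", "admin": False, "mfa": False, "shared": True,
     "last_login": "2024-05-19T12:00:00+00:00", "admin_expires": None},
    {"user": "contractor1", "admin": True, "mfa": True, "shared": False,
     "last_login": "2024-01-05T10:00:00+00:00",
     "admin_expires": "2024-06-30T00:00:00+00:00"},
]

# Constructed sample authentication log lines (assumed format).
AUTH_LOG = """\
2024-05-22T08:00:01+00:00 LOGIN_FAIL user=bob ip=203.0.113.7
2024-05-22T08:00:12+00:00 LOGIN_FAIL user=bob ip=203.0.113.7
2024-05-22T08:00:25+00:00 LOGIN_FAIL user=bob ip=203.0.113.7
2024-05-22T08:00:40+00:00 LOGIN_FAIL user=bob ip=203.0.113.7
2024-05-22T08:00:55+00:00 LOGIN_FAIL user=bob ip=203.0.113.7
2024-05-22T08:01:10+00:00 LOGIN_OK user=bob ip=203.0.113.7
2024-05-22T09:15:00+00:00 LOGIN_FAIL user=alice ip=198.51.100.4
2024-05-22T11:30:00+00:00 LOGIN_FAIL user=alice ip=198.51.100.4
"""

# Assumed review date and thresholds; tune these to your own policy.
NOW = datetime.fromisoformat("2024-05-22T00:00:00+00:00")
INACTIVE_DAYS = 90
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)


def review_accounts(accounts, now, inactive_days=INACTIVE_DAYS):
    """Return (user, finding) pairs for the periodic access review."""
    findings = []
    for a in accounts:
        last = datetime.fromisoformat(a["last_login"])
        if not a["mfa"]:
            findings.append((a["user"], "no MFA"))
        if a["shared"]:
            findings.append((a["user"], "shared account: move to a vault or eliminate"))
        if a["admin"] and a["admin_expires"] is None:
            findings.append((a["user"], "admin rights not time limited"))
        if now - last > timedelta(days=inactive_days):
            findings.append((a["user"], f"inactive for more than {inactive_days} days"))
    return findings


def parse_auth_log(text):
    """Parse '<iso-timestamp> <EVENT> user=<u> ip=<ip>' lines into tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the review
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((datetime.fromisoformat(parts[0]), parts[1], fields["user"], fields["ip"]))
    return events


def detect_failed_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Sliding-window count of LOGIN_FAIL per user.

    A user is flagged once `threshold` failures occur inside `window`; a
    LOGIN_OK shortly after the burst is marked as a likely compromise.
    """
    recent = defaultdict(list)
    flagged = {}
    for ts, event, user, ip in sorted(events):
        if event == "LOGIN_OK":
            if user in flagged and ts - flagged[user]["last_fail"] <= window:
                flagged[user]["success_after_burst"] = True
            continue
        if event != "LOGIN_FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the window
            q.pop(0)
        if len(q) >= threshold and user not in flagged:
            flagged[user] = {"count": len(q), "first_fail": q[0], "last_fail": ts, "ip": ip}
    return flagged


def access_review_report():
    """Run the access review over the constructed accounts."""
    return review_accounts(ACCOUNTS, NOW)


def breach_alerts():
    """Run the failed-login burst detection over the constructed log."""
    return detect_failed_bursts(parse_auth_log(AUTH_LOG))


if __name__ == "__main__":
    for user, finding in access_review_report():
        print(f"REVIEW  {user}: {finding}")
    for user, info in breach_alerts().items():
        print(f"ALERT   {user}: {info['count']} failures from {info['ip']}"
              + (" then a successful login: reset password now" if info.get("success_after_burst") else ""))
```

In practice the account records would come from your identity provider's export and the log lines from Microsoft 365, Google Workspace or your VPN, so the parser and field names would change; the review and burst logic stays the same, and the "failures followed by a success" signal is the one that should page someone rather than wait for the next log review.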

Information classification & security

  • Classifying stored information into security categories (e.g. sensitive, confidential, public)
  • Defining systems and repositories that can be used for each information category
  • Educating staff about how and where to securely store different data types
  • Where backups are required to protect information, taking steps to ensure they are reliable and secure, e.g. a significant restore test is performed annually
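A restore test is only meaningful if it checks that what came back matches what was backed up, not just that the restore job finished. The following is an added example, not the guide's own tooling or that of any backup product: it builds a small constructed source tree in a temporary directory, records a SHA-256 manifest at backup time, simulates a restore in which one file is corrupted and one is missing, and reports exactly which files are intact, missing, corrupt or unexpected. The file names and contents are constructed for the example.

```python
"""Backup restore test: verify restored files against a hash manifest (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    Returns lists of files that are ok, missing, corrupt (digest differs)
    or unexpected (present in the restore but absent from the manifest).
    """
    restored = build_manifest(restored_root)
    result = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(restored) - set(manifest))
    return result


def run_restore_test():
    """Constructed end-to-end demo: source -> manifest -> flawed restore -> report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"date,amount\n2024-05-01,100\n")
        (src / "policy.txt").write_bytes(b"Acceptable use policy v3\n")
        (src / "notes.txt").write_bytes(b"restore me\n")
        manifest = build_manifest(src)  # taken when the backup is made

        # Simulated restore: one file altered, one file never restored.
        (dst / "finance").mkdir(parents=True)
        (dst / "finance" / "ledger.csv").write_bytes(b"date,amount\n2024-05-01,999\n")
        (dst / "policy.txt").write_bytes((src / "policy.txt").read_bytes())
        # notes.txt is deliberately absent from the restore
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    report = run_restore_test()
    for status, files in report.items():
        print(f"{status:10s} {files}")
```

Store the manifest separately from the backup media (a corrupted or tampered backup should not be able to vouch for itself), and treat any entry in `missing` or `corrupt` as a failed restore test to be remediated before the next annual cycle.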

Device and network management

  • Implementing appropriate centrally-monitored firewall and antivirus protection
  • Securing all user devices (PCs, laptops, phones and tablets) with encryption and password protection
  • Maintaining the capacity to remotely wipe sensitive data if a device is lost or stolen
  • Centrally managed patching and updating, with critical patches deployed rapidly
  • Ensuring perimeter firewall and Wi-Fi configuration minimises security risk

Policies, risk management & compliance

  • Activating key security policies, covering end user acceptable use of technology, information security policy and practice, and cyber security incident response 
  • Conducting annual security tests to identify risks, e.g. phishing tests, network penetration tests if relevant, assessing system and device protections against the ACSC’s Essential Eight
  • Implementing an effective security risk management process, prioritising & remediating identified risks
  • Taking appropriate steps to meet all legal, regulatory & contractual obligations

User education

  • Effectively covering staff obligations, security risks of BYOD, good password practice, sensitive information & who to contact for help in the staff induction process and in annual refresher training
  • Using quizzes or phishing tests to check knowledge at least annually
  • Providing specific training & processes to support high-risk staff (accounts, CEO, CFO, IT, etc.) – e.g. phone call required to verify bank account changes
