If you’re starting from or near scratch, cyber security can seem daunting. But if we think of it as risk management rather than risk elimination, there are some effective first steps that can greatly reduce your exposure to breaches.
So what are the most basic, fundamental security measures to get your organisation to a minimum standard of adequate protection?
Step 1: Multi-factor authentication for each of your core systems
- 99.9% of attacks can be blocked with multi-factor authentication
- Most data breaches involve weak, default or stolen passwords
- 73% of passwords are duplicates
- 81% of breaches are caused by credential theft
Enabling multi-factor authentication dramatically reduces your cyber security risk and should be completed quickly to minimise the potential for data breaches.
Step 2: User education
Staff who don’t know what they should be doing are more likely to make innocent mistakes. It is very important that staff are made aware of what information is sensitive or critical and where it must be stored. Without staff training, email is a point of vulnerability: phishing continues to be the most common and most effective means by which information is compromised. If something looks wrong, staff should feel encouraged to call it out rather than ignore it.
Step 3: Essential Eight
As the old saying goes, an ounce of prevention is worth a pound of cure. To help organisations big and small, the Australian Cyber Security Centre (ACSC) has developed the Essential Eight, a customisable list of mitigation strategies that help protect against a range of risks. Reviewing these mitigation strategies in the context of your organisation, and deciding which actions you will take, is necessary to reduce the impact of cyber security incidents.
The ACSC website also offers advice and resources for small and medium-sized entities, including a range of step-by-step guides to setting up basic protections and a small business cyber security guide.
Step 4: Make cyber security risk management and governance a priority
An organisation’s defence is as strong as its weakest link. That’s why cyber security is an issue for the whole organisation to own, starting with the executive team. It is important that cyber risk is recognised as an organisational risk.
If cyber security is left to the IT team alone, others within the organisation can lose sight of how important their own role is in upholding good cyber security practices – which is why laying good foundations always beats simply throwing money at the IT budget. As well as developing appropriate policies and guidelines, your organisation may find value in an independent security review or intrusion (penetration) test of your environment.