Cyber security: What it is and why it matters

The basics on why it's so important to protect your organisation's information.

Cyber security overview

Every interface your organisation has with the outside world is theoretically vulnerable to data breaches and cyber-attacks. These breaches and attacks can be damaging to your organisation, your clients, and your reputation. Dealing with the consequences and fixing the problem can be expensive and time-consuming. So, it’s worth thinking about how to protect your organisation.

Cyber security can be divided into 5 distinct domains, each requiring its own response. The table below can help you assess your organisation's response.

1. User access and authentication

Ensure only authorised people (users) have access to the organisation’s systems, applications, and data.

2. Information classification and security

How your organisation classifies, stores, and handles its information, especially information that is sensitive, private, or confidential.

3. Device and network management

How all end-user devices (computers and mobile devices) and network equipment in your organisation are protected, managed, and monitored. This includes how your organisation’s networks are firewalled and protected with anti-phishing, antivirus and intrusion protection features, and how alerts for suspicious activity are raised.

4. Policies, risk management, and compliance

An organisation’s cyber security policies, standards, and compliance processes ensure that information security is managed and appropriately governed. They cover acceptable use of technology, incident response, testing schedules, and regulatory compliance.

5. User education

How your organisation educates staff about its cyber security policies, including acceptable use of technology, incident response, testing schedules and regulatory compliance.

Self-assessment table. For each category, the three levels are Basic, Intermediate and Advanced.

Category: User access and authentication

Basic. We have:
  • Effectively configured MFA on Microsoft 365/Google Workspace & sensitive internet-facing systems.
  • Minimised administrative access.
  • Eliminated or minimised shared user accounts, and effectively manage those that remain.
  • Reviewed system access on a scheduled basis.

Intermediate. We:
  • Require strong passwords.
  • Have processes to manage account breach risk – e.g. alerts, lockouts and/or log review.
  • Minimise admin rights: they require approval, are time limited & are protected (via MFA, VPN, SSH, etc.).

Advanced. We use single sign-on (a secure, core authentication service) to access important IT systems/applications.

Category: Information classification and security

Basic. We:
  • Have considered data backup and configured it where necessary for all important information stores.
  • Perform a simple data recovery test annually.

Intermediate. We have:
  • Defined information categories (sensitive, confidential, public, etc.) and implemented them (e.g. sensitive data is encrypted).
  • A system register that records the approved information categories for each system.
  • Reliable and secure backups that meet retention / recovery requirements.
We perform a significant restore annually.

Advanced.
Technical controls restrict staff from storing or transmitting sensitive data incorrectly.
Data retention requirements are known and addressed in line with organisational needs and compliance obligations.

Category: Device and network management

Basic. We have:
  • An accurate list of organisational devices.
  • Only vendor-supported operating systems & applications in use.
  • Reliably patched device OS & applications through manual or automated processes.
  • Changed default infrastructure admin passwords.

Intermediate.
User devices have appropriate, centrally monitored firewall & antivirus software.
Sensitive information is securely encrypted & can be remote-wiped.
Patch management is undertaken centrally.
Critical patches are deployed rapidly.
Perimeter firewall and Wi-Fi configuration minimises security risk.

Advanced. We:
  • Have a process to identify, prioritise & manage technical vulnerabilities.
  • Use a vulnerability scanner effectively.
  • Block devices that don’t comply with policies (encryption, patching, etc.).
  • Build and maintain devices to best-practice standards (least privilege access, secure baselines, logging, etc.).

Category: Policies, risk management, and compliance

Basic.
Policies cover staff obligations & organisational cyber security protections.
A cyber security improvement plan exists.
The executive reviews cyber security protections, risks, and issues at least twice annually.

Intermediate. We have:
  • Performed an assessment against the ACSC’s Essential Eight and addressed key risks.
  • An effective security risk management process.
  • Annual security tests that identify & remediate risks.
  • Defined a security incident response process.
  • Taken reasonable steps to meet legal, regulatory & contractual obligations.

Advanced.
The organisation has been independently assessed and confirmed as compliant against an information security standard such as ISO/IEC 27001.

Category: User education

Basic. We have:
  • Induction & annual refresher training that effectively covers staff obligations, security risks, BYOD, good password practice, sensitive information & who to contact for help.

Intermediate.
Quizzes or phishing tests check knowledge annually.
Specific training & processes support high-risk staff (accounts, CEO, CFO, IT, etc.) – e.g. a phone call is required to verify bank account changes.

Advanced.
Training is engaging, tailored by role, available on demand & effective. A strong security culture exists – staff actively consider it their responsibility.
