Every interface your organisation has with the outside world is a potential entry point for data breaches and cyber attacks. A breach can damage your organisation, your clients and your reputation, and dealing with the consequences and fixing the root cause is expensive and time-consuming. So it is worth thinking in advance about how to protect your organisation.
Cyber security can be divided into five domains, each of which needs its own response. You can assess your organisation against each domain using the table below (the table splits domain 4 into a policies row and a user education row).
1. Information classification & security
How your organisation classifies and stores its information, especially information that is sensitive, private or confidential.
2. User device management
How all networked devices in your organisation are protected, managed and monitored.
3. Network threat detection & alerting
How your organisation’s networks are firewalled and protected with anti-phishing, antivirus and intrusion prevention features, and how suspicious activity is detected and alerted on.
4. Policies, user education & compliance
An organisation’s cyber security policies cover acceptable use of technology, incident response, staff education, testing schedules and regulatory compliance.
5. ACSC Essential 8
The Australian Cyber Security Centre’s Essential 8 is a series of minimum security strategies organisations should implement to protect themselves against a range of online risks.
| Domain | Basic | Intermediate | Advanced |
|---|---|---|---|
| Information classification & security | We aim to keep sensitive data secure, but have limited formal controls that cover people, process and technology. | We have classified the information we store into categories (e.g. sensitive, confidential, public). | We have been independently assessed and confirmed as compliant against an information security standard such as ISO 27001. |
| User device management | Our PCs have firewall and antivirus protection, but it is not centrally managed or monitored. | User devices (PCs, tablets, mobiles) have centrally managed and monitored firewall and antivirus software. | As well as all intermediate requirements, any user device that does not comply with organisational policy (encryption, remote wipe, etc.) is blocked from connecting to organisational information stores. |
| Network threat detection & alerting | Network firewalls protect our internet connections. | Network firewalls and staff PCs are centrally managed, with monitored alerting during business hours and with antivirus and appropriate intrusion prevention features. Advanced phishing protections are enabled for high-risk staff such as the CEO, CFO and accounts payable. Suspicious user account activity (e.g. overseas logins) triggers an appropriate response. Legacy authentication that does not support MFA (e.g. basic authentication over SMTP, IMAP, etc.) is disabled. | A contemporary Security Information and Event Management (SIEM) system collects and analyses security events from all devices and accounts, identifying risks and the actions required. |
| Policies, risk management & compliance | Limited (if any) IT security policies exist and compliance is not well managed. | Key security policies exist covering information classification, use of personal devices, keeping organisational information safe, privacy and cyber security incident response. Regular security tests (phishing simulations, network penetration tests, etc.) are conducted to identify weaknesses. User accounts and logins are not shared between people. Single sign-on (SSO) lets users authenticate to most core systems with one set of credentials. Security risks are identified, prioritised, reviewed by executive management and actioned. | Bi-annual compliance testing identifies potential security risks. Security education is reinforced regularly and available on demand, in a way that engages staff and gives them the skills to secure organisational information. |
| User education | We rely on staff to educate themselves. | Staff receive security training when they start, covering how to keep organisational data safe (saving information in the correct location, spotting a phishing email, etc.). | Staff treat security as one of their key responsibilities and actively consider how to keep organisational information safe. |
| ACSC Essential 8 | We have not yet assessed ourselves against the ACSC’s Essential 8. | We fully meet Maturity Level One in at least six of the eight mitigation strategies; the two exceptions are application control and the restriction that prevents privileged users from reading email or browsing the web. | We are at Maturity Level Three in all eight mitigation strategies. |
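The "suspicious user account activity (e.g. overseas logins)" item in the network row, and the SIEM item that follows it, describe detection logic rather than a product. As an added illustration (not code from the original page or from any vendor), the script below runs two such checks over a constructed sign-in log: successful logins from a country the organisation does not operate in, and "impossible travel" (one user successfully signing in from two different countries within a short window). The log format, the expected-country set (`AU`) and the four-hour travel window are assumptions for the example; a real deployment would read the same fields from the identity provider's sign-in export.

```python
"""Flag overseas logins and impossible travel in a sign-in log.

Added example for the 'suspicious user account activity' control; not code
from the original page. The log format, EXPECTED_COUNTRIES and TRAVEL_WINDOW
are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"AU"}          # assumed: the organisation only operates in Australia
TRAVEL_WINDOW = timedelta(hours=4)   # assumed: two countries within 4 h is implausible travel

# Constructed sample log (not real data): timestamp,user,source_ip,country,result
SAMPLE_LOG = """\
2024-03-04T08:02:11Z,alice@example.org,203.0.113.10,AU,success
2024-03-04T08:15:40Z,bob@example.org,203.0.113.22,AU,success
2024-03-04T09:30:05Z,alice@example.org,198.51.100.7,NG,success
2024-03-04T10:01:00Z,carol@example.org,192.0.2.55,US,failure
2024-03-04T11:45:12Z,carol@example.org,203.0.113.9,AU,success
2024-03-05T02:00:00Z,bob@example.org,198.51.100.99,RU,success
"""


def parse_log(text):
    """Parse the CSV-style sign-in log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split(",")
        events.append({
            # 'Z' suffix rewritten so fromisoformat accepts it on older Pythons
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "ip": ip,
            "country": country,
            "result": result,
        })
    return events


def find_overseas_logins(events, expected=EXPECTED_COUNTRIES):
    """Successful sign-ins from outside the countries the organisation operates in.

    Failed attempts are deliberately excluded here: they are a password-spray
    signal worth counting separately, but not evidence of a compromised account.
    """
    return [e for e in events
            if e["result"] == "success" and e["country"] not in expected]


def find_impossible_travel(events, window=TRAVEL_WINDOW):
    """Same user, successful sign-ins from two different countries within `window`.

    Returns (user, from_country, to_country, elapsed) tuples, one per
    consecutive pair of sign-ins that violates the window.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            elapsed = cur["ts"] - prev["ts"]
            if prev["country"] != cur["country"] and elapsed <= window:
                alerts.append((user, prev["country"], cur["country"], elapsed))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_overseas_logins(evs):
        print(f"OVERSEAS LOGIN  {e['ts']:%Y-%m-%d %H:%M}  {e['user']}  {e['country']}  {e['ip']}")
    for user, src, dst, elapsed in find_impossible_travel(evs):
        print(f"IMPOSSIBLE TRAVEL  {user}  {src} -> {dst} in {elapsed}")
```

On the sample data this reports two overseas logins (alice from NG, bob from RU) and one impossible-travel alert (alice, AU to NG in under two hours); carol's US event is a failure and is not flagged. Both checks are the kind of rule a SIEM would evaluate continuously; the "appropriate action" the table calls for is then the response tied to the alert, such as forcing a password reset and revoking the session.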