Cyber Security and The Essential Eight — keeping your digital infrastructure secure

Listen to AustCyber’s podcast ‘OzCyber Unlocked’ here: https://bit.ly/3B4dTDc

Since the start of the pandemic, global digitisation has accelerated at breakneck speed, and cyber attacks are impacting both businesses and individuals more than ever before. Critical to safeguarding Australia against these threats, is a consideration of what’s dubbed the ‘Essential Eight’ — the Australian government’s top eight cyber security strategies that when implemented effectively, equip digital infrastructure with the best chance of becoming cyber secure.

Jennifer Stockwell, National Cyber Security Principal at Telstra believes implementing the Essential Eight, as a minimum, will make it much more challenging for adversaries to compromise systems. “What we’re trying to do is harden the environment to over 85 percent of the techniques used in targeted cyber intrusions,” she said.

Keith Howard, Group CISO at the Commonwealth Bank of Australia is of similar opinion when it comes to the importance of the Essential Eight. He said, “There are three points that are relevant and necessary for most organisations to be across. First, is educating organisations on how threat actors are generally looking to compromise. Second, is articulating the implications of a ransomware attack. Lastly, it’s about reinforcing that the Essential Eight is a risk management framework, something that enables you to go after the largest risk.”

For Andrew Pade, the General Manager of Cyber Defence Operations at the Commonwealth Bank of Australia, the majority of cyber threats he witnesses can be addressed by the Essential Eight. Any organisation can implement the strategies using the tools that come with the products that are running in their environment. “Essentially, anyone in any organisation can understand that all security threats are chain events and so the Essential Eight is a way of managing and blocking attackers along that chain, even to the point of recovery, which is the eighth strategy,” he notes.

It’s also important to highlight that implementing the Essential Eight in an old environment is difficult because they were never set up to run in a way that we’re needing them to run now. They were never designed to meet the modern security standards, and so retrofitting them on older systems does come with its own set of challenges.

Mr Howard draws attention to another challenge associated with implementing the Essential Eight — the baseline organisations choose to establish is an incremental and ongoing investment they need to make, not something of a ‘set and forget’ nature. “There is so much you can choose to do in terms of cyber, and should do. It’s very important to prioritise the Essential Eight, given they have the potential to mitigate 85 percent of common attack factors.”

Stockwell said at Telstra, they’re using the maturity levels of the Essential Eight to meet the risk posture that has been agreed with the board to track and to demonstrate how they’re going to implement it. “Telstra is a very large and complex organisation with legacy systems and a very challenging threat landscape that is only increasing with nation-state and cyber criminal activity,” she said.

In large organisations, the challenge can be targeting different maturity levels for different classes of assets, which is a strong focus at Telstra. “Another challenge is holistically applying all of the Essential Eight strategies in parallel, rather than one at a time — you want to ensure you leave no doors open for attackers to come in,” Stockwell said. “We’ve seen a shift in adversary capabilities and tactics recently where they are more willing to try and gain a foothold into less significant parts of the network or other parts of the supply chain and move laterally. It’s not just about Telstra getting it right, it’s about how we help all of our supply chain and adjacencies get it right too,” Stockwell concluded.

Mr Howard is a supporter of demystifying cyber. “It’s very tempting to put your head in the sand when cyber is mentioned. There are a few basic things everyone can do to protect themselves; whether they’re individuals, micro-businesses or SMEs”. Mr Howard believes having complex passwords, offline backups and an education around phishing emails are a few things that will elevate anyone’s safety when it comes to cyber security.

For Suzy Clarke, Executive General Manager of Security at Xero, breaking down the barriers around cyber security and using plain language to enable people to understand the risks and solutions is really important.

Mr Pade agrees with the need to educate before people truly grasp the importance of the Essential Eight. “We need to be doing the basics. Patching is never exciting, but it’s important to get to a point where we see the Essential Eight as the basics of what we all need to do — then there’s additional things we can add on top of that,” he concluded.

Learn more about the Essential Eight in AustCyber’s podcast ‘OzCyber Unlocked’: https://bit.ly/3B4dTDc.