In 2017, the Australian government laid out cybersecurity guidelines for all public and private sector agencies. Their eight cybersecurity attack mitigation strategies, called "The Essential 8," provide an excellent blueprint for security best practices for organizations worldwide. When implemented correctly, the Essential 8 provide every company with a solid, common-sense cybersecurity framework.
Amaxra examined the Essential 8 when it was recently cited by a speaker at a cybersecurity conference (it was also a point of pride since Amaxra's CEO and myself, Amaxra's CIO, are both Australian). These eight mitigation strategies help to systematically examine your corporate IT infrastructure, ensure that every component is correctly configured, and that you have instituted a baseline-level of cybersecurity at your organization. It's also a scalable cybersecurity framework that applies to organizations small to large.
As you read through the Essential 8 cybersecurity strategies, think about which ones you already employ, which are on your "to-do" list, and which you maybe hadn't already considered:
1. Execute only whitelisted apps and files
Every business IT setup should only allow approved and trusted applications to run on corporate-owned devices and managed networks. Any apps that are NOT trusted and approved by your corporate IT are put on your cybersecurity "blacklist" and unsafe. Blacklisted apps get automatically blocked while any "whitelisted" apps are safe for use.
Take an inventory of all the apps used across your organization. From this list you can determine which apps are used often, are produced by reputable companies, and updated regularly (e.g. apps from Adobe, Apple, Microsoft, Oracle, and similar companies). These applications are now considered on your whitelist. So, any files coming into your business from the web or email that don’t conform to your whitelist can be automatically blocked or quarantined.
2. Set apps to automatically patch
Because hackers and other criminals are always looking for weak spots in your IT systems, software developers routinely "patch" these cybersecurity holes in their apps. Now that you have a whitelisted set of applications, you should enable automatic download and install security updates for all your whitelisted apps. Adobe, Microsoft, and other enterprise app developers regularly release patches to address cybersecurity vulnerabilities as they are discovered. While some IT professionals at very large enterprise companies will choose to manually download and run compatibility test security patches before distributing them to the entire organization, most small to midsized businesses (SMBs) can automatically install security patches without any issues.
3. Harden your browsers and apps for all users
In our increasingly "cloud first" world, the web browser is an essential business tool. However, hackers know this and are always trying to exploit vulnerabilities in Apple Safari, Google Chrome, and Microsoft Edge browsers. The quickest and simplest way to guard against these browser-based vulnerabilities is to disable the ability for any browser on your corporate network to run Adobe Flash and Java from within the browser.
In addition, you can block all websites that do not use HTTPS, disable your users from adding browser plug-ins, ban certain domains/countries websites', and deleting cookies every time a user quits their browser. Because hackers know about whitelists, they can try to trick users into using embedded code hidden inside files that are typically found on IT whitelists. You can guard against these attacks by turning off certain features in your whitelisted apps, such as Object Linking and Embedding (OLE) Microsoft Office apps. While these measures may seem a bit extreme, they are very effective.
4. Disable macros on all Microsoft Office apps
A huge timesaver for anyone who spends most of their day in Microsoft Excel, an Excel macro is a programmable procedure that executes a set of commands in a spreadsheet or workbook. Unfortunately, hackers often embed dangerous malware into Excel macros then post them on legitimate-looking websites in the hopes someone who really needs to get a report done will download and run their hacked macro to save time. Macros are not just limited to Excel, as there are numerous macros for Microsoft Word and other Office suite apps.
Microsoft knows this is an issue and has improved cybersecurity for running macros in Office 365 apps. However, it is always better to be safe than sorry. Either disable macros within all Office apps or configure macros to be disabled on files not created or owned by users within your organization.
5. Update your operating systems
Do not believe in the myth that you do not get viruses on a Mac. Spending an extra $500 on a MacBook rather than a Windows 10 laptop because Macs "do not get hacked" is an expensive lesson I hope nobody reading this blog ever learns. Every operating system (OS) has vulnerabilities and you should configure all devices on your network to automatically patch their operating systems. The simplest and quickest way to accomplish this on a corporate level is a Microsoft 365 subscription. When your business has Microsoft 365, every existing computer with an outdated version of Microsoft Windows gets a free in-place upgrade to the latest version of Windows 10 Pro. Microsoft 365 subscribers not only get a constantly-updated (and more secure) operating system in Windows 10 Pro, every person in your organization also can install all of the Office 365 apps on multiple devices (including your iOS and Android phones and tablets).
It is also smart to check your corporate network for firmware updates to devices such as routers, switches, and Wi-Fi access points. In most cases, these updates can be rolled out automatically.
6. Enable multi-factor authentication (MFA)
As more employees are working remotely, MFA is a must for all systems access to your local network. Multi-factor authentication can be easily added to Microsoft 365 and Office 365 users in just a few clicks in the cloud-based Admin Center portal. This will force all users accessing shared apps and resources on the corporate network to authorize their identity using the Microsoft Authenticator app on their smartphone, a challenge-response code sent via SMS, or even biometric data via Windows Hello.
Amaxra has used MFA since it was available for our cloud-based IT and we find it to be the easiest and quickest way to significantly increase the security of your network.
7. Restrict administrator roles and access controls
People with IT administrator access should only have this top-level security access for administrative IT tasks. By granting "admin access" to a device on your network means that user can make changes to other users' accounts, the apps installed on their devices, etc. It should be obvious that admin access on a network can be a security vulnerability when in the wrong hands. That's why it's important to limit granting admin access to only those who need them and document the reasons why. Amaxra finds the easiest way to work with user access settings for devices on a corporate network is in the Microsoft 365 Admin Center portal because it's both a centralized entry point for managing your users and device access. A cybersecurity best practice is to review IT system administrator roles (and the reasons for making them an administrator) on a quarterly basis.
Amaxra also has a clearly-defined process for removing certain account privileges upon an employee's exit from the company. Along those same lines, we suggest making daily data backups so your organization can quickly recover just in case there is an incident when someone is on their way out.
8. Backup as much as possible every day
To expand on the last point, what happens if a disgruntled employee, malicious hacker, or just someone in your organization makes an innocent mistake and wipes out all your corporate data? Do you have a "clean" backup of that data that can be instantly accessed? Have you calculated how much time/money you will lose until you get to your data backup?
Amaxra recommends performing automatic daily backups of new information (added to your existing information) at a minimum. Keeping these daily "snapshots" of your device configurations, apps, and data ensures that if they are locked, damaged, or deleted, that they are recoverable. Our corporate backup strategy uses a cloud-based and very cost-effective solution that integrates with our companywide Microsoft 365 deployment.
Essential for your company's information security
Which of the Essential 8 strategies have your organization already implemented? Implementing these individual strategies provide enhanced cybersecurity protection to key components and operations at your organization. Although you can mix and match any of the Essential 8 strategies, they are designed to work together—protecting your organization with a comprehensive, multi-level approach. Our recommendation for any organization wanting to leverage the power of the cloud while maintaining a strong cybersecurity profile is a Microsoft 365 solution.
Amaxra experts have successfully deployed cybersecurity solutions for SMBs up to large enterprises. We can help integrate any or all of the Essential Eight cybersecurity strategies for your organization. If you're planning to deploy Microsoft 365 before the end of May 2019, then Amaxra will give you a 15% discount on all users in your organization for a year.
Contact me at firstname.lastname@example.org or call 425 749 7471 if you have any questions or comments on this blog.