The Essential 8: Cyber Security for Small and Medium Businesses in Australia
Introduction
Overview of Cyber Threats
Cyberattacks have rapidly become one of the most significant threats to businesses worldwide, with Australia experiencing an alarming increase in the frequency and sophistication of these attacks. From ransomware to phishing scams, no business is immune. While larger corporations often have the resources to invest in robust cyber security infrastructure, small and medium-sized businesses (SMBs) face unique challenges. Hackers target SMBs due to their lack of layered cyber security defences.
According to the Australian Cyber Security Centre (ACSC), a cybercrime is reported every seven minutes in Australia, and many of these incidents affect SMBs. With limited resources, these businesses often struggle to defend themselves against increasingly complex cyber threats, leaving them vulnerable to devastating attacks.
Vulnerabilities in SMBs
While large corporations can afford dedicated IT and cyber security teams, SMBs are typically at a disadvantage when it comes to resources and expertise. Small businesses tend to manage their IT and cyber security needs in-house, relying on limited knowledge or general IT support to secure their networks and data. This often leaves gaps in their defences, as cyber security is highly specialised and requires continuous monitoring and updates to remain effective.
On the other hand, medium businesses frequently engage external IT service providers to handle their technical needs. However, without clear direction from business owners and management, these outsourced teams may not prioritise cyber security adequately, focusing instead on operational issues like software updates or server maintenance. This can leave medium businesses similarly exposed to cyber risks. The involvement of business leadership in understanding and directing cyber security efforts is critical for both small and medium businesses.
Why Cyber Security is Critical for SMBs
The Consequences of Cyber Incidents
For SMBs, the consequences of a cyber incident can be catastrophic. Data breaches, ransomware, or business email compromise attacks can result in:
- Financial Losses: Cyber incidents can cost businesses hundreds of thousands of dollars, whether through lost revenue, stolen funds, or the costs of recovery and remediation. According to reports, the average cost of a data breach for small businesses in Australia can range from tens of thousands to several million dollars.
- Reputational Damage: A single cyber breach can significantly damage a company’s reputation. Customers may lose trust in a business that cannot safeguard their personal information, leading to lost business and a tarnished brand image.
- Operational Disruption: A cyberattack can bring daily operations to a standstill, whether through the destruction of critical data or the shutdown of essential systems. This downtime can be particularly devastating for SMBs, who may not have the redundancy or resources to recover quickly.
Many SMBs that experience a significant cyber incident never fully recover. A staggering percentage of small businesses go out of business within six months of experiencing a cyberattack, making it essential for these businesses to take proactive steps to mitigate risks.
Common Misconceptions
One of the most dangerous misconceptions in the SMB community is that cybercriminals only target large corporations. In reality, SMBs are equally—if not more—vulnerable to cyberattacks. Hackers often see smaller businesses as low-hanging fruit, assuming that they will have fewer defences and a lack of formal cyber security strategies.
Additionally, many SMB owners believe that their business is too small or niche to attract the attention of hackers. However, cyberattacks are often automated and indiscriminate. Cybercriminals use automated tools to scan the internet for vulnerabilities, and any business that falls within their parameters is a potential target, regardless of size or industry.
Introducing the Essential 8 Framework
What is the Essential 8?
To help Australian businesses strengthen their cyber security defences, the Australian Cyber Security Centre (ACSC) developed the Essential 8, a set of baseline mitigation strategies designed to protect organisations against cyber threats. This framework outlines eight essential measures that businesses of all sizes can implement to improve their cyber security maturity and reduce the risk of falling victim to common cyberattacks.
The Essential 8 is designed to be simple, practical, and cost-effective. It recognises that not all businesses have the resources to implement complex cyber security solutions and offers a scalable approach to building defences over time.
Purpose of the Essential 8
The Essential 8 framework is built around the idea of defence-in-depth, meaning that no single measure can completely protect an organisation, but together, these eight strategies can significantly reduce the risk of cyber incidents. By focusing on common entry points and vulnerabilities, the Essential 8 provides a roadmap for businesses to prioritise cyber security efforts.
The strategies are designed to:
- Prevent Malware Delivery and Execution: Stop malicious code from being downloaded and executed within business systems.
- Limit the Extent of Incidents: Implement controls to limit the damage caused by a cyberattack.
- Recover Data and Systems: Ensure data is backed up and can be recovered in the event of an attack.
The Essential 8 is not just for large organisations; it is particularly well-suited to SMBs as it provides a clear, manageable set of steps to improve cyber security posture. Importantly, the Essential 8 allows businesses to focus on the most critical areas first, before gradually increasing their cyber security maturity over time.
By adopting the Essential 8, SMBs can take control of their cyber security strategy, reduce vulnerabilities, and ensure they are better prepared to withstand cyberattacks.
Breaking Down the Essential 8
The Essential 8 framework is composed of eight cyber security controls, each playing a critical role in defending against common cyber threats. Here’s a simple explanation of each:
| # | Control | Description |
|---|---------|-------------|
| 1 | Application Control | Application control prevents unauthorised or malicious applications from running on your systems. By whitelisting only approved applications, businesses can significantly reduce the risk of malware or other harmful software being installed. |
| 2 | Patch Applications | Software vulnerabilities are a common way cybercriminals exploit systems. Keeping applications patched and up to date ensures known vulnerabilities are closed, making it harder for hackers to exploit outdated software. |
| 3 | Configure Microsoft Office Macro Settings | Macros in Microsoft Office applications (like Word or Excel) can be used by attackers to deliver malware. Disabling or tightly controlling macro settings reduces the risk of malicious code being executed. |
| 4 | User Application Hardening | Certain software, especially web browsers, can be hardened to reduce their attack surface. This means disabling or limiting risky functionalities, such as Flash, Java, or ads, which are often exploited by attackers. |
| 5 | Restrict Administrative Privileges | Administrative accounts provide elevated access to systems. Limiting these privileges to only necessary personnel and ensuring that they are used sparingly can greatly reduce the damage an attacker can do if they gain access. |
| 6 | Patch Operating Systems | Just like applications, operating systems can have vulnerabilities. Regularly applying patches and updates ensures that these weaknesses are fixed, keeping your systems secure. |
| 7 | Multi-Factor Authentication (MFA) | MFA adds an extra layer of security by requiring users to verify their identity with something they know (password) and something they have (e.g., a mobile phone). This significantly reduces the risk of account compromise. |
| 8 | Regular Backups | Backups ensure that in the event of data loss, ransomware, or a breach, critical data can be restored. Regular backups should be automated and stored securely, ideally offline or offsite. |
Prioritising the First 4 of the Essential 8
For SMBs with limited time, skills, or budget, focusing on the first four controls of the Essential 8 can mitigate a substantial portion of cyber risks. These four controls are the most effective in defending against common cyberattacks, such as ransomware and phishing, and provide a strong foundation for security.
Practical Tips for Implementation:
| Tip | Description |
|-----|-------------|
| Use Automated Updates | Where possible, enable automatic updates for applications and operating systems to ensure that vulnerabilities are patched quickly and without requiring manual intervention. |
| Disable Unnecessary Macros | Unless macros are essential to your business operations, disable them by default. If macros are needed, configure your settings to allow only digitally signed or trusted macros. |
| Leverage Cloud-Based Services | Cloud-based services can help manage application control and patch management more easily, even with limited internal resources. Many cloud services offer built-in application whitelisting and automated updates. |
| Outsource Where Necessary | If the business lacks in-house expertise, consider outsourcing the implementation of these controls to an IT service provider, but ensure they are directed by someone who understands the business’s cyber security priorities. |
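
The macro tip above can be verified on a Windows workstation by reading the policy value that Office consults. This PowerShell is an added example, not part of the original article or ACSC material; it assumes Office 2016 or later (registry version 16.0) with macro settings delivered by policy under HKCU, and the function name Get-MacroPolicy is hypothetical.

```powershell
# Added example: report the policy-enforced macro setting for each Office app.
# Assumption: Office 2016+ (registry version 16.0), settings applied via Group Policy or Intune.
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values written by the "VBA Macro Notification Settings" policy.
$Meaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroPolicy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$App,
        [string]$OfficeVersion = '16.0'
    )
    $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba   = $props.VBAWarnings                        # $null when no policy is set
    $inet  = $props.blockcontentexecutionfrominternet  # 1 = block macros in files from the internet

    if ($null -eq $vba) {
        $setting = 'Not set by policy (user can change it)'
        $verdict = 'REVIEW'
    } else {
        $setting = if ($Meaning.ContainsKey([int]$vba)) { $Meaning[[int]$vba] } else { "Unknown value $vba" }
        $verdict = switch ([int]$vba) {
            1                  { 'FAIL' }     # macros run without restriction
            2                  { 'REVIEW' }   # user can still click "Enable Content"
            { $_ -in 3, 4 }    { 'OK' }       # signed-only, or disabled outright
            default            { 'REVIEW' }   # unexpected value
        }
    }
    [pscustomobject]@{
        App                 = $App
        MacroSetting        = $setting
        BlockInternetMacros = ($inet -eq 1)
        Verdict             = $verdict
    }
}

$Apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
```

A value of 4 corresponds to the "disable them by default" tip and 3 to "allow only digitally signed" macros; a missing value means the setting is left to each user.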
Challenges and Solutions for SMBs
Time, Skill, and Budget Constraints
One of the biggest challenges SMBs face is the lack of time, expertise, and budget to fully implement all the cyber security controls in the Essential 8. Cyber security can often seem overwhelming, especially for small businesses where IT is managed by a single person or a small team. Medium businesses may outsource their IT, but without clear direction, these service providers may not focus on cyber security as a priority.
Outsourcing and Delegation
For many SMBs, outsourcing certain cyber security tasks to managed service providers (MSPs) is a viable option. However, it’s crucial that business owners or managers have a basic understanding of cyber security and the Essential 8 framework so they can guide their MSPs effectively. MSPs should be given clear instructions to prioritise cyber security in line with the business’s needs.
Alternatively, SMBs can delegate certain tasks internally by upskilling staff through training programs or cyber security awareness initiatives. This can help ensure that the business is not entirely reliant on external providers and that internal staff are aware of the risks and the importance of following security protocols.
Free and Low-Cost Tools
Even with budget constraints, SMBs can start improving their cyber security posture by leveraging free or affordable tools. Some examples include:
- Open-source Security Software: There are various open-source tools available for application control, malware detection, and patch management. For example, tools like OSSEC (for intrusion detection) and ClamAV (for antivirus protection) offer effective solutions for free.
- Cloud-Based Security Solutions: Cloud services such as Google Workspace or Microsoft 365 include built-in security features like automatic updates, multi-factor authentication, and application control, often at no additional cost to existing subscribers.
- ACSC Resources: The Australian Cyber Security Centre (ACSC) offers a range of free resources, including guides, tools, and templates, to help businesses implement the Essential 8. Their website also includes advice on how to start with cyber security without breaking the budget.
Beyond the First 4: Steps to Full Essential 8 Compliance
Long-Term Cyber Security Goals
Once the first four Essential 8 controls are implemented, businesses should gradually integrate the remaining controls: restricting administrative privileges, patching operating systems, enabling multi-factor authentication, and regular backups. As resources grow, these controls will further strengthen the business’s defence against advanced cyber threats, providing a more comprehensive cyber security posture.
Developing a Cyber Security Culture
Cyber security should become part of the company’s culture. Regular training and continuous education for all employees are essential to ensure everyone understands their role in maintaining security. Simple actions like recognising phishing attempts or updating passwords can have a significant impact when ingrained in daily operations.
The Role of Business Owners in Cyber Security
Strategic Oversight
Business owners and senior managers must actively lead cyber security initiatives, whether managing IT in-house or through external providers. Clear oversight ensures that cyber security remains a priority and aligns with the company’s broader business strategy.
Cyber Security as a Business Investment
Rather than viewing cyber security as a cost, business owners should see it as an investment in the company’s longevity. Protecting digital assets, customer data, and business operations from cyber threats will save money and protect the company’s reputation in the long run.
The Value of Cyber Security Training for SMBs
Skills Development for IT and Non-IT Employees
Having internal staff with cyber security knowledge, even if they aren’t specialists, helps SMBs respond more effectively to threats. Training both IT and non-IT employees to understand basic cyber security concepts can reduce vulnerabilities across the business.
Tailored Cyber Security Education for Business Owners
Business owners should invest in learning the fundamentals of cyber security, enabling them to make informed decisions and direct their IT teams or MSPs more effectively. Understanding the risks and solutions allows business leaders to protect their assets proactively.
Developing Cyber Security Skills with Asset College
Asset College’s Certificate IV in Cyber Security is an ideal program for business owners and employees looking to develop practical, real-world cyber security skills. This qualification equips participants with the essential knowledge needed to secure their business’s digital assets and protect against cyber threats.
For SMBs, this qualification provides hands-on training that can be directly applied to improving cyber security measures. From understanding the Essential 8 framework to implementing best practices in security, this course is designed to help businesses build a solid defence against common cyber risks.
Conclusion
By exploring Asset College’s Certificate IV in Cyber Security, businesses can stay ahead of evolving cyber threats and safeguard their operations. Whether you’re just starting with the Essential 8 or looking to deepen your knowledge, this course offers the skills needed to ensure long-term security and success.