Building on the ‘Essential Eight’ with a people-centric approach to cybersecurity
Increased digital engagement, widespread remote working, and greater use of IoT (internet of things) are expanding attack surfaces and exposing many cybersecurity postures as inadequate. Organisations often combat threats by placing too much emphasis on technology alone and too little emphasis on people and their behaviour. A sole focus on technology is not the solution to this complex problem. People are an organisation's biggest single vulnerability, so any cybersecurity posture needs to be people-centric.
As part of my role at Proofpoint, I speak to many different CISOs within the private and public sector across our region each week. Some are very advanced in their cyber posture and maturity and know they can't rest on their laurels. However, CISOs in many other organisations have much work to do to drive the required cyber uplift. So, where do they start?
No doubt, organisations have invested heavily in cybersecurity controls. But these investments are commonly focused only on preventing breaches, have limited access controls, and are often designed based on an assumption that sensitive data is accessed from office locations – not work-from-home/work-from-anywhere or other remote sites, as is more often the case.
Crucially, many companies cannot detect breaches quickly, and this, coupled with a constrained ability to speedily recover from an incident, places organisations in a perilous position. No wonder that the impact caused by such breaches is so high. This can leave organisations with operations down, legislative breaches, financial loss and brand damage.
Organisations can address these challenges by gradually developing a cybersecurity posture which assumes that breaches will occur and ensures that organisations can recover quickly and with minimal impact.
Essential Eight provides checklists but additional frameworks are needed
There are multiple frameworks that can be used to ensure that cybersecurity postures are able to adapt and morph in response to changing threat and regulatory environments, while remaining aligned with accepted levels of risk. Within Australia, the 'Essential Eight' is one such framework.
The Essential Eight is an Australian cybersecurity framework developed by the Australian Signals Directorate (ASD). Considering the rapid digitalisation leading to expanded attack surfaces, the Australian government aims to significantly improve the cyber resilience of Australian organisations. The government mandates the use of the framework for federal government entities. The government also hopes that the private sector will widely adopt it.
The framework covers a series of technical controls relating to eight key areas, namely: application control; application patching; Microsoft Office macro settings; application hardening; restriction of administrative privileges; operating system patching; multi factor authentication; and regular backups. Organisations can measure their maturity levels against each of these eight areas and line up their desired maturity level with their risk management goals.
The framework offers significant benefits in that it provides clear technical goals, a range of mitigations that can align with desired cybersecurity postures and allows quick compliance checks. Importantly, many of the recommended controls permit policies and processes to be implemented by changing settings and configurations rather than making sizeable investments in new technologies.
Organisations that want a simple checklist approach to cybersecurity and have skills to implement recommended controls, can use the 'Essential Eight' to identify major gaps in their cybersecurity posture and make changes aligned with their risk tolerance. But merely following a checklist is not necessarily the key to building a well-protected organisation.
Essential Eight framework is not a 'silver bullet'
Although the 'Essential Eight' is a useful framework, it is not a "silver bullet," and ideally needs to be used in conjunction with other frameworks and guidelines such as NIST and MITRE ATT&CK. It does have a strong focus on prevention, which of course is especially important. But many recent attacks have shown that organisations need to change their posture to one that assumes breaches will occur and emphasises people-centred controls.
It is impossible to always prevent attacks linked to zero-day vulnerabilities such as Log4j and advanced persistent threats like nation state attacks. For this reason, organisations need to incorporate controls that can minimise the damage caused by breaches. These controls include but are not limited to micro-segmentation that restricts lateral movement, rapid detection of breaches and a proportionate automated response, and greater focus on security awareness and behaviours.
In Australia, there has been a series of high profile, large, data leaks involving sensitive customer data. These leaks are expected to lead to increased penalties for failure to adequately protect data. Now is the time for Australian organisations to step back, assess their risks and risk tolerance, evaluate their current controls, identify the gaps, and put people and processes in place to implement an adaptable posture – aligned with acceptable risk levels in new, more distributed technology environments
Cybersecurity technology investments should come after determining a desired set of policies and processes. The role of technology is to implement these policies and processes. Too often, companies buy technology reactively, after they encounter a threat and fail to pay appropriate attention to people and policies. Understanding attitudes and behaviours, identifying and focusing on people who pose the biggest risk, is fundamental to any cybersecurity posture. To be most effective, companies must pivot their thinking and strategies, putting people at the centre.
Australia faces a chronic skills crisis in most industries. This crisis is worsening in the cybersecurity business. Accessing needed cybersecurity skills is becoming almost impossible for some. This accelerates the need for non-technical staff to play a bigger role in cybersecurity and for much greater and better automation.
The Essential Eight framework is useful as a technical checklist, but checklists are not always focused on the risks at hand. It should be used in conjunction with other frameworks and guidelines while placing greater emphasis on making people more security-conscious and aware of the risks they and their organisations face. When combined with such a people-centric approach to cybersecurity, Essential Eight can serve as a valuable weapon in the defender's arsenal.