SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Compliance with Essential Eight cybersecurity has more business benefits than you might think
Fri, 13th Aug 2021

It used to be that the two certainties in life were death and taxes. For organisations at least, there is now a third — compliance with cybersecurity laws and regulations.

Unlike death and taxes, though, there's a silver lining. Done properly, cybersecurity compliance can significantly improve an organisation's security posture, minimise the risk and costs associated with a data breach, and improve operational efficiencies to provide a positive return on investment.

In Australia, the trend towards increased cybersecurity compliance is obvious. Over the last few years, we have seen the introduction of mandatory reporting for data breaches, and organisations are required to comply with the Australian Cyber Security Centre's (ACSC) Essential Eight Strategies to Mitigate Cyber Security Incidents.

The ACSC recommends that all Australian organisations implement the Essential Eight, which, it says, can be more cost-effective in terms of time, money and effort than responding to a large-scale cybersecurity incident. With ransomware attacks reported weekly or more frequently, even non-regulated organisations are starting to heed the ACSC's advice.

Almost a decade before ransomware attacks became such a common and devastating blight on society, the Essential Eight recommended next-generation cyber-mitigation strategies to protect against targeted attacks. Back then, the Australian government was concerned primarily with sophisticated nation-state attacks. Fast forward to the present day, and criminal ransomware gangs are using the same tactics, techniques and procedures.

Privileged access management front and centre

Privileged access management (PAM) is front and centre in the Essential Eight. This is most obvious in the requirement to restrict administrative privileges to operating systems and applications based on user duties.

But another cyber mitigation strategy pioneered by the Essential Eight — which the ACSC refers to as 'application control' — is also a type of PAM. The strategy calls for organisations to prevent execution of unapproved/malicious programs, including .exe, DLL, scripts such as Windows PowerShell, and installers.

Gartner refers to this sort of application control capability as privilege elevation and delegation management (PEDM). This enables intelligent listing of functions on computer endpoints and the revocation of local admin rights.

With these two PAM-based strategies, organisations significantly reduce the opportunities for malware to run on and gain control of endpoint systems.

Other elements of the Essential Eight also have a PAM component. Scanning solutions should be integrated with the centralised password vault where privileged credentials are secured. Otherwise, organisations face increased operational overhead to update credential access for vulnerability scans — or failure to meet privileged access requirements.

A PAM solution also simplifies the implementation of multi-factor authentication (MFA). The Essential Eight requires organisations to implement MFA for VPNs, RDP, SSH and other remote access. A PAM solution funnels authentication to these services through a central point so MFA can be implemented with a single integration rather than hundreds.

Cybersecurity solutions with a return on investment

Obviously, cybersecurity compliance involves costs. And, with the Essential Eight, there have been concerns about the costs associated with lost user productivity. Organisations that have tried to restrict administrative privileges or implement application control without the right solutions have often struggled. Often this is because the approach forces users to change their behaviour and makes it more difficult for them to do their jobs.

Cybersecurity should never just be a cost to the business, but also offer a return on investment. For example, with a PAM solution, users can log in once rather than logging into a large number of privileged accounts. They are also relieved of the burden of managing the passwords for each account.

When implementing application control, which somewhat unfairly has a reputation for 'admin rights being ripped away' from end-users, the right PEDM solution can make a huge difference to productivity.

Instead of a blanket approach to withdrawing admin rights, access to systems and applications can be controlled on a case-by-case basis. A PAM and/or PEDM solution should elevate access rights on demand. This allows users to run with admin privileges for short periods, subject to additional controls.

This means end-users don't need to worry about complex password policies — instead, they can benefit from increased convenience accessing applications and cloud-based services and less cyber-stress.

The result is a win-win-win — compliance with cybersecurity standards, an improved security posture, and more productive users who are less burdened by cybersecurity policies.

It may be unavoidable but, unlike death and taxes, compliance with the Essential Eight does have some advantages from a business perspective.