
How Can These Australian Security Initiatives Help Your Business?

In recent years, Australian organisations have faced an escalating wave of cyber-threats, underscored by high-profile data breaches and sophisticated cyber-attacks. This troubling trend highlights the critical need for robust cybersecurity measures. Enter the Australian Cyber Security Centre (ACSC)’s Essential Eight and the Department of Education, Skills and Employment (DESE)’s Right Fit for Risk (RFFR) framework.

These serve as a cornerstone for cybersecurity defence, bolstering the Albanese government’s initiatives aimed at improving national cyber-resilience. However, they can be viewed as complementary to rather than a replacement for international standard ISO 27001.

Understanding the Frameworks

The Essential Eight is a set of strategies aimed at providing a baseline cybersecurity posture for organisations. These are designed to mitigate various cyber-threats, emphasising the importance of proactive measures such as application control, patching, restricting administrative privileges, multi-factor authentication (MFA), and regular backups.

According to Edward Farrell, CEO and principal consultant at Mercury Information Security Services, the Essential Eight originated from an analysis of the root causes of cyber intrusions over nearly a decade.

“It was originally the top four that formed part of the 35 mitigations to deal with cyber intrusions,” Farrell tells ISMS.online. “Today, it’s built out into the Essential Eight, which dealt with a plethora of new attacks that they were seeing. So, things like Office macros, breaching MFA, breaching username and password credentials through password guessing, and issues with Java and Flash, as well as the other things.”

RFFR complements the Essential Eight by offering a more tailored approach to managing cybersecurity risks. It focuses on understanding and addressing specific vulnerabilities within an organisation, encouraging a culture of continuous improvement and risk management. Together, these government initiatives help organisations to not only protect against known threats but also adapt and respond to new challenges as they arise, ensuring a robust cybersecurity posture in the face of evolving threats.

Breaches Galore

A recent spate of data breaches in Australia underscores the escalating challenge facing domestic organisations. An Australian Information Commissioner report covering January to June 2023 recorded a total of 409 breaches, a slight decrease from the previous period but a reminder of the persistent threat, with malicious or criminal attacks accounting for 70% of these incidents. The health and finance sectors emerged as the top victims.

However, no organisation is safe from potential compromise today. Notable recent incidents include a breach at Woolworths subsidiary MyDeal, affecting an estimated 2.2 million customers, and incidents impacting entities such as Nissan, Wollongong University, Boeing, Sony, Duolingo, Pizza Hut and DP World Australia. These ranged from ransomware attacks and data scraping to theft of sensitive customer and employee information.

The diversity and frequency of these incidents highlight the importance of implementing robust cybersecurity measures like the Essential Eight and RFFR, to build resilience in the face of mounting cyber risk.

The Albanese Government’s Cybersecurity Push

In response to the evolving threat landscape, the Albanese government has taken significant steps to bolster the nation’s cybersecurity – including a new national cybersecurity strategy.

However, Farrell suggests the need for a more nuanced strategy, tailored to the unique needs of specific Australian organisations and sectors.

“The reality is that we were doing small business cyber-health checks back in 2018…and they really didn’t take off,” he argues.

Essential Eight vs. ISO 27001

The Essential Eight focuses on practical strategies to mitigate cybersecurity incidents, specifically tailored to combat common cyber-threats. Its straightforward, actionable measures are designed for immediate implementation, covering aspects like application whitelisting, patching applications and restricting administrative privileges. It is particularly effective for organisations looking for clear, direct guidelines to enhance their cybersecurity resilience.

ISO 27001, on the other hand, provides a comprehensive framework for managing information security through an Information Security Management System (ISMS). It offers a holistic approach to information security, not limited to cyber-threats but encompassing all forms of information security. ISO 27001 requires organisations to assess their information security risks and implement appropriate controls tailored to their specific needs. This standard emphasises continuous improvement and compliance with a set of specified requirements.

RFFR vs. ISO 27001

RFFR is closer to ISO 27001. It encourages organisations to adopt a risk management approach tailored to their specific operational context. It aligns closely with the risk assessment and management principles of ISO 27001 but is specifically contextualised for the Australian cybersecurity environment. While ISO 27001 provides a broad framework applicable across various industries globally, RFFR zeroes in on the unique cybersecurity risks facing Australian entities.

A Broader Approach

Australian organisations are advised to integrate the Essential Eight, RFFR and ISO 27001 for a well-rounded cybersecurity strategy.

“Frameworks are great if it’s a very neat, tidy environment…whereas I think contextual changes and understanding the domain you’re operating in is going to vary each time,” Farrell argues.

He highlights the importance of adaptability, and the need for organisations not only to implement the foundational security measures provided by the Essential Eight but also to adopt the broader governance and risk management aspects of ISO 27001 and the contextualised risk strategies of RFFR.

Implementing the Frameworks

Implementing cybersecurity initiatives like the Essential Eight, RFFR and ISO 27001 can be complex, but a focused approach helps navigate challenges. According to Phillip Ivancic, APAC head of solutions at the Synopsys Software Integrity Group, one of the biggest hurdles is maintaining a culture where security controls are consistently applied, even when inconvenient.

“The Essential Eight itself recommends basic steps like maintaining patching, limiting administrative access, and ensuring backups are maintained and tested. All seemingly simple and common-sense controls. However, talking to customers, the biggest challenge they face is maintaining a culture of running these controls day in and day out,” he tells ISMS.online.

“Staff members need to understand their importance, and there needs to be a culture that keeps these basic controls in place even when they are not convenient. It’s simply not a ‘one-off’ piece of work but a framework for ongoing disciplines.”

Putting the likes of the Essential Eight and ISO 27001 into practice requires navigating challenges like resource allocation, integration with current systems, evolving threats, and fostering employee awareness. To do so, organisations should conduct thorough risk assessments to set priorities, allocate sufficient resources, adopt a phased approach to manage complexity, cultivate a security-aware culture, and regularly update security practices to counter new threats.

“For larger organisations, automating vulnerability management through Application Security Posture Management (ASPM) tooling, where manual penetration testing results are automatically compared to scanning tools with prioritised recommendations, is the biggest trend among my customers,” Ivancic adds.

By engaging external expertise and utilising automation for efficiency, organisations can strengthen their cybersecurity defences in a practical and sustainable way. Ongoing education remains vital to ensuring all staff members understand the importance of the security controls, and are disciplined about maintaining them consistently.

The Future of Australian Cybersecurity

As Australia navigates an evolving threat landscape, initiatives like the Essential Eight and RFFR and best practice standards such as ISO 27001 remain cornerstones of a proactive approach to cybersecurity.

Anticipating future government initiatives, Farrell suggests a push towards “enhancing collaboration between the public and private sectors” and a significant investment in “cybersecurity education and workforce development”. These efforts should help to improve the sharing of threat intelligence and information on vulnerabilities, ultimately fostering a more resilient cybersecurity ecosystem across Australia.

Best practice frameworks and standards are also expected to evolve in line with the threat landscape. The challenge, as always, will be to avoid playing catch up with the cybercrime community.
