HSA July 2023

13.07.2023

MEMBER ADVICE

The Security Audit No Pub Should Ignore

The “Essential Eight” cyber security audit is a benchmark that every hotel should test themselves against. It will quickly tell you where your business has digital weak points that could be hacked.

There are many cyber security testing tools online, but the Essential Eight Cybersecurity Framework is the “gold standard” for Australian businesses. Key reasons:

1. It’s independent and it’s free. It was developed by the Australian Signals Directorate (ASD), which is the government’s top agency to defend against cyber attacks.
2. It is designed for business.
3. It gives you a numerical rating across eight areas.
4. The results provide you with a clear pathway to improve.

At Boylen, we tried a range of online tests for Essential Eight and chose a self-audit on the First Focus website. We used it to rate our security, but we used our existing IT supplier to toughen our defences.

How to Save Money on the Audit

The average business owner or manager can’t complete the Essential Eight on their own. It’s too technical. We have IT specialists on our full-time staff, so we were able to answer questions quickly. If you don’t have IT staff, you will need to meet your provider and ask them these technical questions. But you should sit in on the process so you understand what’s going on with your security at a high level.

Some businesses offer high-priced, all-in-one solutions. They’ll spend several days in your business, test a variety of computers on your premises and so on. But we believe that your IT supplier should be able to verbally give you yes or no answers in a meeting, which will enable you to complete the Essential Eight assessment in an hour or two. Where your IT advisor will make their money is in providing solutions, because you are guaranteed to find flaws that need attention.

Other Audits

The problem with some of the testing tools online is that they set the bar too low. For example, Boylen completed the government’s Cyber Security Assessment Tool and we rated at the top level – “Champion”. But we knew we weren’t! This was confirmed when we completed the Essential Eight.

THE “EIGHT” EXPLAINED

The Essential Eight covers eight fundamental areas of cybersecurity that every business should focus on. These strategies are designed to mitigate a range of common cyber risks and are based on extensive research and analysis of real-world cyber attacks.

28 | Hotel SA | www.ahasa.asn.au Back to Contents

As a business owner, you probably won’t understand each section. But you should have a top-level grasp of the concepts.

1. Application whitelisting: This control involves only allowing approved applications to run on your systems, thereby preventing the execution of unauthorised or malicious software. By creating a whitelist of trusted applications and blocking all others, you can significantly reduce the risk of malware infections and unauthorised access.

2. Patching applications: Keeping your software up to date is crucial in preventing cyber attacks. This control involves regularly applying patches and updates to your applications, operating systems, and firmware. Patching helps address known vulnerabilities and weaknesses that can be exploited by attackers.

3. Configuring Microsoft Office macro settings: Microsoft Office macros are a common vector for spreading malware. This control involves configuring your Microsoft Office applications to disable or restrict the execution of macros unless they are from trusted sources. By doing so, you can minimise the risk of malware being delivered through malicious macros.

4. Restricting administrative privileges: Limiting the number of users with administrative privileges can significantly reduce the impact of a security breach. This control involves implementing the principle of least privilege, where users are only given the minimum access rights necessary to perform their job functions. By doing so, you can prevent attackers from gaining full control of your systems even if they manage to compromise a user account.

IMPLEMENTING THE FIRST FOUR CONTROLS OF THE ESSENTIAL EIGHT FRAMEWORK

Now that we have a good understanding of the first four controls of the Essential Eight Cybersecurity Framework, let's delve into how you can effectively implement them in your organisation:

1. Application whitelisting: Start by conducting an inventory of all the applications running on your systems. Identify the ones that are essential for your business operations and create a whitelist of approved applications. Implement a robust application control mechanism that prevents the execution of any unauthorised software. Regularly review and update your whitelist as needed.

2. Patching applications: Establish a patch management process that ensures timely updates for all your applications, operating systems, and firmware. This process should include regular vulnerability assessments to identify and prioritise patches based on the level of risk they pose. Automate patch deployment wherever possible to streamline the process and minimise the window of exposure to vulnerabilities.

3. Configuring Microsoft Office macro settings: Configure your Microsoft Office applications to disable macros by default. Only enable macros for trusted documents or specific business processes that require their use. Educate your employees about the risks associated with macros and provide clear guidelines on how to handle macros from external sources. Regularly remind your employees to exercise caution when opening attachments or enabling macros.

4. Restricting administrative privileges: Conduct a thorough review of the administrative privileges assigned to user accounts in your organisation. Identify accounts with unnecessary administrative rights and revoke them.
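The four implementation steps above come down to yes/no facts about each computer: what is installed, how current its patches are, whether Office macros are locked down, and who holds administrator rights. As an added illustration (not part of this article, and not a tool from Boylen, First Focus or the ASD), the following PowerShell script gathers those facts read-only on one Windows PC so your IT provider can answer the audit questions from evidence rather than memory. It assumes Windows 10/11 with PowerShell 5.1 and Office 2016 or later (the 16.0 registry hive); the macro setting names and values are Microsoft's documented Office policy registry values.

```powershell
# Added example, not from the Hotel SA article: read-only checks for Essential Eight
# controls 1-4 on one Windows PC. Assumes Windows 10/11, PowerShell 5.1 and Office 2016
# or later (the 16.0 registry hive). Run as the user whose Office settings you are assessing.

function Get-InstalledApps {
    # Control 1 (application control): the inventory the whitelist is built from.
    $paths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

function Get-PatchStatus {
    # Control 2 (patching): newest installed hotfix and updates still waiting to install.
    $last     = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
    [pscustomobject]@{
        LastPatchInstalled = $last.InstalledOn
        PendingUpdates     = $pending.Count
        CriticalPending    = @($pending | Where-Object MsrcSeverity -eq 'Critical').Count
    }
}

function Get-OfficeMacroPolicy {
    # Control 3 (Office macros). VBAWarnings: 3 = only digitally signed macros run,
    # 4 = all macros disabled without notification; BlockContentExecutionFromInternet
    # 1 = macros in files downloaded from the internet are blocked. $null = no policy set.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $p = Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $p.VBAWarnings
            BlockInternetMacros = $p.BlockContentExecutionFromInternet
            MeetsControl        = ($p.VBAWarnings -in 3, 4) -and ($p.BlockContentExecutionFromInternet -eq 1)
        }
    }
}

function Get-LocalAdmins {
    # Control 4 (administrative privileges): every account that is an administrator here.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}
"Installed applications: $(@(Get-InstalledApps).Count)"
Get-PatchStatus       | Format-List
Get-OfficeMacroPolicy | Format-Table -AutoSize
Get-LocalAdmins       | Format-Table -AutoSize
```

A MeetsControl value of False, or a long administrator list, is exactly the kind of flaw the article says you are guaranteed to find; the output is the starting point for the review and remediation your IT supplier then carries out.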
