ASD's ACSC’s Small Business Cloud Security Guides provide technical examples organisations can use to improve their cyber security and protect against damaging cyber incidents. This page outlines everything executives need to know about the guides including who the guides are designed for, the security benefits they offer and the buy-in required from leadership.
Cyber security incidents can affect any organisation at any time. With the average cyber security incident costing over $39,000 for small businesses, organisations cannot afford to forgo investing in their cyber security. In recognition of the increasing prevalence of cloud computing, the Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC) has published the Small Business Cloud Security Guides. These guides are designed to provide protection against cyber incidents while remaining accessible to organisations which may not have the resources and expertise to implement a more sophisticated strategy.
Why invest in cyber security?
Cybercriminals and state-sponsored actors are using sophisticated techniques to compromise Australian organisations. ASD's ACSC responds to attacks against Australian organisations every day, with the biggest threats including:
- ransomware
- exploitation of security vulnerabilities
- software supply chain compromises
- business email compromise.
Simply installing the latest technology in your organisation is not good enough; cyber security thinking needs to evolve. Failing to invest in your organisation’s cyber security could lead to costly attacks, interruptions to operations, loss of data, reputational damage, legal liabilities and more. Implementing the Small Business Cloud Security Guides will help protect your organisation by making it much harder for cyber incidents to impact your Microsoft 365 capabilities.
Case Study: The Federal Court finds advice group failed to adequately manage cyber security risks
In 2021, the Federal Court delivered a landmark ruling that highlights the obligations organisations hold to manage their cyber security risks.
The ruling related to an Australian Financial Services licensee which suffered several cyber attacks over a six-year period. As a result of these attacks, the Federal Court found that the organisation had breached its obligations as an Australian financial services licensee.
In its judgement, the Federal Court noted a number of inadequate risk management practices across the organisation’s network. These included some of its authorised representatives failing to have up-to-date antivirus software, system backups, and email filtering or quarantining, as well as poor password practices. The organisation was ordered to engage a cyber security expert to improve its cyber risk management and to pay $750,000 towards the Australian Securities & Investments Commission's costs.
While this judgement related to obligations as an Australian financial services licensee, it should put organisations of all sectors on notice. Managing cyber risks cannot be an afterthought or an optional extra. It is increasingly being recognised as an essential responsibility of all organisations.
How to use the guides
ASD's ACSC’s Small Business Cloud Security Guides are made up of a series of technical examples which use strategies aligned with ASD's ACSC’s Essential Eight. They’re not designed for organisations looking to meet a specific Essential Eight maturity level. Instead, they have been designed as an easy way for organisations to protect against cyber threats and increase cyber security. These guides should be used as a reference only. Organisations should adjust the advice as required to suit their specific needs.
All organisations should implement cyber security mitigation strategies that are proportionate to their risk profile and risk appetite. The Small Business Cloud Security Guides are a good starting point for most small and medium sized Australian organisations that use a Microsoft 365 software as a service environment and have devices configured with Microsoft Intune. To find out more about which ASD's ACSC guidance is the best fit for your organisation, read ASD's ACSC Business Guidance Breakdown in the Small Business Cloud Security Guides – Introduction.
Resourcing considerations
Protecting your organisation from cyber incidents will require a financial and human resources investment. This investment should be a priority for all organisations. Investing in preventative measures is typically far less expensive than responding to a cyber security incident.
The Small Business Cloud Security Guides will require a resourcing commitment from your staff or IT managed service provider to implement and maintain. ASD's ACSC has endeavoured to use low cost or free solutions in this guide where possible; however, many security configuration options are unavailable in entry level Microsoft 365 subscriptions. To follow this guide, organisations will need a Microsoft 365 Business Premium subscription. Employees that require administrator roles will also need an Azure Active Directory Premium P2 subscription.
The eight mitigation strategies
The Small Business Cloud Security Guides apply the principles of the Essential Eight. The Essential Eight are the eight mitigation strategies ASD's ACSC has determined are essential to protect against cyber threats. They were selected as the most effective and highest priority strategies from ASD's ACSC’s Strategies to Mitigate Cyber Security Incidents. The strategies are underpinned by ASD's ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents and conducting penetration testing. Table 1, below, summarises each of the mitigation strategies including their benefits and costs.
Next steps
There are actions your IT team need to take before your organisation implements the Small Business Cloud Security Guides. These are outlined in the introduction to the guides. After completing these actions, your IT staff or IT managed service provider will be ready to review each technical example and adapt it to your organisation’s needs.
| Mitigation strategies | Benefit: Protect against malware | Benefit: Limit the extent of cyber incidents | Benefit: Recover from a cyber incident | Impost on organisation |
| --- | --- | --- | --- | --- |
| Application control: Reduces the risk of executing malicious programs. | ✓ | | | Users can only install applications that are deemed secure by Microsoft’s Intelligent Security Graph. |
| Patch applications: Fixes application security vulnerabilities. | ✓ | | | IT administrators must manage regular patching. If users rely on unsupported applications, the organisation may need to invest in upgrades or secure alternatives. |
| Configure Microsoft Office macro settings: Reduces the risk of running malicious macros. | ✓ | | | Users cannot run macros without demonstrating a business requirement. IT administrators must manage macro permissions. |
| User application hardening: Restricts the use of application functionality that is insecure. | ✓ | | | IT administrators must configure application settings. Users cannot use application functions that are deemed insecure. |
| Restrict administrative privileges: Reduces the risk that accounts with special privileges are compromised or used inappropriately. | | ✓ | | Users must request approval to temporarily activate administrator roles when required. IT administrators must manage activation of administrator roles. Administrators are prevented from performing higher risk actions when logged into administrator accounts. A limited number of Azure Active Directory Premium P2 licenses are required. |
| Patch operating systems: Fixes operating system security vulnerabilities. | | ✓ | | IT administrators must manage regular patching. If the organisation relies on unsupported operating systems, it may need to invest in upgrades or secure alternatives. |
| Multi-factor authentication: Prevents unauthorised access to systems and accounts. | | ✓ | | Users are required to provide at least two factors of authentication when certain conditions are met. |
| Regular backups: Allows restoration of data and settings after an incident. | | | ✓ | IT administrators must manage regular backups. The organisation may choose to purchase a commercial backup solution. |