Securing your business can be a complex task. Among the numerous security priorities and configuration options, it can be difficult to know where to begin. These guides adapt ASD's ACSC’s Essential Eight mitigation strategies and outline an example of how each can be implemented to secure Microsoft 365 capabilities. The technical examples are designed to offer significant protection against cyber incidents while remaining accessible to organisations with limited resources and cyber security expertise.
Adapting the Essential Eight for the cloud
The Essential Eight are designed to protect Microsoft Windows-based internet-connected networks. This guidance has used the principles of the Essential Eight and adapted them to environments using Microsoft 365. The guides use the principles of the Essential Eight to help organisations increase their cyber security, they are not designed to help an organisation reach a particular maturity level. Therefore organisations should consider these guides an adaptation of the Essential Eight, rather than a strict Essential Eight implementation.
Required subscriptions
The Small Business Cloud Security Guides are designed for organisations using a Microsoft 365 software as a service environment with devices configured with Microsoft Intune. The technical examples use low cost or free solutions where possible, however, many security configuration options are unavailable in entry level Microsoft 365 subscriptions. To follow these technical examples, an organisation will require subscriptions to Microsoft 365 Business Premium (or equivalent), this is the subscription tier where many of Microsoft’s security configuration options are introduced. A limited number of administrators will also require an Azure Active Directory Premium P2 subscription.
Required expertise
These guides are designed to be accessible to organisations with limited resources and cyber security expertise. Organisations should be capable of following the technical examples if they have an employee who is comfortable using Microsoft 365 admin portals. The technical examples should also be accessible to any organisation with the support of an IT Managed Service Provider. It may be appropriate to train staff on how to administer Microsoft 365 through their training website.
Required privileges
Administrator privileges are required to implement these guides. Each technical example lists the administrator privileges required to follow it.
Enable security defaults
These technical examples build upon Microsoft’s security defaults. Before you begin, enable security defaults in the Azure portal. Refer to Microsoft’s guidance for detailed instructions.
Enrol your devices in Intune
The technical examples in these guides use Mobile Device Management (MDM) to manage Windows endpoints. To follow these technical examples, all compatible devices must first be enrolled in an MDM. Microsoft has published guidance on enrolling Windows devices in Intune.
Adapt this guide to your organisation’s environment
There are several ways to secure Microsoft 365, the Technical Examples in these guides demonstrate just one approach. Every organisation will have unique factors to consider when determining their cyber security strategy. For example, their unique risk profile, operational needs and risk appetite. These guides are not intended to be prescriptive; organisations are encouraged to adapt them to meet their unique requirements. When considering your organisation’s unique requirements, be mindful of legislation that may apply to your industry. For example, there are obligations that have been legislated for organisations that deal with personally identifiable information and organisations in the critical infrastructure sector.
Adopt a risk-based approach
Your organisation’s cyber security strategy should be informed by its risk profile and appetite. Before you implement these guides, consider if they sufficiently mitigate the risks to your organisation and are compatible with your organisation’s operational requirements. Some parts of the guides may not be relevant to your organisation or may not be possible to implement in full. Some parts of the guides may also have an unacceptable impact on your organisation’s operations. If you are not able to implement the guides in full, consider what risks your organisation is willing to accept and what risks require mitigation through other compensating controls.
The Department of Industry, Science, Energy and Resources has developed a Cyber Security Assessment Tool that can assist organisations to consider their cyber security risks.
If your organisation requires other compensating controls, you can find further guidance on our website. Other compensating controls are listed in ASD's ACSC’s:
- Small Business Cyber Security Guide
- Exercise in a Box
- The Essential Eight
- Strategies to Mitigate Cyber Security Incidents
- Information Security Manual.
Technical example scope
The technical examples in these guides are focused on securing Microsoft 365 and Intune managed endpoints. Many organisations will use programs or platforms that are outside of the Microsoft ecosystem and the scope of these guides. In addition to implementing this guidance, consider what cyber security mitigation strategies are best suited to protect any other programs or platforms that your organisation uses. Many of the principles in these guides can be applied to other parts of an organisation’s IT environment. For example, multi-factor authentication, patching applications, patching operating systems and regular backups are widely applicable mitigation strategies.
While the Essential Eight provide significant protection against cyber incidents, they are not an exhaustive list of cyber security controls. For many organisations, these guides should be considered a starting point to securing Microsoft 365 capabilities that is built upon in line with organisational needs.
Note: The settings outlined in these guides may change from time to time, please consult Microsoft documentation for equivalent controls.
ASD's ACSC Business guidance breakdown
Businesses should implement cyber security mitigation strategies that are proportionate to their risk profile and risk appetite. ASD's ACSC has published guidance for businesses of varying sizes and with varying risk profiles. The table below summarises the target audience for ASD's ACSC’s flagship business guidance. Use this table to determine if the Small Business Cloud Security Guides are a good fit for your organisation, or if alternative guidance is more suitable.
| Guidance | Audience |
|---|---|
| Small Business Cyber Security Guide | Small businesses, particularly small businesses that have limited cyber security expertise and relatively low cyber security risks. |
| Small Business Cloud Security Guides | Small to Medium organisations that use software as a service capabilities or cloud-managed endpoints and are exposed to typical cyber security risks. |
| Essential Eight and Strategies to Mitigate Cyber Security Incidents | Organisations that use Microsoft Windows, internet-connected networks. Particularly large organisations or organisations of any size that have elevated cyber security risks. For example, organisations that store or process financial information or sensitive personal information. |
| Information Security Manual and Cloud Security Guidance | Large organisations and government departments. Particularly organisations that have elevated cyber security risks. For example, organisations that store or process financial information or sensitive personal information. |
| Hardening Microsoft Windows Workstations | Organisations that are aiming to increase their workstation protections or use Windows workstations that are not sufficiently covered via a cloud-based endpoint manager. |
Join our Partnership Program
Also consider joining our Partnership Program. ASD's ACSC Partnership Program enables Australian organisations and individuals to engage with ASD's ACSC and fellow partners, drawing on collective understanding, experience, skills and capability to lift cyber resilience across the Australian economy.