How to Protect Your Not-for-Profit with the Essential 8 Controls in 2024
Cyber security threats become more prevalent as Not-for-Profits increasingly rely on technology to manage their operations. Fortunately, the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), maintains a set of cyber security controls called the Essential 8 to help Australian businesses and nonprofits mitigate the most common cyber threats and operate more securely online.
In November 2023 the ASD updated the Essential 8 maturity model to better suit the current threat landscape and to shorten the time organisations have to respond to known risks. In this article, Zubair Khan, Bremmar’s Cyber Security Technical Consultant, explains what the Essential 8 controls are, how they work, why they benefit Not-for-Profits and how the changes make the controls even more useful.
The Essential 8
The framework defines a maturity model with four levels (Maturity Level 0 to 3), each stricter than the last. “By implementing these controls, human services organisations can significantly reduce their risk of becoming victims of cyber attacks”, explains Zubair. “Although the Essential 8 framework is not currently mandated for all organisations, it is highly recommended that nonprofits of all sizes implement at least Maturity Level 1 of the controls to start their cyber security journey”, he affirms. “The Essential 8 Maturity Level 2, on the other hand, is a mandatory requirement for all Australian non-corporate Commonwealth entities subject to the PGPA Act (as per PSPF Policy 10)”, he adds.
According to the Microsoft Digital Defense Report 2023, basic security hygiene, such as Multi-Factor Authentication (MFA), protects organisations against 99% of attacks. However, the controls only deliver that protection when they are applied consistently across the organisation and actually enforced; a control that covers some systems but not others leaves the gap an attacker will look for. “Having MFA on one application and not the other, for example, does not complete the control of implementing MFA”, explains Zubair.
According to the same report, fewer than 15% of non-governmental organisations have cyber security experts on their staff. That’s why partnerships with companies such as Bremmar, with more than 15 years of experience in the NFP sector, are critical to organisations trying to protect their data. The eight mitigation strategies are:
- Patch applications: applications must be updated with the latest security patches to fix any vulnerabilities attackers could exploit.
- Patch operating systems: operating systems must be updated with the latest security patches to fix any vulnerabilities attackers could exploit.
- Multi-factor authentication: users must provide more than one piece of evidence to verify their identity when accessing systems or online services.
- Restrict administrative privileges: organisations must limit the number of users with administrative rights on systems and ensure those rights are only used when necessary, not for day-to-day tasks such as email and web browsing.
- Application control: only approved programs are allowed to execute on systems (allowlisting), which blocks unapproved or malicious executables, scripts and installers.
- Restrict Microsoft Office macros: the use of macros in Microsoft Office documents is restricted (for example, blocked for files from the internet) to prevent malicious code from running on systems.
- User application hardening: web browsers, PDF viewers and office applications are configured to block or limit features that attackers commonly abuse, such as legacy scripting and browser plug-ins.
- Regular backups (formerly called “daily backups”): important data, software and configuration settings are backed up regularly, stored securely and tested so the organisation can recover after a cyber incident.
Changes to the Essential 8 in 2024
The Essential 8 controls were updated in November 2023, and organisations implementing them in 2024 need to account for those changes, which were released alongside the Australian Government’s new 2023-2030 Cyber Security Strategy (published in November 2023).
“The cyber security threat landscape is ever-evolving, and there are always more risks and attackers. As a countermeasure, the Australian Cyber Security Centre (ACSC) is continuously publishing changes and updates to improve the controls”, says Zubair.
Some of the recent changes tighten the MFA control: the factors used must now combine something you have with something you know, so two factors of the same type (two things you know, for instance) no longer satisfy it. “A mobile device plus a passphrase, for example, fits the control”, explains the consultant. “Another significant change is the frequency at which vulnerabilities must be addressed in the organisation”, he adds.
For Maturity Level 1, the window for patching vulnerabilities in high-risk software has shortened from one month to two weeks. In addition, according to the ASD, when a vendor assesses a vulnerability as critical – in applications or operating systems alike (e.g. it facilitates an authentication bypass that grants privileged access, or remote code execution without user interaction) – organisations should patch, update or otherwise mitigate it within 48 hours.
Swift action is critical in minimising the impact of security incidents. However, the consultant emphasises that organisations must, in parallel, create a roadmap to implement the controls properly. “Organisations should decide on which maturity level to aim for – the minimum being Maturity Level 1 for most – as it is also a commercial decision – the cost to maintain and implementation should be balanced against certain risk factors”, affirms Zubair.
These changes aim to improve the effectiveness and efficiency of the Essential 8 controls and align them with the six cyber shields the Australian Government intends to have in place by 2030:
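The two patching windows described above, applied to a constructed list of findings as an added example (illustrative code written for this article, not an ASD or Bremmar tool). It encodes only what the article states for Maturity Level 1: 48 hours when the vendor rates the vulnerability critical, otherwise two weeks. A second “previous” profile using a 30-day standard window (an assumption of this example, standing in for the old “one month”) is included only to show which findings flip from on-time to overdue under the November 2023 model. The tracking references `VULN-00x`, assets and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Patch windows cited in the article for Maturity Level 1 after the November 2023 update.
# The "previous" profile is an assumption of this example, used only for comparison.
WINDOWS = {
    "2023-11": {"critical": timedelta(hours=48), "standard": timedelta(days=14)},
    "previous": {"critical": timedelta(hours=48), "standard": timedelta(days=30)},
}

@dataclass
class Finding:
    asset: str
    ref: str                    # constructed tracking reference, not a real advisory identifier
    published: datetime         # when the vendor released the fix / advisory
    vendor_critical: bool       # vendor-rated critical: auth bypass to privileged access or unauthenticated RCE
    patched: Optional[datetime] = None

def deadline(f: Finding, model: str = "2023-11") -> datetime:
    w = WINDOWS[model]
    return f.published + (w["critical"] if f.vendor_critical else w["standard"])

def status(f: Finding, now: datetime, model: str = "2023-11") -> str:
    due = deadline(f, model)
    if f.patched is not None:
        return "patched on time" if f.patched <= due else "patched late"
    return "overdue" if now > due else "open"

def report(findings, now: datetime, model: str = "2023-11") -> dict:
    """Map each finding's reference to its status against the chosen patch-window profile."""
    return {f.ref: status(f, now, model) for f in findings}

def example_now() -> datetime:
    return datetime(2024, 3, 10, tzinfo=timezone.utc)

def constructed_findings():
    utc = timezone.utc
    return [
        Finding("browser-fleet", "VULN-001", datetime(2024, 2, 20, tzinfo=utc), False),
        Finding("mail-gateway", "VULN-002", datetime(2024, 3, 1, tzinfo=utc), True),
        Finding("pdf-reader", "VULN-003", datetime(2024, 3, 1, tzinfo=utc), False),
        Finding("office-suite", "VULN-004", datetime(2024, 2, 1, tzinfo=utc), False,
                patched=datetime(2024, 2, 20, tzinfo=utc)),
    ]

if __name__ == "__main__":
    for model in ("previous", "2023-11"):
        print(model, report(constructed_findings(), example_now(), model))
```

Run as a script, the output shows VULN-001 (published 20 February, unpatched on 10 March) as still open under the old one-month window but overdue under the two-week window, and VULN-004, patched after 19 days, moving from on time to late; the critical VULN-002 is overdue under both, since its 48-hour window is unchanged.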
1 – Strong businesses and citizens
Citizens and businesses are better protected from cyber threats and can recover quickly following a cyber attack.
2 – Safe technology
Australians can trust that their digital products and services are safe, secure and fit for purpose.
3 – World-class threat sharing and blocking
Australia has access to real-time threat data and can block threats at scale.
4 – Protected critical infrastructure
Australia’s critical infrastructure and essential government systems can withstand and bounce back from cyber attacks.
5 – Sovereign capabilities
Australia has a flourishing cyber industry, enabled by a diverse and professional cyber workforce.
6 – Resilient region and global leadership
Australia’s region is more cyber resilient and will prosper from the digital economy, continuing to uphold international law and norms and shape global rules and standards in line with its shared interests.
Implementing the Essential 8 controls brings many benefits to Not-for-Profits, and protecting the organisation’s reputation is one of the most important.
“The biggest risk to organisations is their reputation. Suppose an attacker gains access to the system and obtains notifiable data. In that case, the business must notify customers that it has been breached, which could damage their image and result in financial loss”, explains Zubair.
Following the controls results in:
- Improved security posture
- Enhanced compliance
- Increased customer trust
- Reduced costs and losses due to a cyber attack
To start their Cyber Security journey and implement the Essential 8 controls, Not-For-Profits can follow a few simple steps, such as assessing their current cyber security situation. Bremmar’s self-assessment tool can be a valuable resource, as organisations receive a report summarising their maturity level across all areas of the Essential 8 model.
“We can assist organisations in implementing and maintaining these controls. Our team has experience in each area and is focused on keeping up to date with changes from the ACSC while helping you achieve the maturity layer you need continuously”, says Zubair.