
Top 10 Questions to Ask Your IT Provider to Ensure the Essential 8 is Implemented Properly
25 Oct 2023

With the risk of cyberattacks on the rise for Australian businesses, the Australian Cyber Security Centre (ACSC) has developed a set of mitigation strategies to help organisations protect their data, systems, accounts, and devices. These strategies are known as the Essential Eight, and the ACSC recommends them as a baseline for building cyber resilience in your business.
Here are 10 questions to ask your IT provider or Managed Service Provider (MSP) to check that the Essential Eight strategies are being implemented effectively.
1. Do You Understand My Threat Environment?
To identify and manage your cybersecurity risks, your MSP needs to understand the threats facing your organisation’s systems and operations. As a first step, your IT provider should identify points of weakness in your organisation and consider the methods cybercriminals use to gain access to systems and devices, such as malware, credential theft, and phishing. This is achieved through a threat assessment tailored to your business, combined with active vulnerability management. Vulnerability management in particular is the focus of two of the Essential Eight strategies, Patch Applications and Patch Operating Systems, which set out how quickly vulnerabilities must be patched or mitigated based on their severity.
2. How Are You Recording the Effectiveness Of Controls Implemented?
Once your IT provider has implemented the Essential Eight, they need to verify that the controls are working effectively across your organisation, not just that they were configured once. We usually refer to this as an ‘Assurance Program’. It involves testing a sample of controls at regular intervals, so that over time the business has evidence that every control is implemented as expected. If a control is assessed as ‘ineffective’, it must either be fixed or a compensating control must be implemented that still meets the requirements of the target maturity level. Ask to see the test results, not just a statement that the controls are in place. If your MSP is actively using the de.iterate platform, this should all be taken care of.
3. How Will You Ensure Ongoing Monitoring of Controls?
One of the biggest challenges with the Essential Eight is that a point-in-time implementation cannot keep up with the speed at which cyber threats and attacker techniques evolve. Maintaining your maturity level requires ongoing monitoring of the controls and updating of security measures in response to new and emerging risks, as well as re-assessment whenever the ACSC revises the maturity model. Again, if your MSP is actively using the de.iterate platform, this should all be taken care of.
4. Do You have Sufficient Visibility Over Systems and Services?
Poor visibility of the activity occurring on its systems is a major obstacle for any organisation trying to improve its cybersecurity posture. It’s important that your IT provider is logging your systems and services and actually reviewing those logs, so they can detect and respond to attacks rather than discover them after the fact. The logs should be collected centrally and protected from modification or deletion, since an attacker with access to a host will often try to clear the local evidence. Note that ‘logging’ is specifically required in four of the Essential Eight control domains.
5. Have You Recorded What Data We Hold and Where It Is Stored?
Your organisation’s data is its most valuable asset. To meet the Essential Eight effectively, your IT provider should know what data matters to your organisation and where it is stored. They should also know which data is categorised as sensitive and which is not, so they can advise you on appropriate multi-factor authentication coverage and on which data must be included in regular, tested backups.
6. Which Essential Eight Maturity Level is right for us?
To guide implementation of the Essential Eight, the ACSC has developed the Essential Eight Maturity Model. It defines four maturity levels, from Maturity Level Zero (significant weaknesses present) through Maturity Level Three, and each of Levels One to Three specifies increasingly strict requirements for every one of the eight strategies. Your IT provider should use this model to understand your organisation’s risk profile and agree with you on which target level is right for your business. Note that a maturity level is only achieved when all eight strategies meet that level, so an organisation is rated at its weakest strategy.
7. Have You Identified Which Essential Eight Strategies Are Applicable?
While the Essential Eight is designed to help organisations improve their cybersecurity posture, it is limited in scope: as a standardised baseline, the framework may not align with the specific needs and risk profile of your business. What’s more, the strategies were designed for Microsoft Windows-based, internet-connected networks and may not apply directly to other operating environments. By determining which strategies are not applicable to your organisation, your IT provider can focus their effort on the areas that matter and implement alternative controls where necessary.
8. Are Systems and Applications Being Securely Administered?
Your IT provider holds privileged access with the ability to make significant changes to your operating systems and applications, which makes their accounts a prime target for cybercriminals. That’s why it’s crucial that these privileged accounts are managed securely and in line with ACSC guidance under the Restrict Administrative Privileges strategy: separate accounts for administrative tasks, no internet, email, or web browsing from privileged accounts, access granted only on request and revalidated regularly, and privileged actions logged.
9. Do You Need Any Additional Resources or Support?
Your IT provider will need sufficient time, expertise, budget, and resources to implement the controls associated with each of the Essential Eight strategies, and this can be particularly challenging for smaller businesses. If your organisation lacks automation, there will also be a lot of time-consuming manual effort involved. In addition, the IT team may meet resistance from employees to changes that affect their daily workflows, so you may need to provide extra support to overcome these barriers.
10. What is your Cyber Response Playbook, and What Scenarios Does it Cover?
The main objective of the Essential Eight strategies, taken together, is to prevent a cybersecurity incident from occurring. However, if an attack does succeed, your IT provider needs a well-rehearsed incident response plan, because they will have to make critical decisions under significant time pressure. It is equally important that you understand your own role within that plan, so it’s best practice to walk everyone involved through it in advance, ideally by exercising realistic scenarios such as ransomware or a compromised account. Effective preparation for a cyberattack can make a huge difference in limiting its impact.
© Secureroo Pty Ltd, 2021-2023