The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help organisations prevent and limit cyber security incidents caused by a range of cyber threats. These can be used by any organisation and are published as Strategies to Mitigate Cyber Security Incidents. They are supported by the companion publication Strategies to Mitigate Cyber Security Incidents: Mitigation Details, which sets out implementation guidance for each mitigation strategy and addresses specific threats such as business email compromise and attacks on industrial control systems.
The companion Essential Eight Maturity Model publication, updated in November 2023, explains how to implement the mitigation strategies in a practical, phased way and how to measure the maturity of their implementation. ASD's website also provides actionable supporting guidance in the Information Security Manual, along with separate guidance on mitigating denial-of-service attacks and on securely using cloud computing and enterprise mobility. A suite of publications covers specific controls in more detail, including:
- Patching Applications and Operating Systems;
- Implementing Multi-Factor Authentication;
- Restricting Administrator Privileges;
- Implementing Application Control; and
- Restricting Microsoft Office Macros.
Governance is critical to robust cyber security, and ASD publishes additional guidance for business and government, including:
- Ten Things to Know About Data Security;
- Practical Cyber Security Tips for Leaders; and
- Questions for Boards to Ask About Cyber Security.
With the proposed Cyber Security Act on the horizon, alongside existing regulatory requirements, it is essential that organisations understand which legislative and regulatory obligations apply to their data and information. Depending on your organisation's sector, you may be subject to the Security of Critical Infrastructure Act 2018.
Customer and employee personal information that your organisation collects or produces may be subject to a range of regulatory requirements, including record-keeping and archival requirements as well as financial, privacy and taxation requirements. This includes protecting personal information under the Privacy Act 1988 and the Australian Privacy Principles. Depending on where your business operates and where your customers are located, you may also be subject to privacy regulation in other jurisdictions, such as the EU's General Data Protection Regulation.
In the event of a cyber security incident, you may also have obligations to notify one or more regulators, depending on your organisation's sector. Entities subject to the Privacy Act 1988 and the Notifiable Data Breaches scheme must notify the Office of the Australian Information Commissioner and affected individuals when an eligible data breach of personal information has occurred. In addition, the proposed Cyber Security Act introduces a mandatory reporting obligation where a ransomware payment is made in response to a demand, with reports going to the Australian Signals Directorate (ASD) and its Australian Cyber Security Centre (ACSC).