Essential Eight. This is what the Australian Government says you need to start with first.
https://www.cyber.gov.au/acsc/view-all-content/essential-eight/essential-eight-explained
https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model
5 Knows. This is a really good basic framework.
Basics
Know about this stuff:
Passwords
Phishing
Data Storage
Sharing Data
PCI Compliance
Access restriction
Principle of least privilege
Alerts for data changes
eg Email employee if their bank details change on the payroll system
Visibility
Logs
Protecting emails - eg having rules in place for money transfers, to guard against email hacking.
SPF / DMARC / DKIM
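The SPF / DMARC / DKIM line above is the one item on this list that is a concrete configuration you can check. The following is an added example (not from the page or from the ACSC) that reads the three TXT records for a domain and flags the weak settings that a small business most often leaves in place: an SPF record ending in ~all or +all, a DMARC policy of p=none with no reporting address, and a DKIM selector with an empty key. The DNS answers are a constructed in-memory table with placeholder domain names; lookup_txt() stands in for a real DNS query.

```python
"""Check SPF, DMARC and DKIM TXT records for weak settings.

Added example: the DNS answers below are constructed for illustration and
the domain names are placeholders, not real domains. In a real tool,
lookup_txt() would be replaced by an actual DNS TXT query.
"""
from __future__ import annotations

# Constructed sample TXT answers keyed by DNS name (placeholder domains).
SAMPLE_TXT = {
    "strong.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
    "sel1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEYBASE64"],
    "weak.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "sel1._domainkey.weak.example": ["v=DKIM1; k=rsa; p="],
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
DNS_QUERY_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name: str) -> list[str]:
    """Stand-in for a DNS TXT query; reads from the constructed table."""
    return SAMPLE_TXT.get(name.lower(), [])


def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain: str) -> list[str]:
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no record, receivers cannot tell which servers may send for this domain"]
    if len(records) > 1:
        return ["SPF: multiple v=spf1 records is invalid; receivers treat it as a permanent error"]
    terms = records[0].split()
    findings = []
    last = terms[-1].lower()
    if last == "-all":
        pass  # hard fail for unlisted senders: the setting you want
    elif last == "~all":
        findings.append("SPF: ends in ~all (softfail); tighten to -all once every sender is listed")
    elif last in ("+all", "?all", "all"):
        findings.append(f"SPF: ends in {last}, which lets any server send as the domain")
    else:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get an implicit neutral result")
    # Count lookup-costing terms; more than 10 makes receivers return permerror.
    lookups = sum(
        1 for t in terms[1:]
        if t.lstrip("+-~?").lower().split(":")[0].split("=")[0] in DNS_QUERY_TERMS
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceeds the limit of 10")
    return findings


def check_dmarc(domain: str) -> list[str]:
    records = [r for r in lookup_txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["DMARC: no record, so SPF/DKIM failures are neither enforced nor reported"]
    tags = parse_tags(records[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports look clean")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports to learn from")
    return findings


def check_dkim(domain: str, selector: str) -> list[str]:
    records = lookup_txt(f"{selector}._domainkey.{domain}")
    if not records:
        return ["DKIM: selector not published, so outbound mail cannot be verified"]
    tags = parse_tags(records[0])
    if not tags.get("p"):
        return ["DKIM: empty p= means the key is revoked; mail signed with it fails"]
    return []


def check_domain(domain: str, selector: str) -> dict[str, list[str]]:
    """Run all three checks; an empty list for a key means nothing to fix."""
    return {
        "spf": check_spf(domain),
        "dmarc": check_dmarc(domain),
        "dkim": check_dkim(domain, selector),
    }


if __name__ == "__main__":
    for dom in ("strong.example", "weak.example"):
        print(dom, check_domain(dom, "sel1"))
```

The two sample domains are set up so that one passes cleanly and the other trips every check; run it against your own domain by swapping lookup_txt() for a real resolver and you have a quick self-audit of the three records the list item names.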
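The "alerts for data changes" item above gives the payroll bank-details case as its example. Here is an added example (not from the page) of what that control looks like in code: it diffs an employee record before and after an edit, raises an alert only when a sensitive field changed, masks the values so the alert itself does not leak them, and sends the alert to the contact details that were on file before the change, since an attacker who is redirecting pay will often change the email address in the same edit. The employee records are constructed sample data and the notification is returned as a dict rather than actually sent.

```python
"""Alert an employee when sensitive payroll fields change.

Added example, not from the page: the records are constructed sample data
and build_alert() returns the message it would send instead of sending it.
"""
from __future__ import annotations

# Fields whose change should always trigger an out-of-band alert.
SENSITIVE_FIELDS = ("bank_bsb", "bank_account", "email", "phone")


def mask(value: object) -> str:
    """Keep only the last 3 characters so the alert is safe to email."""
    text = "" if value is None else str(value)
    return "*" * max(len(text) - 3, 0) + text[-3:]


def detect_sensitive_changes(before: dict, after: dict) -> list[dict]:
    """Return one entry per sensitive field whose value differs."""
    changes = []
    for field_name in SENSITIVE_FIELDS:
        if before.get(field_name) != after.get(field_name):
            changes.append({
                "field": field_name,
                "old": mask(before.get(field_name)),
                "new": mask(after.get(field_name)),
            })
    return changes


def build_alert(before: dict, after: dict, changed_by: str) -> dict | None:
    """Build the notification, or None if nothing sensitive changed."""
    changes = detect_sensitive_changes(before, after)
    if not changes:
        return None
    lines = [f"Payroll details for {before['name']} were changed by {changed_by}:"]
    for change in changes:
        lines.append(f"  {change['field']}: {change['old']} -> {change['new']}")
    lines.append("If you did not request this, phone payroll immediately.")
    # Deliver to the PRE-change address: if the email was changed too, the new
    # address may belong to whoever made the change.
    return {
        "to": before["email"],
        "subject": "Your payroll details were changed",
        "body": "\n".join(lines),
    }


# Constructed sample records: the edit changes the bank account and the email.
BEFORE = {"name": "A. Employee", "email": "a.employee@company.example",
          "phone": "0400000000", "bank_bsb": "000-000", "bank_account": "123456789",
          "job_title": "Analyst"}
AFTER = dict(BEFORE, bank_account="987654321", email="new.address@mail.example",
             job_title="Senior Analyst")

if __name__ == "__main__":
    alert = build_alert(BEFORE, AFTER, changed_by="hr-portal-user")
    print(alert["body"] if alert else "no sensitive change")
```

Note that the job title change is ignored: the point is to alert on the fields that move money or redirect communications, not on every edit, so that the alerts stay rare enough to be read.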
Many small businesses don't even know where to start reading and understanding the Essential Eight, though.
Thankfully the ACSC has some better content for Small Businesses, and ID Care have a Small Business Cyber Resilience package funded by the Australian Government which is quite good.
Pre-Steps
Don't even start with these steps unless your business email and document storage is in the cloud. I don't care if it's Microsoft 365 or GSuite, just get it off those servers in the back room.
If you don’t like OneDrive or Google Drive for all your documents (I use highly complex Word Documents and I don’t trust either cloud service to not stuff them up), then get Dropbox (Pro or Business) or Box.
...
Next Steps
Get a Password Manager
1Password Business or LastPass Enterprise. I don’t care which one, just get it.
Use your Password Manager
Every single business login needs to be in there.
Anything shared with your team or outside your team is only shared via the app.
I have both so my clients can share passwords with me via their app of choice.
Turn on 2 Factor Authentication for everything.
DO THIS NOW!
Yes, every app your business touches.
Eg Xero (now mandatory), Microsoft365, GSuite, Salesforce, Unleashed, Quickbooks, Twitter, Facebook
I like Authy, but it’s probably easiest to use the token generator in 1Password or LastPass. I would not use Microsoft or Salesforce specific ones unless needed (eg Salesforce needs to use theirs for Lightning Login).
I use a Yubikey for my most sensitive accounts - eg my GSuite, my M365, my Windows laptop, and my Salesforce.
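The token generators in Authy, 1Password and LastPass mentioned above all implement the same standard, TOTP (RFC 6238, built on HOTP from RFC 4226): the app and the service share a secret at enrolment, and each 30-second window the app computes an HMAC-SHA1 of the current time step and truncates it to six digits. The following is an added example (not from the page, nor from any of those products) that implements the generator and the matching server-side check; the secret is the RFC 6238 test secret in base32, so the codes can be compared against the published test vectors.

```python
"""Minimal TOTP (RFC 6238) generator and verifier.

Added example: shows what a password manager's token generator computes.
RFC_SECRET is the RFC 6238 test secret ("12345678901234567890") in base32.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time

RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret shown in a QR code; tolerate missing padding."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, at: int | None = None, step: int = 30, digits: int = 6) -> str:
    """Code for the time step containing Unix time `at` (default: now)."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int | None = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    to absorb clock drift, comparing in constant time."""
    if at is None:
        at = int(time.time())
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # With the RFC test secret, time 59 gives 287082 (RFC 6238 Appendix B, 6 digits).
    print("code at t=59:", totp(RFC_SECRET, 59))
    print("code now:    ", totp(RFC_SECRET))
```

The drift window is why a code still works for a short while after the clock ticks over, and it is also why a lost phone with the seed is as good as the password: the secret is all there is, which is the reason the post recommends keeping it inside the password manager or on a hardware key rather than on a device with no screen lock.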
Ensure the basics of Virus Protection, Malware Protection and Ransomware protection are on your devices.
Yes, that includes your Macs. Don’t risk your business on the myth that “Macs don’t get viruses”.
I use Microsoft Defender.
Your laptop does have a secure login, doesn't it?
I use Windows Hello but also have my Microsoft login behind MFA using a Yubikey device.
Your phone does have a secure login, doesn't it?
I use Android fingerprint login.
Next Steps
...
See my Small Business Cybersecurity Activation Plan for where to start on your journey to good cybersecurity for your Small Business.