IT Security for medium-sized businesses and enterprises in Australia

They can be further classified by criticality – essential, recommended, or advanced controls (in order of criticality).

Essential controls

Essential technology controls could start with the Australian Cyber Security Centre's Essential eight strategies (which could benefit any business worldwide), even at Maturity Level Zero. These include application control, patching, hardening, MS Office macro settings, restricting admin privileges, patching operating systems, configuring Multi-Factor Authentication, and backup data.

Other technology essentials are – endpoint protection (EPP), network firewalls, secure email gateway (SEG), and virtual private networks (VPN) with remote access management. Disaster Recovery (DR) configuration, strategy and procedure, and well-planned backup strategy are other strong points for businesses, especially with noticeable on-premises IT assets.

In terms of processes, it is vital to formalise IT Security policies, work procedures and guidelines. This will require respective user education, which focuses on People's IT Security awareness training, ideally with tests and simulations. Approval of IT Security policies by the CEO will also engage executive leadership support and get more compliance from all users.

It is hard to imagine any medium-sized business surviving in the modern threat landscape without having these essential controls implemented. Even if some of them are not in place or don't cover 100% of IT assets and users, it is a matter of time before a cybersecurity incident happens.

Recommended controls

Besides essentials, it is also recommended to invest in Data Leak Prevention (DLP), Secure Web-gateway (SWG), Cloud Access Security broker (CASB), and Vulnerability Management (VM) control. Processes could benefit from formalised Incident Response (IR) plan, periodic IT Security penetration tests, and third-party security assessments. Access to a professional Virtual Chief Information Security Manager (vCISO) is also a prudent measure.

These controls help to address more sophisticated threats or decrease the severity of incidents if they happen.

Advanced controls

If the business has a high-value and low-risk tolerance, more advanced IT Security controls would include Security Information and Event Management (SIEM), Managed Detection and Response (MDR) delivered by a Managed Security Services provider (MSSP), Encryption of data at rest, and Cloud Access Posture Management (CAPM), especially for cloud-hosted IT Assets.

An independent IT Security assessment conducted by a professional assessor could help highlight weak spots or define an IT Security strategy. Businesses can assess their IT Security posture against the most adopted Cyber Security frameworks, like ISO 27001 standard (Information Security Management System) or the National Institute of Standards and Technology (NIST - US department of commerce).

Suppose a business invests in the development of its own business applications or strongly depends on e-commerce operations. In that case, these assets should be respectively covered by their own Application and Web-sites security controls. However, these aspects are outside of the scope of this article.

Conclusion

As the closing remarks, IT Security is not a point-in-time static state but a journey, constantly reviewing all the threats mentioned above, controls, and challenges.

Once implemented, many of these controls require daily, monthly, quarterly, or annual operations, maintenance, and review. Delivered either by in-house staff or outsourced to contracted MSSP, IT Security is an aspect of survival for many modern businesses, and this trend is only increasing.

The adversaries need to succeed only once out of endless attempts, while security measures should always be on top of all threats. And as every business user now uses technologies, IT Security is everyone's responsibility.

Stay safe!