Strategies to Mitigate Cyber Security Incidents
According to the latest Notifiable Data Breaches Report, 483 data breaches were notified from July to December 2023, up by 19% from the number of notified breaches from January to June 2023. Over 60% of these breaches were due to cyberattacks made by malicious actors.
Australian businesses are no strangers to cyber threats. Small business owners and enterprises across the country have been targeted by threat actors, causing the government to take proactive measures to boost digital security. This article explores Australia’s Strategies to Mitigate Cyber Security Incidents.
ASD’s “Strategies to Mitigate Cyber Security Incidents”
To protect organisations from cyberattacks, the Australian Signals Directorate (ASD) has taken a proactive approach to threat management. They’ve developed prioritised mitigation strategies contained in the document “Strategies to Mitigate Cyber Security Incidents” to address targeted cyber intrusions, ransomware, malicious insiders, and other digital threats.
There are 37 mitigation strategies divided into five main categories with different effectiveness ratings. The categories are:
- To prevent malware delivery and execution
- To limit the extent of cyber security incidents
- To detect security incidents and respond
- To recover data and system availability
- To prevent malicious insiders
Each strategy under these categories is rated “Essential”, “Excellent”, “Very Good”, “Good”, or “Limited”. The rating reflects the strategy’s relative effectiveness and its importance to an organisation’s cyber defence, and is meant to guide users in prioritising what to implement first.
The strategies were first published in 2010 and have been updated regularly to reflect the evolving threat landscape. However, the document only provides a baseline for digital security, and organisations are encouraged to adopt further measures to complement these mitigation strategies.
Introducing the Essential Eight
In ASD’s advisory, eight “Essential” mitigation strategies are considered foundational in building a highly effective baseline for defending against security threats. These Essential Eight strategies focus on proactive measures to reduce vulnerabilities and limit potential attack vectors.
ASD recommends starting with these eight strategies as you build your organisation’s cyber defence. The organisational impact of each strategy is rated as low, medium, or high in terms of potential user resistance, upfront costs, and ongoing maintenance. These ratings are intended to help you anticipate the preparations needed as you implement these mitigation strategies.
The Essential Eight is written for Microsoft Windows-based internet-connected networks, although the same principles apply to other platforms and operating systems. There is no independent third-party body that certifies an organisation’s implementation of these strategies. However, to meet other external regulatory requirements, you will often find that implementing them is required anyway.
Mitigation Strategies to Prevent Cyber Security Incidents
These strategies are part of the category “to prevent malware delivery and execution”. Ransomware, a type of malware, is consistently ranked as one of the top cyber incidents affecting organisations worldwide. Threat actors use social engineering to trick unaware users into opening an email attachment or clicking a link, which is then used to deliver malware to a system.
This launches a cyber-attack where the malware exploits system vulnerabilities either to wreak havoc in the system or to obtain confidential and sensitive data. Preventing these attacks is the focus of the following strategies.
1. Application Whitelisting
This strategy, which ASD now refers to as application control, ensures only authorised applications can execute on the organisation’s systems. It involves enforcing rules over which applications may run and preventing other executable content, such as software libraries, scripts, and installers, from running on workstations.
The strategy’s goal is to prevent the execution of any unapproved (and potentially malicious) programs. It’s expected to have high upfront costs since you’d have to invest in IT staff, software, and hardware to execute it. It’s also likely to meet potential user resistance, and you’d also have to consider some ongoing maintenance costs.
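To make the allow-by-default versus deny-by-default distinction concrete, here is a small Python model of application-control decisions. It is an added illustration, not code from ASD or ProtectCyber; real enforcement on Windows is done by AppLocker or Windows Defender Application Control, and the sample files, paths and policy below are constructed for the demonstration.

```python
"""
Application-control decision logic (added illustration, not ASD's or
ProtectCyber's code). Models the rule semantics AppLocker and WDAC share:
explicit deny beats allow, allow by file hash or by a path that standard
users cannot write to, and default deny for everything else.
"""
import hashlib
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Executable content the strategy covers: programs, libraries, scripts, installers.
CONTROLLED_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".js", ".msi"}


@dataclass
class Policy:
    allowed_hashes: set = field(default_factory=set)   # SHA-256 of approved files
    trusted_dirs: list = field(default_factory=list)   # admin-only install locations
    denied_dirs: list = field(default_factory=list)    # user-writable drop locations


def _under(path, dirs):
    p = PurePosixPath(path)
    return any(p.is_relative_to(PurePosixPath(d)) for d in dirs)


def decide(policy, path, content):
    """Return (verdict, reason) for a request to execute `content` located at `path`."""
    if PurePosixPath(path).suffix.lower() not in CONTROLLED_EXTENSIONS:
        return "allow", "not an executable type covered by the policy"
    # 1. Deny rules win even when a hash or path rule would allow the file.
    if _under(path, policy.denied_dirs):
        return "deny", "executing from a user-writable location"
    # 2. Hash rules survive renames and moves; they must be refreshed on every approved release.
    digest = hashlib.sha256(content).hexdigest()
    if digest in policy.allowed_hashes:
        return "allow", "matches approved hash " + digest[:12]
    # 3. Path rules are only safe for directories standard users cannot write to.
    if _under(path, policy.trusted_dirs):
        return "allow", "located under a trusted path"
    # 4. Default deny: unknown programs, malware included, never run.
    return "deny", "no matching allow rule"


def evaluate(policy, requests):
    """Apply the policy to a list of (path, content) pairs; returns {path: verdict}."""
    return {path: decide(policy, path, content)[0] for path, content in requests}


# --- constructed sample data (not real binaries) -----------------------------
APPROVED_SCRIPT = b"Write-Host 'approved build script'\n"
VENDOR_APP = b"MZ\x90\x00 vendor application bytes"
UNKNOWN_BINARY = b"MZ\x90\x00 dropped by a phishing attachment"

SAMPLE_POLICY = Policy(
    allowed_hashes={hashlib.sha256(APPROVED_SCRIPT).hexdigest()},
    trusted_dirs=["/Program Files", "/Windows"],
    denied_dirs=["/Users/alice/AppData/Local/Temp", "/Users/alice/Downloads"],
)

SAMPLE_REQUESTS = [
    ("/Program Files/Vendor/app.exe", VENDOR_APP),                   # allow: trusted path
    ("/Users/alice/Documents/build.ps1", APPROVED_SCRIPT),           # allow: hash rule
    ("/Users/alice/Downloads/invoice.exe", UNKNOWN_BINARY),          # deny: denied directory
    ("/Users/alice/AppData/Local/Temp/build.ps1", APPROVED_SCRIPT),  # deny: deny beats hash
    ("/Users/alice/Documents/setup.msi", VENDOR_APP),                # deny: default deny
    ("/Users/alice/Documents/notes.txt", b"meeting notes"),          # allow: not controlled
]

if __name__ == "__main__":
    for path, verdict in evaluate(SAMPLE_POLICY, SAMPLE_REQUESTS).items():
        print(f"{verdict:5} {path}")
```

The fourth request is the one worth studying: an approved script is still refused when it is launched from a temp directory, because a path rule that allowed a user-writable location would let any user, or any malware running as that user, bypass the control by dropping a file there.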
2. Patch Applications
Vendors regularly release patches to fix security flaws, whether or not attackers have already discovered them. Patch management involves applying these patches promptly to keep systems secure. It requires scanning systems for security vulnerabilities, following the recommended timeframes for applying patches, and removing applications that vendors no longer support, since no patches will ever be released for them.
Since the process is usually automated, there’s a low potential for user resistance. However, it can entail high upfront and ongoing maintenance costs since you need the team and software to frequently scan and apply patches.
3. Configure Microsoft Office Macro Settings
Microsoft Office applications allow users to automate routine tasks using macros. A macro is a sequence of commands and instructions grouped so it can run as a single command. However, an attacker can embed malicious code in a macro as part of a targeted cyber intrusion, gaining unauthorised remote access to a system and its sensitive information.
By default, macros, and in particular macros in files downloaded from the internet, must be blocked unless there is a demonstrated business requirement for them. Where they are allowed, they must be digitally signed with a trusted certificate or run only from trusted locations to which write access is limited.
Macros created by employees must be reviewed by independent parties before deploying them within the organisation. While macros are useful tools, businesses must strike a balance between productivity and security.
This strategy has a medium organisational impact in terms of potential user resistance, upfront costs, and ongoing maintenance costs.
4. User Application Hardening
All unnecessary features in Microsoft Office, web browsers, and PDF viewers must be disabled. Web browsers should be configured to block Flash (ideally, uninstall it altogether), advertisements, and Java. Adversaries are known to compromise workstations through Java applications, malicious websites, malicious email attachments, and removable media. Hardening these applications reduces the risk of infection from such attempts.
This strategy is expected to have a medium organisational impact when it comes to user resistance and upfront and ongoing maintenance costs.
Mitigation Strategies to Restrict Access in Case of Cyber Security Incident
Cyberattacks can’t be prevented all the time, and when they happen, companies can reduce their impact by limiting their reach. The following strategies are intended to reduce the extent of various cyber threats and security incidents.
1. Restrict Administrative Privileges
Administrative privileges should be granted only to a small number of selected people. These privileges include full file access, the ability to make significant configuration changes to operating systems and applications, bypassing critical security settings, and accessing sensitive information.
Because of this power, a compromised administrator credential lets an attacker do extensive damage to an organisation. Restricting administrative privileges limits what malware running under an ordinary user account can do and reduces the chances of threat actors obtaining these coveted credentials.
Practical steps to implement this strategy include validating every request for privileged access, preventing privileged accounts from browsing the web or reading email, and using separate operating environments for privileged and unprivileged activities.
2. Patch Operating Systems
The goal of this strategy is to keep operating systems updated so that everyone in the organisation is running a current, vendor-supported version. Patches must be deployed within 48 hours for high-risk vulnerabilities and within two weeks for medium-risk ones, counted from the vendor’s release.
Patch deployment is largely automated, so the impact on user resistance should be low. However, because operating system patches are released frequently, the impact on ongoing maintenance costs is expected to be high.
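The timeframes above, together with the earlier point under “Patch Applications” about software that vendors no longer support, can be checked mechanically against a patch inventory. The following Python script is an added example, not ASD’s or ProtectCyber’s code. It assumes a constructed inventory in the shape a scanner export would give; the 48-hour and two-week windows are the ones quoted in this article, and treating low-risk items the same as medium-risk ones is an assumption of the example.

```python
"""
Patch-timeframe compliance check (added example, not ASD's or
ProtectCyber's code). Applies 48 hours for high-risk and two weeks for
other vulnerabilities, measured from the vendor's patch release, and
separately flags software the vendor no longer supports, which patching
can never bring into compliance.
"""
from datetime import datetime, timedelta, timezone

# Assumption: low-risk items use the same two-week window as medium-risk ones.
DEADLINES = {
    "high": timedelta(hours=48),
    "medium": timedelta(days=14),
    "low": timedelta(days=14),
}


def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as '2024-03-09T00:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


def assess(record, now):
    """Classify one inventory record; returns (status, detail)."""
    if not record["vendor_supported"]:
        return "unsupported", "no patch will ever ship; remove or replace"
    deadline = _ts(record["patch_released"]) + DEADLINES[record["severity"]]
    if record["patched_on"] is not None:
        applied = _ts(record["patched_on"])
        if applied <= deadline:
            return "patched", "applied within the timeframe"
        late = applied - deadline
        return "patched-late", f"applied {late.total_seconds() / 3600:.0f}h after the deadline"
    if now > deadline:
        overdue = now - deadline
        return "overdue", f"{overdue.total_seconds() / 3600:.0f}h past the deadline"
    remaining = deadline - now
    return "pending", f"{remaining.total_seconds() / 3600:.0f}h remaining"


def report(inventory, now):
    """Return {(host, package): (status, detail)} for every record."""
    return {(r["host"], r["package"]): assess(r, now) for r in inventory}


def open_items(results):
    """Records that currently fail the strategy: overdue first, then unsupported."""
    order = {"overdue": 0, "unsupported": 1}
    return sorted(
        (k for k, (status, _) in results.items() if status in order),
        key=lambda k: (order[results[k][0]], k),
    )


# --- constructed sample inventory (hosts, packages and dates are invented) ---
NOW = _ts("2024-03-10T12:00Z")
INVENTORY = [
    {"host": "ws-01", "package": "browser", "severity": "high",
     "patch_released": "2024-03-09T00:00Z", "patched_on": None, "vendor_supported": True},
    {"host": "ws-02", "package": "office-suite", "severity": "high",
     "patch_released": "2024-03-06T00:00Z", "patched_on": None, "vendor_supported": True},
    {"host": "srv-01", "package": "pdf-viewer", "severity": "medium",
     "patch_released": "2024-02-20T00:00Z", "patched_on": None, "vendor_supported": True},
    {"host": "srv-02", "package": "kernel", "severity": "high",
     "patch_released": "2024-03-01T00:00Z", "patched_on": "2024-03-02T10:00Z", "vendor_supported": True},
    {"host": "ws-03", "package": "browser", "severity": "medium",
     "patch_released": "2024-03-05T00:00Z", "patched_on": "2024-03-08T00:00Z", "vendor_supported": True},
    {"host": "srv-03", "package": "legacy-erp", "severity": "medium",
     "patch_released": "2023-11-01T00:00Z", "patched_on": None, "vendor_supported": False},
    {"host": "ws-04", "package": "pdf-viewer", "severity": "high",
     "patch_released": "2024-03-01T00:00Z", "patched_on": "2024-03-05T00:00Z", "vendor_supported": True},
]

if __name__ == "__main__":
    results = report(INVENTORY, NOW)
    for key, (status, detail) in results.items():
        print(f"{status:13} {key[0]}/{key[1]}: {detail}")
    print("needs action:", open_items(results))
```

Two details matter in practice: the clock starts at the vendor’s release, not at the day your team noticed the advisory, and “patched-late” items are still worth reporting, because a pattern of late patching is what an auditor or an attacker will both notice.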
3. Multi-factor Authentication (MFA)
Multi-factor authentication (MFA) makes it harder for cyber criminals to access a device or network, since they have to pass several authentication steps, such as a password, a one-time password (OTP), or a biometric. Even if a password is stolen, an attacker cannot use it on its own to log in and carry out further malicious activity.
MFA must be required for all users who access internet-facing services, including remote users and administrators, who are particularly attractive targets. Setting up this strategy is expected to have a high impact on the organisation’s upfront costs.
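The one-time password factor mentioned above is usually a time-based OTP (TOTP) generated by an authenticator app. The following Python implementation is an added example, not ASD’s or ProtectCyber’s code. It shows how the code is derived from a shared secret and the current 30-second time step, and what a server must do to verify it safely: compare in constant time, tolerate a little clock drift, and never accept the same code twice. The reference key is the one from the RFC 6238 test vectors.

```python
"""
Time-based one-time passwords, RFC 6238 over RFC 4226 HOTP (added example,
not ASD's or ProtectCyber's code). Covers enrolment (base32 secret, as
authenticator apps expect), code generation, and replay-safe verification.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30


def hotp(key, counter, digits=6):
    """RFC 4226: dynamically truncate HMAC-SHA1(key, counter) to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at_time, digits=6, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(key, int(at_time) // step, digits)


def enrol_secret(raw_key):
    """Encode the raw key the way enrolment QR codes carry it (base32)."""
    return base64.b32encode(raw_key).decode()


def decode_secret(b32):
    return base64.b32decode(b32.upper())


class TotpVerifier:
    """Server-side check: constant-time compare, +/- `window` steps of clock drift,
    and each time step accepted at most once, so a captured code cannot be replayed."""

    def __init__(self, b32_secret, window=1, digits=6):
        self.key = decode_secret(b32_secret)
        self.window = window
        self.digits = digits
        self.used_steps = set()   # in production this lives in the user's record

    def verify(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        current = int(at_time) // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step in self.used_steps:
                continue  # already consumed: a valid code here is a replay
            if hmac.compare_digest(hotp(self.key, step, self.digits), code):
                self.used_steps.add(step)
                return True
        return False


# RFC 6238 reference key: the ASCII string "12345678901234567890" (test vector, not a real secret)
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    secret = enrol_secret(RFC_TEST_KEY)
    print("enrolment secret:", secret)
    print("code at T=59 (8 digits):", totp(RFC_TEST_KEY, 59, digits=8))
    v = TotpVerifier(secret, digits=8)
    print("first use accepted:", v.verify("94287082", at_time=59))
    print("replay accepted:", v.verify("94287082", at_time=59))
```

The two `verify` calls at the end are the point of the example: the same valid code is accepted once and refused the second time. Phishing kits that relay OTPs in real time still defeat TOTP, which is why ASD favours phishing-resistant factors for higher maturity levels; the replay check only closes the cheaper attack of reusing a captured code.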
Mitigation Strategies to Recover Organisation’s Existing Systems
In the event of a successful security attack, organisations must have an effective system in place to recover data immediately and restore system availability. Under the category “to recover data and system availability”, the following is considered an essential strategy:
Daily Backups
Important data, software and configuration settings must be backed up daily so they can be restored promptly after a cyber security incident. Backup frequency and retention should be set according to business continuity requirements, and restoration from backups should be tested regularly. Access to backups must also be restricted so that ordinary users, and any malware running under their accounts, cannot modify or delete them.
This strategy can have a high impact on upfront and maintenance costs, but it isn’t expected to cause user resistance since it can be largely automated.
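A backup that has never been restored is an assumption rather than a control. The following Python script, added as an example and not ASD’s or ProtectCyber’s code, walks through a daily backup job the way the strategy describes it: copy the data, record a SHA-256 manifest, make the copy read-only, restore it elsewhere and confirm the restored files match, then show the manifest catching a backup file that was modified afterwards. The sample files are constructed in a temporary directory.

```python
"""
Backup, integrity check and restore test (added example, not ASD's or
ProtectCyber's code). Writes a copy with a SHA-256 manifest, makes the copy
read-only, restores it and verifies every hash on the way back.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source, dest):
    """Copy `source` into `dest`, write a hash manifest, then make the copy read-only."""
    source, dest = Path(source), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = _sha256(target)
        os.chmod(target, 0o444)   # least privilege: nothing should rewrite a backup
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    os.chmod(dest / MANIFEST, 0o444)
    return manifest


def verify(dest):
    """Return the files whose current hash differs from the manifest (empty list = intact)."""
    dest = Path(dest)
    manifest = json.loads((dest / MANIFEST).read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or _sha256(dest / rel) != digest]


def restore(dest, target):
    """Restore into `target` only if the backup verifies; returns the number of files restored."""
    bad = verify(dest)
    if bad:
        raise ValueError(f"backup failed integrity check: {bad}")
    dest, target = Path(dest), Path(target)
    manifest = json.loads((dest / MANIFEST).read_text())
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy(dest / rel, out)
        os.chmod(out, 0o644)
    return len(manifest)


def restore_test(source, dest, target):
    """The check a daily backup job should end with: restored data equals the original."""
    restore(dest, target)
    source, target = Path(source), Path(target)
    originals = {p.relative_to(source).as_posix(): _sha256(p) for p in source.rglob("*") if p.is_file()}
    restored = {p.relative_to(target).as_posix(): _sha256(p) for p in target.rglob("*") if p.is_file()}
    return originals == restored


def demo():
    """Run the workflow on constructed data; returns (restore_ok, tampered_files, restore_refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst, rst = Path(tmp, "live"), Path(tmp, "backup"), Path(tmp, "restored")
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.ini").write_text("[db]\nhost=db01\n")   # constructed sample
        (src / "customers.csv").write_text("id,name\n1,Alice\n")       # constructed sample
        backup(src, dst)
        restore_ok = restore_test(src, dst, rst)
        # Simulate an attacker (or ransomware) that gained write access to the backup store.
        victim = dst / "customers.csv"
        os.chmod(victim, 0o644)
        victim.write_text("id,name\n1,ENCRYPTED\n")
        tampered = verify(dst)
        try:
            restore(dst, Path(tmp, "restored-again"))
            restore_refused = False
        except ValueError:
            restore_refused = True
        return restore_ok, tampered, restore_refused


if __name__ == "__main__":
    ok, bad, refused = demo()
    print("restore test passed:", ok)
    print("files failing integrity check:", bad)
    print("restore of tampered backup refused:", refused)
```

Making the copy read-only only protects against accidents and against unprivileged processes on the same host; a real implementation keeps the manifest and at least one copy of the backup somewhere the production environment cannot write at all (offline, or online but non-rewritable), which is what the access restriction in the strategy is about.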
The Essential Eight Maturity Model (E8MM)
The Australian Cyber Security Centre (ACSC) defined four maturity levels for each Essential Eight strategy to assist organisations in implementing it. Each level is defined in terms of the adversary tradecraft and targeting it is designed to mitigate. Understanding where your organisation falls will help you understand your risk profile and properly implement the Essential Eight mitigation strategies.
The maturity levels are:
- Level Zero – the weakest level; the organisation has not effectively implemented the mitigation strategies, making it an easy target for adversaries
- Level One – the foundational level because some mitigation strategies are implemented although they’re incomplete, insufficient, or inconsistent
- Level Two – most of the mitigation strategies have been implemented, but there’s still room for improvement
- Level Three – highest maturity level where all Essential Eight mitigation strategies are fully implemented, giving organisations a strong cybersecurity posture
The Essential Eight strategies are complementary, so organisations should plan to bring all eight to the same maturity level before progressing to the next one. To decide which maturity level to aim for, assess how attractive your organisation is to cyber attackers and the level of tradecraft they are likely to use against it.
Small businesses with low-risk profiles can aim for Level One Maturity, while enterprises with high-risk profiles should strive for Level Three Maturity.
Other Strategies to Mitigate Cyber Security Incidents
Aside from the Essential Eight strategies, the 29 other mitigation strategies carry Excellent, Very Good, Good, or Limited ratings. These ratings indicate the effectiveness of each mitigation strategy and determine its implementation priority. The ACSC recommends starting with the threats the organisation is most concerned about.
Essential strategies are always implemented first, followed by Excellent strategies. The step is repeated using the less effective mitigation strategies until an acceptable residual risk level is attained.
These are the other strategies categorised by the risk mitigated.
Category: To prevent malware delivery and execution
This category focuses on preventing the initial delivery and execution of malware. There are 17 strategies under this category, including the four essential ones mentioned above.
Excellent Rating
- Automated dynamic analysis of email and web content run in a sandbox
- Email content filtering
- Web content filtering
- Deny corporate computers direct internet connectivity
- Operating system generic exploit mitigation
Very Good Rating
- Server application hardening
- Operating system hardening
- Antivirus software using heuristics and reputation ratings
- Control removable storage media and connected devices
- Block spoofed emails
Good Rating
- User education
Limited Rating
- Antivirus software with up-to-date signatures
- TLS encryption between email servers
Category: To limit the extent of cyber security incidents
The strategies under this category aim to reduce the impact and minimise the damage of a cybersecurity incident in case it happens. It restricts how far an attacker can move within the network after successfully breaching it. There are 10 mitigation strategies within this category, with 3 considered as essential.
Excellent Rating
- Disable local administrator accounts
- Network segmentation
- Protect authentication credentials
Very Good Rating
- Non-persistent virtualised sandboxed environment
- Software-based application firewall, blocking incoming network traffic
- Software-based application firewall, blocking outgoing network traffic
- Outbound web and email data loss prevention
Category: To detect cyber security incidents and respond
The following mitigation strategies are designed to detect cybersecurity incidents promptly so organisations can effectively respond and minimise the impact of a potential breach.
Excellent Rating
- Continuous incident detection and response
Very Good Rating
- Host-based intrusion detection/prevention system
- Endpoint detection and response software
- Hunt to discover incidents
Limited Rating
- Network-based intrusion detection/prevention system
- Capture network traffic
Category: To recover data and system availability
These mitigation strategies are critical for ensuring system recovery in the event of a cyberattack. They are designed to minimise data loss and restore essential business functions quickly. One of the mitigation strategies under this category is considered essential.
Very Good Rating
- Business continuity and disaster recovery plans
- System recovery capabilities
Category: To prevent malicious insiders
Finally, ASD suggests that organisations adopt a personnel management strategy to reduce the risk of insider attacks.
Very Good Rating
- Personnel management
Implement These Mitigation Strategies with Proper Security Awareness Training
Employee security awareness is a major factor in ensuring these mitigation strategies are implemented properly and achieve their intended goals. Employees are the first line of defence against cyber threats, and equipping them with the right knowledge makes them the company’s allies in maintaining a strong cybersecurity posture.
Talk to an expert and explore our available security training workshops so you can start educating your workforce today.
About the author
ProtectCyber is a leading Australian cyber security firm dedicated to safeguarding businesses and individuals from digital threats. Our expert team, with decades of combined experience in the field, provides insights and practical advice on staying secure in an increasingly connected world. Learn more about our mission and team on our About Us page.