Exploitation of software vulnerabilities or weaknesses are one of the most common methods of delivering a cyber-attack, and the ACSC indicates cybercriminals will often do so within 48 hours of a vulnerability being made public. Regularly updating software and infrastructure is one of the easiest cyber security measures to implement. Ensure that critical vulnerabilities are patched within 48 hours and, where possible, implement automatic software updates.

Only authorised users should have access to your data and systems. Use the Principle of Least Privilege (PoLP) and role-based access control to limit user access to only what is needed to complete their job. Regularly review user access requirements and offboard users promptly.  In addition, the implementation of strong passwords, frequent password rotation, and multi-factor authentication reduces the risk of user account compromise. If users work remotely, ensure data and systems are securely accessed through a VPN or by implementing zero trust security.

Data is critical to any business, and data loss or compromise can quickly result in significant business interruption, recovery costs, reputational damage, and legal liability. Protecting data should be a two-pronged approach – prevention and recovery. Prevention ensures only authorised users can access, read, or change data. This could include role-based access control or cryptographic controls such as encryption. Recovery involves backing-up data (e.g., to the cloud or an external storage device) and ensures data can be quickly recovered if manipulated or lost. Data backups should also be protected from unauthorised access, isolated from corporate networks or devices, and regularly tested.

Security technology is essential in managing cyber security, serving as both a first line of defence against cyber-attacks in the wild, and backstops when other controls fail. As a minimum, endpoints should be provided with antimalware software with up-to-date signatures. Network perimeters should be protected with firewalls that are regularly updated and configured to block network traffic by default. Security logs and alerts should be centrally monitored to facilitate prompt incident response.

Most organisations have established procedures and training for physical emergencies such as fires.  These help to ensure the organisation and staff can respond quickly to mitigate loss in the event of an incident. The same applies to cyber security – a formalised and regularly exercised cyber incident response plan helps to ensure an organisation can quickly respond and recover from a cyber incident. As with any emergency procedure or plan, testing should be regularly completed to ensure stakeholders are appropriately trained, aware of their responsibilities and that the plan remains relevant to business needs.

In some ways the human element is the weakest link in cyber security. For instance, it’s much easier to trick someone into giving you their login credentials, than it is to guess those credentials. Cybercriminals exploit the human element through social engineering attacks such as phishing. The best form of prevention against social engineering is education and establishing a culture of collective responsibility for cyber security. Users should be trained in basic cyber security hygiene such as strong passwords, and how to recognise and report phishing emails. It’s also important to regularly test the effectiveness of training through exercises such as phishing simulations.
 

Remember, no business is immune to cyber threats, but implementing these six basic cyber security practices can significantly reduce the risk and impact of cyber-attacks. Don't wait until it's too late, make cyber security a fundamental part of your business risk management strategy.