
The Security Audit No Pub Should Ignore

The “Essential Eight” cyber security audit is a benchmark that every hotel should test themselves against.

It will quickly tell you where your business has digital weak points that could be hacked.

There are many cyber security testing tools online - but the Essential Eight Cybersecurity Framework is the “gold standard” for Australian businesses.

Key reasons:

1. It’s independent and it’s free. It was developed by the Australian Signals Directorate (ASD), which is the government’s top agency to defend against cyber attacks.

2. It is designed for business.

3. It gives you a numerical rating across eight areas.

4. The results provide you with a clear pathway to improve.

At Boylen, we tried a range of online tests for Essential Eight and chose a self-audit on the First Focus website. We used it to rate our security but we used our existing IT supplier to toughen our defences.

How to Save Money on the Audit

The average business owner or manager can’t complete the Essential Eight on their own. It’s too technical.

We have IT specialists on our full-time staff, so we were able to answer questions quickly. If you don’t have IT staff, you will need to meet your provider and ask them these technical questions.

But you should sit in on the process so you understand what’s going on with your security at a high level.

Some businesses offer high-priced, all-in-one solutions. They’ll spend several days in your business, test a variety of computers on your premises and so on.

But we believe that your IT supplier should be able to verbally give you yes or no answers in a meeting, which will enable you to complete the Essential Eight assessment in an hour or two. Where your IT advisor will make their money is in providing solutions, because you are guaranteed to find flaws that need attention.

Other Audits

The problem with some of the testing tools online is that they set the bar too low.

For example, Boylen completed the government’s Cyber Security Assessment Tool and we rated at the top level – “Champion”. But we knew we weren’t! This was confirmed when we completed the Essential Eight.

The "Eight" Explained

The Essential Eight covers eight fundamental areas of cybersecurity that every business should focus on.

These strategies are designed to mitigate a range of common cyber risks and are based on extensive research and analysis of real-world cyber attacks.

As a business owner, you probably won't understand each section in detail. But you should have a top-level grasp of the concepts.

1. Application whitelisting: This control involves only allowing approved applications to run on your systems, thereby preventing the execution of unauthorised or malicious software. By creating a whitelist of trusted applications and blocking all others, you can significantly reduce the risk of malware infections and unauthorised access.

2. Patching applications: Keeping your software up to date is crucial in preventing cyber attacks. This control involves regularly applying patches and updates to your applications, operating systems, and firmware. Patching helps address known vulnerabilities and weaknesses that can be exploited by attackers.

3. Configuring Microsoft Office macro settings: Microsoft Office macros are a common vector for spreading malware. This control involves configuring your Microsoft Office applications to disable or restrict the execution of macros, unless they are from trusted sources. By doing so, you can minimise the risk of malware being delivered through malicious macros.

4. Restricting administrative privileges: Limiting the number of users with administrative privileges can significantly reduce the impact of a security breach. This control involves implementing the principle of least privilege, where users are only given the minimum access rights necessary to perform their job functions. By doing so, you can prevent attackers from gaining full control of your systems even if they manage to compromise a user account.

Implementing the First Four Controls Of The Essential Eight Framework

Now that we have a good understanding of the first four controls of the Essential Eight Cybersecurity Framework, let's delve into how you can effectively implement them in your organisation:

1. Application whitelisting: Start by conducting an inventory of all the applications running on your systems. Identify the ones that are essential for your business operations and create a whitelist of approved applications.

Implement a robust application control mechanism that prevents the execution of any unauthorised software. Regularly review and update your whitelist as needed.
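The inventory step above is the part a business can start on its own. The PowerShell script below is an added example, not code from the article or from Boylen: it reads the list of installed programs that Windows keeps in the registry and marks anything that is not on an approved list. The approved list, and the wildcard patterns in it, are constructed placeholders to replace with your own.

```powershell
# Added example (not from the article): inventory installed applications from the
# Windows uninstall registry keys and compare them with an approved list.
# $approvedApps is a constructed placeholder; patterns use PowerShell -like wildcards.

$approvedApps = @(
    'Microsoft 365 Apps*',
    'Google Chrome',
    'Adobe Acrobat*'
)

# 64-bit, 32-bit and per-user installers each register under a different key.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledApplication {
    # Entries without a DisplayName are updates or components, not user-facing applications.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Compare-WithApprovedList {
    param([string[]]$Approved)
    Get-InstalledApplication | ForEach-Object {
        $app = $_
        # Approved if any pattern in the list matches the display name.
        $isApproved = [bool]($Approved | Where-Object { $app.DisplayName -like $_ })
        [pscustomobject]@{
            Name      = $app.DisplayName
            Version   = $app.DisplayVersion
            Publisher = $app.Publisher
            Status    = if ($isApproved) { 'Approved' } else { 'REVIEW' }
        }
    }
}

# Items marked REVIEW are either to be added to the list or removed from the machine.
Compare-WithApprovedList -Approved $approvedApps |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Run it on each workstation (or through your IT provider's remote management tool) and keep the output as the starting point for the whitelist. Note that this matches on program names, which is fine for an inventory; the control itself is enforced by a tool such as AppLocker or Windows Defender Application Control, which decides by publisher signature or file hash rather than by name.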

2. Patching applications: Establish a patch management process that ensures timely updates for all your applications, operating systems, and firmware. This process should include regular vulnerability assessments to identify and prioritise patches based on the level of risk they pose. Automate patch deployment wherever possible to streamline the process and minimise the window of exposure to vulnerabilities.

3. Configuring Microsoft Office macro settings: Configure your Microsoft Office applications to disable macros by default. Only enable macros for trusted documents or specific business processes that require their use. Educate your employees about the risks associated with macros and provide clear guidelines on how to handle macros from external sources. Regularly remind your employees to exercise caution when opening attachments or enabling macros.
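To see whether the "disable macros by default" step has actually landed on a given computer, the script below (an added example, not from the article) reads the Office macro settings from the registry for Word, Excel and PowerPoint, checking the Group Policy location first and the user's own setting second. The registry value names are Microsoft's; the "hardened" threshold (macros disabled or restricted to signed ones, plus blocking of macros in files downloaded from the internet) is this example's own assumption.

```powershell
# Added example (not from the article): audit Office macro settings on this machine.
# '16.0' is the registry version key used by Office 2016, 2019 and Microsoft 365 Apps.
$officeApps = 'Word', 'Excel', 'PowerPoint'
$version    = '16.0'

# VBAWarnings values as documented by Microsoft.
$vbaMeaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string]$App, [string]$Name)
    # A policy value (set by Group Policy or Intune) wins over the user's preference.
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$version\$App\Security",
        "HKCU:\Software\Microsoft\Office\$version\$App\Security"
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Value  = $item.$Name
                Source = if ($p -like '*\Policies\*') { 'Policy' } else { 'User' }
            }
        }
    }
    return $null
}

function Test-OfficeMacroHardening {
    foreach ($app in $officeApps) {
        $vba   = Get-MacroSetting -App $app -Name 'VBAWarnings'
        $block = Get-MacroSetting -App $app -Name 'blockcontentexecutionfrominternet'
        $meaning = if ($vba) { $vbaMeaning[[int]$vba.Value] } else { $null }
        [pscustomobject]@{
            Application   = $app
            MacroSetting  = if ($meaning) { $meaning } elseif ($vba) { "Unknown value $($vba.Value)" } else { 'Not set (application default applies)' }
            SetBy         = if ($vba) { $vba.Source } else { '-' }
            BlockInternet = if ($block) { [int]$block.Value -eq 1 } else { $false }
            # Assumed threshold for this example: signed-only or fully disabled, and internet macros blocked.
            Hardened      = ($null -ne $vba -and [int]$vba.Value -ge 3) -and ($null -ne $block -and [int]$block.Value -eq 1)
        }
    }
}

Test-OfficeMacroHardening | Format-Table -AutoSize
```

A row showing "SetBy = User" means the setting could be changed back by the person at the keyboard; a setting that is meant to stick should show "Policy". If your IT provider manages Office through Microsoft 365 cloud policy rather than Group Policy, ask them to show the equivalent report from that console.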

4. Restricting administrative privileges: Conduct a thorough review of the administrative privileges assigned to user accounts in your organisation. Identify accounts with unnecessary administrative rights and revoke them.

Implement a privileged access management solution that enforces the principle of least privilege. Regularly monitor and audit administrative activities to detect any unauthorised access attempts.
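The review in step 4 usually starts with the local Administrators group on each computer, because that is where unnecessary rights accumulate. The script below is an added example, not from the article: it lists the group's members, compares them with an approved list, writes a dated record for the audit trail, and shows (without acting) which memberships would be revoked. The approved list contains constructed placeholder names.

```powershell
# Added example (not from the article): review local Administrators group membership.
# Run in an elevated PowerShell session. $approvedAdmins is a constructed placeholder.
$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account
    'EXAMPLE-DOMAIN\IT Support'          # placeholder for the IT provider's admin group
)

function Get-LocalAdminReview {
    param([string[]]$Approved)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass      # User or Group
            Source      = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD or MicrosoftAccount
            Approved    = $Approved -contains $_.Name
        }
    }
}

$review = Get-LocalAdminReview -Approved $approvedAdmins
$review | Format-Table -AutoSize

# Keep a dated copy so repeated reviews can be compared; path is an example location.
$reportPath = Join-Path $env:TEMP ("admin-review-{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
$review | Export-Csv -Path $reportPath -NoTypeInformation

# Review stage only: -WhatIf prints what would be removed and changes nothing.
# Remove -WhatIf once the list has been confirmed with the business owner.
$review | Where-Object { -not $_.Approved } | ForEach-Object {
    Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf
}
```

Everyday accounts used for email, browsing and the point-of-sale system should not appear in this group at all; staff who occasionally need to install software should be given a separate administrative account used only for that task.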

By implementing these four controls, you can significantly enhance your organisation's cybersecurity posture and reduce the risk of cyber attacks. However, it is important to remember that cybersecurity is an ongoing process and requires continuous monitoring and improvement.

Implementing The Remaining Four Controls Of The Essential Eight Framework

5. Patching operating systems: Just like patching applications, keeping your operating systems up to date is crucial in preventing cyber attacks. Establish a patch management process for your operating systems similar to the one for applications. Regularly apply security patches and updates to address known vulnerabilities.
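Both patching controls (applications in step 2 and operating systems here) come down to the same question for a business owner: when was this machine last updated, and is it waiting on a restart? The script below is an added example, not from the article, and answers that question for Windows updates on the local computer. The 14-day threshold is an assumed example value, not a figure from the article.

```powershell
# Added example (not from the article): report Windows update status on this machine.
# $maxAgeDays is an assumed example threshold for flagging a machine as overdue.
$maxAgeDays = 14

function Get-PatchStatus {
    param([int]$MaxAgeDays)

    # Get-HotFix lists updates recorded by Windows; some entries have no install date.
    $hotfixes = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending
    $latest = $hotfixes | Select-Object -First 1
    $age    = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

    # Windows Update creates this key when an installed update still needs a restart.
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OSVersion     = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
        LatestUpdate  = if ($latest) { $latest.HotFixID } else { 'none recorded' }
        InstalledOn   = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { '-' }
        AgeDays       = $age
        RebootPending = $rebootPending
        Overdue       = ($null -eq $age) -or ($age -gt $MaxAgeDays)
    }
}

Get-PatchStatus -MaxAgeDays $maxAgeDays | Format-List
```

This covers Windows itself. Third-party applications (browsers, PDF readers, accounting software) are not listed by Get-HotFix, so their versions need to be checked against the vendor's current release, which is the kind of task a patch management tool run by your IT provider automates.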

6. Multi-factor authentication (MFA): Implementing MFA adds an extra layer of security to your authentication process. It requires users to provide multiple forms of identification, such as a password and a unique code sent to their mobile device, to access systems or applications. By implementing MFA, you can significantly reduce the risk of unauthorised access, even if passwords are compromised.

7. Daily backups: Regularly backing up your critical data is essential to ensure business continuity in the event of a cyber attack or data breach. Implement a comprehensive backup strategy that includes regular backups of all important data, regular testing of backups to ensure data integrity, and offsite storage to protect against physical damage or loss.

8. User application hardening: This control involves implementing additional security measures for web browsers, PDF viewers, and other common applications. Configure these applications to restrict potentially malicious activities, such as automatically executing scripts or downloading files without user consent. Regularly update these applications to ensure they have the latest security enhancements.

The Role Of Employee Training In Cybersecurity

While implementing the Essential Eight controls is critical, it is equally important to educate and train your employees on cybersecurity best practices. Employees are often the weakest link in an organisation's cybersecurity defences, as they can inadvertently click on malicious links, fall for phishing scams, or mishandle sensitive information. By providing regular training and awareness programs, you can empower your employees to become the first line of defence against cyber threats.

Start by creating a comprehensive cybersecurity policy that outlines the expected behaviour and responsibilities of your employees. In a hotel setting, this covers finance and other back-office staff, people handling social media, users of your business email accounts, and so on.

This policy should cover topics such as password management, acceptable use of company resources, safe browsing habits, and incident reporting procedures. Conduct regular training sessions to educate your employees about the latest cyber threats, phishing techniques, and social engineering tactics. Reinforce the importance of following security protocols and provide practical examples of real-world scenarios to help employees understand the risks and consequences of their actions.
