Defending Your Castle
For a long time, we have worked with our clients on designing, building and operating cyber security infrastructure, traditionally alongside the information technology team. We still do; however, with the increasing profile of risks that many organisations face, we find that we are increasingly working with owners and boards, or assisting the IT team to do so.
In recent times I am aware that many organisations have obtained cyber risk insurance, which is a positive step. However, what we are seeing is a gap between what they have committed to achieve in the policy and what is actually implemented. I have experienced situations where the CFO has answered the questions for the underwriter and paid for the policy while the IT team don’t even know the policy exists. This situation could understandably create both a security and a financial risk to the organisation.
The Australian Cyber Security Centre (ACSC) has created a framework to help organisations measure risk and protect themselves against an attack or incident. This framework is called the “Essential 8”. Some insurance policies refer to this framework (amongst others, such as ISO 27001) as a minimum standard, and non-compliance will mean that the cyber risk policy is ineffective. Outside of the insurance discussion, Essential 8 is also a great framework to implement (as a starting place for most organisations).
The Essential 8 was created predominantly to help organisations that use Microsoft (MS) software, but it is a useful framework for organisations that use other software systems such as Google. This focus was chosen because of the widespread use of the MS suite and to create a standardised or generic template that is easy to understand.
The framework is based on eight (8) key disciplines that should be implemented in an organisation today and four (4) levels of maturity for each. The four levels of maturity are linked to the sophistication of the attacker an organisation is likely to encounter. Your insurance underwriter could request that you be, or that you commit to be, at a specific maturity level.
The simplified version of this is shown in the table below.
There are other frameworks available. NIST publish one that is often referred to in insurance policies, and in rarer cases clients need to work to the Australian Federal Government ISM framework. Some industries are regulated, and they may call on specific requirements of regulators such as APRA for the finance and insurance industries.
We encourage organisations we deal with to ask the questions about what commitments have been made, analyse the needs of the business, review its current systems, and focus on closing the gaps.