This page lists the ACSC’s Small Business Cloud Security guidance. This guidance adapts the ACSC’s Essential Eight mitigation strategies and outlines an example of how each can be implemented to secure Microsoft 365 capabilities. The technical examples are designed to offer significant protection against cyber incidents while remaining accessible to organisations with limited resources and cyber security expertise. Small Business Cloud Security Guides: Executive overview The ACSC’s Small Business Cloud Security Guides provide technical examples organisations can use to improve their cyber security and protect against damaging cyber incidents. This page outlines everything executives need to know about the guides including who the guides are designed for, the security benefits they offer and the buy-in required from leadership. Small Business Cloud Security Guides: Introduction Securing your business can be a complex task. Among the numerous security priorities and configuration options, it can be difficult to know where to begin. These guides adapt the ACSC’s Essential Eight mitigation strategies and outline an example of how each can be implemented to secure Microsoft 365 capabilities. The technical examples are designed to offer significant protection against cyber incidents while remaining accessible to organisations with limited resources and cyber security expertise. Technical Example: Multi-Factor Authentication Multi-factor authentication (MFA) makes it harder for adversaries to use compromised user credentials to access an organisation’s systems. It is one of the most important cyber security measures an organisation can implement. Technical Example: Restrict Administrative Privileges Privileged account credentials are prized by cybercriminals because they provide extensive access to high value assets within a network. Restricting privileged access to only users with a demonstrated business need is essential to protecting your environment. Technical Example: Regular backups Implementing regular backups will assist your organisation to recover and maintain its operations in the event of a cyber incident, for example, a ransomware attack. Technical Example: Patch Operating Systems Patching operating systems is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to their devices and sensitive information. Patches improve the security of operating systems by fixing known vulnerabilities. Technical Example: Patch Applications Patching applications is one of the most effective controls an organisation can implement to prevent cyber criminals from gaining access to their devices and sensitive information. Patches improve the security of applications by fixing known vulnerabilities. Technical Example: Configure Macro Settings Configuring macro settings protects an organisation’s systems from malicious macros. Macros are powerful tools. They were introduced to improve productivity however their functionality can also be used by cyber criminals to compromise a user’s system. Technical Example: Application Control Application control restricts the ability of an application to run or install on a device. Application control makes it harder for users to intentionally or unintentionally install unwanted or malicious software. Technical Example: User Application Hardening User application hardening protects an organisation from a range of threats including malicious websites, advertisements running malicious scripts and exploitation of vulnerabilities in unsupported software. These attacks often take legitimate application functionality and use it for malicious purposes. User application hardening makes it harder for cybercriminals to exploit vulnerabilities or at-risk functionality in your organisation’s applications.