Additional mitigation strategies
Perform regular vulnerability assessments
In addition to implementing the Essential Eight, systems should be regularly reviewed for security vulnerabilities, particularly after significant changes. Vulnerability assessments can be performed in-house or by an independent provider, using both automated and manual methods.
Implement an education program for employees and subcontractors
An education program will provide employees and subcontractors with a better understanding of common cyber threats such as socially engineered emails, malicious websites and the danger of poor password policies.
Beware of malicious insiders
Adversaries often attempt to influence contractors’ employees, either to gain access to Australian Government information or to have them perform actions on a system that benefit the adversary’s strategic goals. This risk can be lowered by conducting ongoing vetting of employees, especially those with privileged access, controlling the ability to remove Australian Government information from systems, and implementing a comprehensive audit program.
Report cyber security incidents early and often
This includes informing the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) of any cyber security incident that could potentially threaten Australian Government information. Seeking assistance early can mitigate or reduce a potentially dangerous and embarrassing compromise. When the ACSC [4] is informed immediately, assistance can be provided without delay, which contributes to safeguarding Australian Government information.
Use available cyber security resources
Initiatives such as the Defence Industry Security Program (DISP) [5] help to ensure that contractors are provided with appropriate security guidance. For example, contractors that are members of the DISP have access to the Defence Security Principles Framework (DSPF) [6], which details the standards, processes and procedures that direct the application of protective security measures by Defence personnel and external service providers.