Many not-for-profits consider themselves unappealing to cyber criminals because they are a small organisation, hold little money in reserve, or work with little data. This belief is reinforced by most cybercrime news headlining large for-profit organisations. But any data is valuable to cyber criminals: even a handful of stolen personal details from your employees or volunteers, such as email addresses or login credentials, can open the door to more damaging attacks (phishing from a trusted mailbox, password reuse against your cloud services, or fraud against your donors). This is one reason cyber criminals keep evolving their tactics to exploit not-for-profit weaknesses, and why cybersecurity incidents keep rising. In the 2021-22 financial year, the ACSC received over 76,000 cybercrime reports, an increase of nearly 13% on the previous financial year [1].
There are many security measures you can take to keep your not-for-profit cyber safe. However, one strategy has a proven track record and is recommended by the Australian Signals Directorate (ASD): implementing a baseline risk mitigation strategy such as the Essential Eight. To recap the eight security controls we discussed previously on this blog:
- Application Whitelisting (now called application control by the ASD): prevent unauthorised software from running.
- Application Patching: remediate known security vulnerabilities in applications.
- Restriction of Administrative Privileges: limit powerful access to systems.
- Operating System Patching: remediate known security vulnerabilities in the operating system.
- Configuration of Office Macros: block untrusted macros.
- User Application Hardening: disable or restrict vulnerable functionality in browsers and office software.
- Multi-factor Authentication: protect accounts against credential theft and risky activities.
- Regular Backups: maintain the availability of critical data and test that it can be restored.
Today, we’re sharing the Essential Eight maturity levels so you can understand and compare how your not-for-profit stacks up.
[1] 2022 Annual Cyber Threat Report, Australian Cyber Security Centre (ACSC).
The Essential Eight Maturity Levels
The Essential Eight maturity levels represent a progressive approach to cybersecurity, with Level 0 being the lowest and Level 3 being the highest. The ASD assesses each of the eight strategies separately, and your organisation's overall maturity level is the lowest level reached across all eight. The higher the maturity level, the better your not-for-profit can protect its information systems and data from cyber threats.
Maturity Level 0: Not yet implemented any of the Essential Eight strategies.
This is the starting point for most organisations. At this level, your not-for-profit has not yet taken any steps to protect its information systems and data from cyber threats. This signifies a significant weakness in your organisation's overall cyber security posture that, when exploited, could lead to data loss, compromised data integrity, or your systems becoming unavailable.
Maturity Level 1: Partly implemented the Essential Eight strategies.
Your organisation is at this level if each of the Essential Eight strategies is at least partly implemented and basic cybersecurity controls are in place. You have started taking steps to protect your systems and data, but there is still room for improvement. Level 1 is designed to defeat commodity attacks that use publicly available tools and tradecraft.
Maturity Level 2: Mostly implemented the Essential Eight strategies.
Your not-for-profit is at this level if you understand your cybersecurity risks well and have implemented most of the requirements of each Essential Eight strategy to address them. This means you have made significant progress in protecting your digital estate, but gaps still need to be addressed.
Maturity Level 3: Fully implemented the Essential Eight strategies.
At this level, your not-for-profit has fully implemented all of the Essential Eight strategies and has a mature cybersecurity program. Your organisation has a good grasp of its cybersecurity risks, has implemented appropriate controls to mitigate those risks, and has a culture of cybersecurity awareness and vigilance.
Achieve Maturity Level 1 in Essential Eight
Moving from Level 0 to Level 1 in the Essential Eight Maturity Model typically starts with the first four Essential Eight strategies (the former "Top 4"), which are considered the foundational controls of an effective cybersecurity program. These four strategies are:
- Application Whitelisting. This involves creating a list of approved applications that can run on your organisation's systems and blocking all others. To implement application whitelisting, your not-for-profit must first identify and create a list of approved applications based on your business needs. The whitelist is then enforced on each endpoint and server so that only approved software can run. Any attempt to run unauthorised software is blocked and logged for review and investigation. Prefer rules based on a file's cryptographic hash or its publisher's signing certificate over rules based on file path: a path rule that covers a directory standard users can write to lets anyone run whatever they copy into it.
- Application Patching. This involves regularly applying software updates or patches to applications to address known security vulnerabilities. These updates are released by the software vendor or developer in response to newly discovered vulnerabilities or other issues that attackers could exploit to gain unauthorised access to your systems or steal sensitive data. Patch internet-facing software and vulnerabilities with a known working exploit first. By applying application patches regularly, your not-for-profit reduces the risk of a successful cyber attack and better protects its assets.
- Operating System Patching. This involves regularly applying software updates or patches to your organisation's underlying operating systems to address known security vulnerabilities. To implement it, your organisation must establish a process for identifying and evaluating available patches, testing them in a non-production environment, and deploying them promptly. This process must be ongoing, as vendors release new patches every month and out of band for actively exploited vulnerabilities.
- Restricting Administrative Privileges. This involves limiting the number of users with administrative privileges on your organisation's systems and granting these privileges only to those who need them to perform their duties. To implement this strategy, your not-for-profit should review its user access policies and identify which users require administrative privileges. These users should be granted only the minimum level of privileges necessary for their work, through a separate privileged account that is not used for email or web browsing, and those privileges should be monitored and audited to ensure they are not misused and are removed when no longer needed.
To move from Level 0 to Level 1, your not-for-profit must implement these four strategies and ensure they are effectively configured and managed. This typically involves conducting a gap analysis to identify areas where improvements are needed, developing a plan for implementing the necessary changes, and regularly monitoring and testing the implemented controls to ensure they remain effective. Keep in mind that the ASD rates maturity across all eight strategies, so the remaining four (Office macro settings, user application hardening, multi-factor authentication and regular backups) also need to reach their Level 1 requirements before your organisation can claim Maturity Level 1 overall.
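To make the application whitelisting and patching points above concrete, here is a small allowlist checker written for this post as an added illustration (it is not code from Professional Advantage, the ASD, or any product such as AppLocker). It assumes a simplified policy format of our own: a set of SHA-256 hashes of individually approved executables plus a list of directories whose contents are trusted wholesale. All files it checks are constructed in a temporary directory. It shows a hash rule and a path rule allowing execution, an unapproved download being blocked and logged, a hash rule silently breaking when the vendor patches the binary, and a path rule accepting a file planted in a trusted directory.

```python
import hashlib
import logging
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Set, Tuple

log = logging.getLogger("appcontrol")


@dataclass
class Allowlist:
    """Hypothetical policy format (an assumption of this example, not a vendor schema)."""
    hashes: Set[str] = field(default_factory=set)      # SHA-256 of approved executables
    trusted_dirs: List[Path] = field(default_factory=list)  # directories approved wholesale


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Enforcer:
    allowlist: Allowlist
    blocked: List[Tuple[str, str]] = field(default_factory=list)  # audit trail of denials

    def check(self, exe: Path) -> Tuple[bool, str]:
        """Return (allowed, reason). Hash rules are consulted before path rules."""
        p = Path(exe).resolve()  # resolve symlinks so a link cannot escape a path rule
        digest = sha256_of(p)
        if digest in self.allowlist.hashes:
            return True, "hash rule " + digest[:12]
        for d in self.allowlist.trusted_dirs:
            if Path(d).resolve() in p.parents:
                return True, "path rule " + str(d)
        # Denied: record it for review, exactly as a real control logs blocked executions
        self.blocked.append((str(p), digest))
        log.warning("BLOCKED %s sha256=%s (no matching rule)", p, digest)
        return False, "no matching rule"


def demo() -> Dict[str, object]:
    """Build a throw-away estate (constructed sample files) and exercise each rule type."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved_dir = root / "Program Files" / "ApprovedApp"
        approved_dir.mkdir(parents=True)
        (approved_dir / "app.exe").write_bytes(b"approved application v1")

        tools = root / "Tools"
        tools.mkdir()
        updater = tools / "updater.exe"
        updater.write_bytes(b"updater build 100")

        downloads = root / "Users" / "alice" / "Downloads"
        downloads.mkdir(parents=True)
        dropper = downloads / "invoice.pdf.exe"
        dropper.write_bytes(b"definitely not an invoice")

        policy = Allowlist(hashes={sha256_of(updater)}, trusted_dirs=[approved_dir])
        enforcer = Enforcer(policy)

        results: Dict[str, object] = {
            "approved_by_path": enforcer.check(approved_dir / "app.exe")[0],
            "approved_by_hash": enforcer.check(updater)[0],
            "unapproved": enforcer.check(dropper)[0],
        }

        # The vendor patches the updater: its bytes change, so the hash rule no longer
        # matches until the allowlist is updated. Patching and allowlisting must be
        # managed together or patched software stops running.
        updater.write_bytes(b"updater build 101")
        results["after_patch"] = enforcer.check(updater)[0]

        # A file copied into an allowlisted directory is accepted by the path rule.
        # This is why path rules must only cover directories standard users cannot write to.
        planted = approved_dir / "planted.exe"
        planted.write_bytes(dropper.read_bytes())
        results["planted_in_trusted_dir"] = enforcer.check(planted)[0]

        results["blocked_count"] = len(enforcer.blocked)
        return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints one line per scenario and two BLOCKED log entries (the download and the patched updater). The two failure modes it exhibits are the ones that consume most of the effort in a real deployment: hash rules need a maintenance process tied to your patch cycle, and path rules are only as strong as the file permissions on the directories they cover, so production tools add publisher-certificate rules, which this example omits because verifying Authenticode signatures is outside its scope.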
Like for-profit companies, your not-for-profit is not immune to compromise. Without a proven and measurable cybersecurity strategy and modern tools for protecting your digital estate, your not-for-profit could easily become a cybercrime victim. It is in your organisation's best interest to lift its cybersecurity posture to sustain your donors' trust and confidence.
If you’re worried about your not-for-profit’s digital security state, Professional Advantage can help. We have worked with numerous not-for-profits implementing Essential Eight to improve their cybersecurity posture. You can begin improving yours by signing up for your complimentary 90-minute Discovery Call today.
Not quite ready yet? Please join us for our webinar, Essential Eight Cybersecurity from the Server Room to the Boardroom, to help you better understand this cybersecurity framework. Join us live on the 20th July 2023 by registering here.
You say level 4 is the highest, but below you only have points for levels 0-3.