Businesses in Australia are being offered Australian Trusted Trader (ATT) status if they comply with a set of regulations. This status provides trading companies with a range of privileges and benefits.
The Australian Trusted Trader programme is administered by the Australian Border Force (ABF) and aligns with international trusted trader frameworks to facilitate smoother cross-border trade. Companies that achieve ATT status gain access to tangible benefits that streamline their logistics and trading operations.
Benefits of the Australian Trusted Trader programme include:
- Administrative efficiency through simplified border processing and reduced intervention rates.
- Reduced bureaucracy with streamlined import and export procedures.
- Improved cash flow through access to periodic settlement of customs duties.
- Deferred duty payments, allowing businesses to manage their finances more effectively.
- Business travel card (APEC) access for eligible personnel, facilitating smoother international travel.
- Fast-tracked TSS visas for skilled workers needed by the business.
- Personalised logistics support from the ABF, including a dedicated client manager.
- Data collection service enhancements that assist with trade compliance reporting.
However, achieving and maintaining ATT status requires businesses to demonstrate a robust approach to cyber security. This is where the Australian Signals Directorate's (ASD) Essential 8 framework becomes critical.
The Essential 8
The Essential 8 is the Australian Cyber Security Centre's (ACSC) base level set of requirements for cyber security mitigation strategies. These eight strategies are designed to protect organisations against the most common forms of cyber attack and form a practical, prioritised set of actions that any business can implement.
The Essential 8 framework defines four maturity levels, from Level 0 through to Level 3. Level 0 indicates that the organisation has significant weaknesses that could be exploited by adversaries. Level 1 represents a baseline level of mitigation. Level 2 represents a more advanced mitigation posture. Level 3 represents the target level that most organisations should aim for, as it provides a strong defence against the majority of cyber threats. Businesses pursuing ATT status should aim to achieve Maturity Level 3 across all eight strategies.
The security assessment process follows a three-fold approach: first, identify the hazards that could affect the organisation's information systems; second, establish the level of risk each hazard presents to the business; and third, determine the appropriate mitigation measures to reduce that risk to an acceptable level.
Before embarking on Essential 8 implementation, there are critical preparatory activities that must be completed:
- Identify the systems, applications, and data that require protection.
- Identify the likely adversaries and threat actors relevant to your industry and operations.
- Identify the required level of protection based on the sensitivity of the data and the consequences of a breach.
Legacy systems present a significant risk in this context. Many organisations continue to operate outdated software and hardware that cannot support modern security controls. These legacy systems may be deeply embedded in business operations, making them difficult to replace, but they often represent the weakest link in an organisation's security posture.
Physical machines that are connected to the internet but were not originally designed for networked operation present another area of concern. Industrial control systems, building management systems, and other operational technology may lack basic security features and are increasingly being targeted by sophisticated adversaries.
Third-party relationships are frequently the limiting factor in an organisation's overall security posture. No matter how robust your internal security measures are, if your suppliers, partners, or service providers have weak security practices, they can become the vector through which your organisation is compromised. Managing third-party risk requires ongoing assessment and contractual security requirements.
The principle of least privilege is fundamental to any effective security implementation. Users and systems should only have the minimum level of access necessary to perform their functions. This limits the potential damage from a compromised account and reduces the attack surface available to adversaries.
Implementing the Essential 8
The Essential 8 strategies can be grouped into three key areas of security focus: preventing malware delivery and execution, limiting the extent of cyber security incidents, and recovering data and system availability.
Preventing malware delivery and execution encompasses application control, patching applications, configuring Microsoft Office macro settings, and user application hardening. These measures work together to reduce the likelihood of malicious code reaching and executing on your systems.
Limiting the extent of incidents involves restricting administrative privileges and patching operating systems. By ensuring that users operate with the minimum necessary privileges and that known vulnerabilities are promptly addressed, organisations can contain the impact of a successful attack.
Recovering data and system availability centres on multi-factor authentication and regular backups. Multi-factor authentication protects against credential theft, while comprehensive backup strategies ensure that data can be restored following a ransomware attack or other destructive incident.
Continuous assessment is essential. Cyber security is not a one-time project but an ongoing process that requires regular review, testing, and improvement. The threat landscape evolves constantly, and an organisation's security posture must evolve with it. Comprehensive records of assessments, findings, and remediation activities are essential for demonstrating compliance and supporting continuous improvement.
Cyber Citadel provides support across the full spectrum of Essential 8 implementation, from initial advice and gap analysis through to full implementation and ongoing management. Whether you are beginning your compliance journey or seeking to mature your existing security posture, our team can tailor an approach that meets your specific requirements.
This article was originally published in Across Borders magazine — Autumn 2019.