Frequently, we encounter headlines about yet another organisation succumbing to a cyber-attack. Despite the abundant news coverage and the industry’s clear emphasis on cyber security, 48% of Australian executives still expressed low confidence in their organisation’s capability to subjectively evaluate cyber risks. To enhance your organisation’s cybersecurity stance and shift towards a proactive rather than reactive approach, it is imperative to adopt the ASD Essential 8. By doing so, you can be assured that your confidential data remains secure, and your reputation remains intact.

What is Essential 8?

The Australian Signals Directorate (ASD) Essential 8 is a set of eight security controls that organisations can implement to protect themselves against cyber threats. The Essential 8 was first published in 2016, and it has since become a widely accepted benchmark for cyber security best practices.

The growing importance of the Essential 8 stems from various factors, primarily driven by the rapidly evolving threat landscape. In recent years, attackers have adopted highly sophisticated methods to infiltrate organisations’ systems and compromise data. The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes, compared to every 8 minutes last financial year. In response to these escalating threats, the Essential 8 offers a comprehensive set of controls that empower businesses to effectively counter and mitigate such risks. Consequently, the following reasons highlight why the Essential 8 has emerged as a crucial component in bolstering cybersecurity:

  • Empowers businesses to remain current and proactive in countering emerging threats.
  • Encompasses an extensive array of controls, effectively mitigating diverse security risks.
  • Endorsed by multiple government and industry organizations, lending it unwavering credibility and legitimacy.
  • Effortlessly implementable and maintainable, rendering it an ideal solution for organisations of any scale.

While the Essential 8 does not function as an impenetrable titanium shield and cannot ensure absolute immunity to cyber-attacks for organisations, its implementation can significantly raise the bar for attackers, making their success far more challenging. For those seeking to enhance their organisation’s cyber security posture, the Essential 8 serves as an excellent starting point. By adopting the Essential 8 practices, organisations can substantially bolster their defences against potential attacks.

Implementation of the Essential Eight Maturity Model

The Essential Eight Maturity Model comprises of four maturity levels (0 to 3). The higher levels of maturity protect entities against moderate-to-high degrees of sophistication in adversary tradecraft and targeting. As of July 2022, it is a core requirement of the PSPF that entities implement the Essential Eight strategies to at least Maturity Level 2.

The Essential Eight Maturity Model comprises the following eight strategies:

  • Application control: ensures only corporate approved software applications can be executed on a computer, protecting against the execution of malicious applications.
  • Patch applications: applying vendor patches or other vendor mitigations prevents known vulnerabilities in applications from being exploited.
  • Configure Microsoft Office macro settings: limits macro programs embedded in Microsoft Office files from executing, thereby preventing potential malicious activity.
  • User application hardening: limits the use of potentially exploitable user application functionality to only what is required and removes particularly vulnerable software altogether.
  • Restrict administrative privileges: limits the unnecessary provision of administrative privileges, reducing the potential for these to be exploited by adversaries to gain full access to computers and data.
  • Patch operating systems: applying vendor patches or other vendor mitigations prevents known vulnerabilities in operating systems from being exploited.
  • Multi-factor authentication: requires users to present multiple authentication credentials to log in, rather than just using a passphrase, thereby preventing adversaries logging in as a user if they know the user’s passphrase.
  • Regular backups: making a copy of data, software, and configuration settings, storing it securely and periodically testing the ability to restore it, enables data and computers to be restored after an incident such as ransomware or computer hardware failure.

The Essential Eight Maturity Model recommends that organisations implement the Essential Eight using a risk-based approach. Where the strategies cannot be implemented, these exceptions should be minimised, and compensating controls should be used to manage the resulting risk. If the gap is effectively mitigated, the entity may self-assess their maturity against that strategy.

The Essential 8 is a valuable set of security controls that can help organisations protect themselves against cyber threats. By implementing these controls, organisations can make it much more difficult for attackers to succeed.

If you are interested in learning more about the Essential 8 or would like a no obligation chat contact us now.

Find out more about Oreta’s cybersecurity services here.