Essential 8


The minimum level of cyber security that you need to know and adhere to.

What is the Essential Eight?

Initially the Australian Signals Directorate (ASD), and subsequently the Australian Cyber Security Centre (ACSC), developed the Essential Eight Strategies to Mitigate Cyber Security Incidents after careful analysis, which included active incident response with some of the early victims.

They consist of eight essential strategies designed to help organisations mitigate or prevent cybersecurity incidents. These strategies cover three key areas:

  • prevention,
  • limitation,
  • and recovery

and are ranked by maturity level.

The ACSC says:

While no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the essential eight, makes it much harder for adversaries to compromise systems.

The Essential Eight strategies themselves cover vital areas of concern for many organisations. These include:

  • Application Control
  • Patch Applications
  • Configure Macro Settings
  • User Application Hardening
  • Restrict Admin Privileges
  • Patch OS
  • Multi-factor authentication
  • Regular backups

The strategies are ranked according to maturity level, with each level reflecting the risks an organisation faces from increasing levels of cybercriminal tradecraft.

Maturity Level 0

Shows there are weaknesses in an organisation’s overall cybersecurity posture.

It’s not a question of if but when these weaknesses are exploited, and these weaknesses could facilitate the compromise of the confidentiality of data, or the integrity or availability of systems and data.

Maturity Level 1

An organisation can likely hold its own against a noncommittal attack using basic tradecraft and tools.

Adversaries will use common social engineering techniques to obtain access to data with the intent of stealing and/or encrypting data. Depending on the circumstances, adversaries may also gain access and destroy backups.

Maturity Level 2

The organisation is ready to handle attacks from a more committed adversary.

Adversaries use a combination of more sophisticated social engineering techniques as well as common vulnerabilities to try and weaken the security of the system to launch malicious applications. Any compromised account with special privileges will be exploited. Depending on their intent, adversaries may also seek to steal or destroy all data including backups.

Maturity Level 3

This indicates the organisation can mitigate attacks from a dedicated threat actor using advanced tradecraft and techniques.

Adversaries targeting specific organisations will likely spend more time and effort to infiltrate a customer network, and then spend time solidifying their access across the network. Once a foothold is gained in the system, adversaries will seek to gain privileged access credentials or password hashes, move to other parts of the network and then cover their tracks. Depending on their intent, adversaries may also steal or destroy data including backups.

Who is the Essential Eight for?

Government Departments

Given that the Australian government has developed the Essential Eight, it’s little wonder that it is mandatory for other government agencies.

Government Supply Chain

It’s also no surprise that businesses and organisations that work alongside these agencies – either directly or as part of the supply chain – will be interested in reaching a level of compliance that makes them attractive to these agencies.

Businesses and Charities

However, it’s not just the government ecosystem that benefits from the Essential Eight. Organisations that want a simple checklist approach to cybersecurity – and have the in-house (or IT MSSP support) capacity to make it happen – can use the Essential Eight to identify gaps in their cybersecurity posture and make changes that suit their level of risk.

Why is the Essential Eight important to my business?

The Essential Eight is essentially about risk. Faithfully implementing the Essential Eight strategies will lower the risk of cyber security incidents in your business.

Some of the things that might influence the amount of risk you are prepared to accept are:

Customer Data

What information do you hold about your customers?

  • Bank account details
  • Identification Documents
  • Telephone Numbers
  • Company Addresses
  • Purchase History
  • Medical and other private information

The list goes on. What damage would it do to your business if your customer data was compromised?

Employee Data

What information do you hold about your employees?

  • Bank account details
  • Birthdays
  • Partner information
  • Home Address
  • Telephone Number

What damage would it do to your business if your employee data was compromised?

Company Data

What information does your business hold about how it operates?

  • Accounting Data
  • Price lists
  • Stock levels
  • Past and future orders
  • Policies & Procedures
  • Business IP

What damage would it do to your business if your company data was compromised?

Production Capability

How long can your business withstand not having access to the data stored in your environment?

  • Minutes?
  • Hours?
  • Days?

The average time it takes to recover from a cyber security incident in Australia is 23 days. How would that affect your business?

As a Board Member/Owner – what are the benefits of implementing the Essential 8?

An improved security posture will reduce your exposure to cyber threats

Faithfully implementing the Essential 8 strategies will lower the risk of cyber security incidents in your business, make life hard for would-be attackers, and minimise the potential damage should an attacker breach your defences.

The ability to demonstrate your company’s ‘security maturity’ can mitigate your risk liability.

Board members and owners are increasingly being held liable for security breaches, data loss and personally identifiable information (PII) loss because of cyber security breaches. One of the most effective ways to mitigate this risk is to demonstrate security maturity by aligning with the Essential 8.

Attaining an Essential 8 maturity level may lead to a reduction in your cyber insurance premium.

Being able to respond to the cyber insurance security questions with “We are Essential 8, Maturity Level X” demonstrates a reduction in risk to your cyber security provider and often results in a reduced cyber insurance premium.

Attaining an Essential 8 maturity level can also be used as a marketing tool.

Another potential payoff is that Essential 8 maturity can also act as an incredible communication tool.

  • For an organisation that reaches level two or three maturity on all – or even most – Essential 8 controls, it speaks volumes about their security and their ongoing commitment – and that level can be independently verified and understood by anyone.
  • A public commitment to the Essential Eight shows potential customers or partners the organisation has a robust security posture. This may lead the organisation to be favoured by security and privacy-conscious customers. Recent surveys show that customers are increasingly making purchase decisions based on security criteria. One would anticipate this trend becoming even more pronounced over time.
  • For an organisation trying to sell its products or services, achieving a set maturity level with the Essential Eight means not having to explain each step they’ve taken to secure their operations, systems, patterns, or practices.

How do I implement the Essential 8?

As you can see, the Essential 8 covers a lot of ground.

  • Past iterations of the Essential 8 sought to have an organisation reach Maturity Level 3. However, in the latest release, the Essential 8 aims to get an organisation to achieve a homogenous maturity level across the prevention, limitation, and recovery sections before moving to the next level. Additionally, organisations are encouraged to focus on achieving a maturity level that makes sense for their risk management level.
  • It offers organisations technical strategies: a prescriptive list of mitigation activities that can help them manage the risks associated with cybersecurity.
  • Largely, what it does not do is tell you how to implement solutions to meet your desired maturity level.

This framework is great if your organisation has the technological capacity to implement the strategies and only needs guidance on which activities to perform.

For organisations that do not have the IT staff on hand – or would prefer to keep them involved in more value-adding activities – our Essential 8 Managed Security Services (E8MSS) can implement and manage your organisational change.

To find out more about our 'Essential 8 Managed Security Services' and how we can help you meet your security goals.