What is Essential 8?
The Essential 8 was created to foster robust security and operational protocols among Australian government bodies, departments, local councils, and other entities operating in the public domain. Many private enterprises consider the Essential Eight an advantageous starting point for evaluating security measures and establishing a fundamental groundwork for cybersecurity. The Essential Eight is maintained by the Australian Cyber Security Centre (ACSC).
What are the eight mitigation strategies?
Comprising a set of eight crucial mitigation tactics developed by the ACSC, Essential 8 serves to aid organisations in minimising or forestalling cybersecurity breaches. These strategies encompass three primary domains: prevention, restriction, and recovery – categorised based on their level of advancement.
The eight strategies are:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
What are the Essential 8 maturity levels?
The various strategies comprising the Essential 8 are assessed based on their capacity to counteract varying degrees of cybercriminal techniques.
These strategies are positioned along overarching maturity levels:
Maturity Level Zero
Maturity Level Zero means there are problems with how safe an organisation’s digital environment is. Whether the organisation is missing some important strategies or has only started using a few, being at Level Zero shows that some important safety measures are missing, which makes it vulnerable.
Bad actors often go for easy targets, so even if a strong backup plan or extra security steps are used, like MFA, they can still find other ways to access your environment. Many businesses start at Level Zero, and that’s okay because it shows that some security rules might not completely cover all the risks to the organisation’s cyber defences.
Maturity Level One
Maturity Level One is the first step in making your organisation more secure. It’s about protecting yourself from bad actors/hackers online. These bad actors don’t have a specific target; they look for weak spots in different parts of your cybersecurity and try to exploit them. They use common tools found on the internet to find and exploit problems in software or systems that haven’t been updated. The goal here is to defend against common ways of causing problems rather than the advanced methods meant for specific goals. Even though these hackers aren’t after anything specific, their actions can still adversely affect your systems and, therefore, your business.
Maturity Level Two
Maturity Level Two is about defending against clever bad actors who are more skilled and use smarter techniques. These bad actors might be performing a targeted attack on your organisation, not just employing a “spray and pray” campaign with fake emails. They could pretend to be someone from your organisation to get access to your data. These smart bad actors spend a lot of effort to break into specific systems, and they’re good at getting around security measures without being caught. Instead of attacking many places, they pick their targets carefully, considering how much time and work it will take to break in.
Maturity Level Three
Maturity Level Three is the top level, and it’s all about stopping advanced adversaries; they are smart and have the tools. These bad actors can find weaknesses in your cyber defences, like outdated software or insufficient monitoring. They know a lot and use advanced techniques and tools that beginners don’t use. They’re quick at using these tools and know how to hide from being caught. They’re picky about who they target and will put in much effort to get past all your security measures.
What Essential 8 Maturity level should I aim for?
In the past, the Essential Eight aimed to make organisations reach Maturity Level 3. But in the latest release, it wants organisations to be equally strong in prevention, limitation, and recovery before moving up. Also, it’s suggested that organisations work on the maturity level that fits their level of risk management.
When deciding which maturity level your business should aim for, consider how much of a target your company might be for attackers and what kind of information your organisation deals with. If you handle a lot of important or private data, it’s a good idea to aim for level three. Approach the Essential Eight with a focus on risks, and think about what could happen and how much it might cost your business if there’s a data breach or a malware attack.
What are the Essential 8 cybersecurity strategies?
Here is a brief overview of the Essential Eight mitigation strategies:
Application Control
This is about how much control you have over the software your users use. It’s about stopping certain types of software, like scripts or programs, from running on their computers. Alternatively, it’s only allowing certain programs to run on their computers.
Patch Applications
This rule is all about keeping third-party software up to date. It means getting security updates and fixes installed as soon as possible. To follow this, you need to regularly use tools that find problems in your software and remove programs that aren’t supported anymore by the companies that make them. Psst. We do this as part of Managed IT plans.
Configure Microsoft Office Macro Settings
This concerns how much your employees can use macros in Microsoft Office applications. Usually, these macros are turned off for most employees unless they really need them for their work.
User Application Hardening
This is about controlling what your employees can do with their computer programs. Basically, web browsers shouldn’t show internet ads or run certain types of content. Also, Internet Explorer 11 should be turned off, and employees shouldn’t be able to change these settings.
Restrict Administrative Privileges
This strategy is about handling employees with admin privileges to control things on their computers. It means checking if they really need extra access to systems and apps, stopping those special users from using the internet, and making sure they work in a different way from regular users.
Patch Operating Systems
This strategy is about making sure your computer operating systems are current. The main goal is to update the system’s software, fixes, and security measures for online services within two weeks of their release – or even faster, within 48 hours if there’s a known problem. You should use tools that find any missing fixes, and if a system isn’t supported by its maker anymore, it should be replaced. Psst. We do this as part of Managed IT plans.
Multi-factor authentication (MFA)
This strategy is about making sure all important access requires extra verification in the form of an additional factor of authentication. This is usually a code sent to your mobile or generated in an app on your phone. Having this in place makes sure everyone uses this extra check before they use online services and third-party tools.
Regular Backups
This strategy is about keeping your important files, email, chats and other data safe by making copies and having them ready for restoration if the time comes. It means making sure important data, software, and settings are copied and stored properly, according to what your business needs. You also make sure these backup systems work by testing them, and you limit regular users to their own backup areas.
Is my business already Essential 8 compliant?
Considering the technical nature of the Essential 8 guidelines, it’s improbable that companies will naturally meet their intended maturity level without putting in focused work.
The new interpretation of the strategies is designed to help organisations reach a consistent level of maturity throughout, rather than just focussing on reaching level 3. If your company has implemented some strategies in certain areas but not in others, the emphasis should be on enhancing maturity in those lagging areas.
Organisations should prioritise reaching a maturity level that aligns with their risk management approach. This often involves assessing both the cybersecurity and overall risk factors through audits.
Before moving up a maturity level, it’s crucial for businesses to comprehend their risks fully, the expenses involved in addressing those risks, and the potential consequences if they don’t succeed.
If you’re uncertain about meeting the Essential 8 requirements according to your risk profile, it’s safe to assume that you might not be there yet.
Which maturity level should my business focus on?
Every company has unique needs, so tailored solutions and strategies are necessary. To map out your path towards compliance, the most effective approach is to undergo an IT security assessment. We can conduct this assessment to help you gauge your current level of maturity across each strategy and then implement the necessary practices to align fully with the guidelines.
It’s worth noting that while Essential 8 represents critical technical controls that organisations should uphold, they aren’t the only cybersecurity measures that businesses should adopt. They don’t cover aspects like risk assessments or risk management methods.
What’s the cost of not taking action?
According to the ACSC, the average cost of a cybercrime for a small business is $39,000. It’s $88,000 for a medium business. This doesn’t include potential downtime, reputation damage, having to redo work and data loss.
To find out more about how Essential Eight can help protect your business, watch this video from the ACSC
Complying with Essential 8 is a strong foundation for safeguarding your digital assets, and we’re here to guide you through the process. Additionally, Intuitive IT can assist you with comprehensive cybersecurity strategies and offer bundled security solutions featuring advanced threat detection and protection capabilities.
Contact Intuitive IT today to see how prepared your business is for Essential 8 and how we can help you improve your cybersecurity posture.
About the author
Yener is the founder and Managing Director of Intuitive IT. Prior to running his own business Yener worked for a number of corporate organisations where he gained invaluable experience and skills, as well as an understanding of how IT can complement and improve business outcomes.