ESSENTIAL EIGHT (E8)

What is the Essential Eight?

The Essential Eight is an Australian cyber security framework by the Australian Cyber Security Centre (ACSC). This framework, published in 2017, is an upgrade from the original set of 4 security controls by the Australian Signals Directorate (ASD).

While no set of mitigation strategies is guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.

The Essential Eight (sometimes known as the ACSC Essential Eight, the ASD Essential Eight, or just E8) introduced 4 additional strategies to establish the eight controls that aim to protect Australian businesses from cyber attacks.

The eight strategies are divided across three primary objectives:

  1. Prevent attacks
  2. Limit attack impact
  3. Data availability

Essential Eight Compliance

The Essential Eight's strategies are divided across three primary objectives - prevent attacks, limit attack impact, and data availability.

Objective 1: Prevent Cyber Attacks

  1. Patch application vulnerabilities
  2. Application control
  3. User application hardening
  4. Configuring Microsoft Office Macro settings

Objective 2: Limit the Impact of Cyber Attacks

  1. Patch operating system vulnerabilities
  2. Restrict Admin access
  3. Implement Multi-Factor Authentication (MFA)

Objective 3: Data Recovery and System Availability

  1. Daily backups

The Essential Eight Maturity Model

Organisations that implement the Essential Eight can track their compliance through the framework's maturity model, which comprises three levels:

  • Maturity Level One - Partly aligned with mitigation strategy objectives
  • Maturity Level Two - Mostly aligned with mitigation strategy objectives
  • Maturity Level Three - Fully aligned with mitigation strategy objectives

Each level can be customised to suit each business's unique risk profile. This allows organisations to identify their current state of compliance so that they understand the specific efforts required to progress through each level.

The Australian Signals Directorate (ASD) recommends that all Australian businesses achieve maturity level three for optimal protection against malware threats and cyber attacks.

It's important to understand that the Essential Eight is the minimum baseline of cyber threat protection recommended by the ASD. Organisations are encouraged to augment this framework with additional sophisticated data breach prevention solutions to significantly mitigate the impact of cyber attacks.

Why implement the Essential Eight security controls?

The ACSC’s Essential Eight forms the core of the strategies to mitigate cyber security incidents. Implementing these controls is crucial for any organisation looking to safeguard against targeted cyber intrusions, ransomware, and threats from malicious insiders. This framework not only protects customer data but also ensures compliance with Australian government guidelines.

Is the Essential Eight Mandatory?

Not yet. However, quoting the ASD themselves, "Implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident."

As such, Insicon suspects that the Essential Eight will move from 'nice to have' to 'must have'.

Essential Eight Maturity Model Changes

The November 2023 update to Australia's Essential Eight Maturity Model introduced several important changes aimed at enhancing cyber security practices across organisations. Key updates included:

  • Stricter requirements for patching applications and operating systems, mandating that critical vulnerabilities be addressed within 48 hours and routine vulnerability scans be conducted weekly.
  • Tighter multi-factor authentication (MFA) standards, requiring a combination of something users know and something they have, while also emphasising phishing-resistant methods.
  • New guidelines for managing administrative privileges to ensure better control over sensitive data access.
  • Other notable adjustments involve enhanced application control measures and a focus on user application hardening, including logging command line processes.

These changes reflect a proactive approach to combat evolving cyber threats and encourage organisations to reassess their cyber security strategies to align with the updated model.

Next Steps with the Essential Eight

For organisations feeling overwhelmed by the Essential Eight and its implementation, it's crucial to take that first step towards a more secure future. Start by recognising that you don’t have to navigate this journey alone. Insicon is here to simplify the process and guide you through it. We offer tailored assessments to identify your current cyber security posture and help you prioritise actions based on your specific needs. Our team can break down the Essential Eight into manageable tasks, providing clear roadmaps and support every step of the way.

Let us help you demystify cyber security and empower your organisation to build a robust defence against threats.

Take action today—contact Insicon to get started on your Essential Eight journey!