Essential Eight (E8)
 

What is the Essential Eight?

The Essential Eight (sometimes known as the ACSC Essential Eight, the ASD Essential Eight, or just E8) is an Australian cyber security framework published by the Australian Cyber Security Centre (ACSC) in 2017.

While no set of mitigation strategies are guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline makes it much harder for adversaries to compromise systems.

possessed-photography-EuwhpE4tw9Q-unsplash

Essential Eight Objectives

The Essential Eight established eight controls that aim to protect Australian businesses from cyber attacks. Those eight strategies are divided across three primary objectives:

Objective 1: Prevent Cyber Attacks

  1. Patch application vulnerabilities
  2. Application control
  3. User application hardening
  4. Configuring Microsoft Office Macro settings

Objective 2: Limit the Impact of Cyber attacks

  1. Patch operating system vulnerabilities
  2. Restrict Admin access
  3. Implement Multi-Factor Authentication (MFA)

Objective 3: Data Recovery and System Availability

  1. Daily backups.

The Essential Eight Maturity Model

Organisations that implement the Essential Eight can track their compliance through the framework's maturity model, which is comprised of three levels:

  • Maturity Level One - Partly aligned
  • Maturity Level Two - Mostly aligned
  • Maturity Level Three - Fully aligned

Each level can be customised to suit each business' unique risk profile. This allows organisations to identify their current state of compliance so that they understand the specific efforts required to progress through each level.

The Australian Signals Directorate (ASD) recommends that all Australian businesses achieve maturity level three for the optimal malware threat and cyber attack protection.

It's important to understand that the Essential Eight is the minimum baseline of cyber threat protection recommended by the ASD. Organisations are encouraged to augment additional sophisticated data breach prevention solutions to this framework to significantly mitigate the impact of cyberattacks.

Why implement the Essential Eight security controls?

The ACSC’s Essential Eight forms the core of the strategies to mitigate cyber security incidents. Implementing these controls is crucial for any organisation looking to safeguard against targeted cyber intrusions, ransomware, and threats from malicious insiders. This framework not only protects customer data but also ensures compliance with Australian government guidelines.

Is the Essential Eight Mandatory?

Not yet. However, quoting the ASD themselves, "Implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident."

As such, Insicon suspects that the Essential Eight will move from 'nice to have', to 'must have'.

Essential Eight Maturity Model Changes

The November 2023 update to Australia's Essential Eight Maturity Model introduced several important changes aimed at enhancing cyber security practices across organisations. Key updates included:

  • Stricter requirements for patching applications and operating systems, mandating that critical vulnerabilities be addressed within 48 hours and routine vulnerability scans be conducted weekly.
  • Multi-factor authentication (MFA) standards have been tightened, requiring a combination of something users know and something they have, while also emphasising phishing-resistant methods.
  • Additionally, there are new guidelines for managing administrative privileges to ensure better control over sensitive data access.
  • Other notable adjustments involve enhanced application control measures and a focus on user application hardening, including logging command line processes.

These changes reflect a proactive approach to combat evolving cyber threats and encourage organisations to reassess their cyber security strategies to align with the updated model.

Next Steps with the Essential Eight

For organisations feeling overwhelmed by the Essential Eight and its implementation, it's crucial to take that first step towards a more secure future. Start by recognising that you don’t have to navigate this journey alone. Insicon is here to simplify the process and guide you through it. We offer tailored assessments to identify your current cyber security posture and help you prioritise actions based on your specific needs. Our team can break down the Essential Eight into manageable tasks, providing clear roadmaps and support every step of the way.

Let us help you demystify cyber security and empower your organisation to build a robust defence against threats.

Contact Insicon

Speak to one of our experts

Contact Insicon