Diamond IT Blog

Unpacking the ACSC's Essential Eight

Written by Samantha Cordell | May 9, 2022

Everywhere you turn, there is a new message about the state of cyber security and the threat level facing Australian businesses.

Regardless of the size of your business, planning and successfully executing a robust cyber security strategy can easily become overwhelming, and for this reason, the Australian Cyber Security Centre (ACSC) and the Australian Signals Directorate (ASD) have developed several initiatives to help organisations improve their cyber security.

The most effective of these initiatives is known as the Essential Eight.

Let's begin to unpack some of the common questions we receive from our customers regarding the Essential Eight cyber security initiative.

 

What is the Essential Eight?

The Essential Eight are Strategies to Mitigate Cyber Security Incidents and act as a baseline to help organisations protect themselves against various cyber threats. This baseline makes it much harder for cybercriminals to compromise systems.

According to the ACSC, they focus on Microsoft-based and Internet-based applications. The controls are divided into eight domains.

 

What are the Essential Eight domains?

Broken down into three subcategories, the Essential Eight Strategies to Mitigate Cyber Security Incidents includes:

Mitigation strategies to prevent malware delivery and execution

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening

Mitigation strategies to limit the extent of cybersecurity incidents

  1. Restrict administrative privileges
  2. Patch operating systems
  3. Multi-factor authentication

Mitigation strategies to recover data and system availability

  1. Daily backups

What are the Essential Eight Maturity Levels?

The Essential Eight Maturity Model is designed to assist organisations to implement the Essential Eight in a graduated manner based on different levels of adequacy and targeting. The different maturity levels can also be used to provide a high-level indication of an organisation’s cyber security maturity.

  • Maturity Level One - Partially aligned with mitigation strategy objectives.
  • Maturity Level Two - Mostly aligned with mitigation strategy objectives.
  • Maturity Level Three - Fully aligned with mitigation strategy objectives.

As the mitigation strategies that constitute the Essential Eight have been designed to complement each other, and to provide coverage of various cyber threats, organisations should plan their implementation to achieve the same maturity level across all eight mitigation strategies before moving onto higher maturity levels.

 

The Australian Signals Directorate (ASD) recommends that all Australian businesses achieve maturity level three for the optimal malware threat and cyberattack protection.

 

Scratching the surface of robust security practices

The ACSC exists to "help make Australia the most secure place to connect online" and provides advice and information about how to protect your business. If you are unsure where to start to ensure your cyber security strategy for this year is fit-for-purpose, the ACSC's website is a great place to start.

This said organisations should not look at the Essential Eight as a tick box list, as the cyber threat landscape continues to evolve and cybercriminals continue to change the methods they use to attack organisations. The Essential Eight should be viewed as a continual improvement exercise to assess and develop baseline mitigation strategies.

Coupled with the strategies provided by the Essential Eight, we recommend that all businesses speak with their technology provider to ensure that their cyber security defences include the following modern protection solutions:

 

How Diamond IT can support your cyber security strategy

The Diamond IT team specialise in reviewing cyber security strategies to ensure they are fit-for-purpose, align with government recommendations, and include the necessary defences required to best protect your business from malicious threats. 

Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cybersecurity and are ready to speak with you. Contact our team on 1300 307 907 today.