Essential Eight cyber security overhaul and how it affects Australian businesses
Developed by the Australian Cyber Security Centre (ACSC) in 2017 to address cyber security threats, the Essential Eight cyber security strategies have been overhauled after government consultation with industry partners. The Essential Eight are about to become compulsory for all 98 non-corporate Commonwealth entities (NCCEs), which will affect how Australia conducts cyber business in the future.
The aim of mandating the Essential Eight is to protect Australia and Australians. So much of our lives, including much of our sensitive information, is now online. New threats have emerged during the pandemic, which has led the government to take swift action and establish a set of principles to help protect consumers and businesses.
While these changes will not be mandatory for businesses that sit outside the NCCEs, the ACSC strongly recommends that businesses follow the Essential Eight to protect their digital assets. It recommends investing resources now rather than dealing with costly and damaging cyber-attacks later.
However, this isn’t the only incentive. The government will audit the NCCEs for compliance, and the NCCEs may in turn be required, under their contracts with other businesses, to check those businesses’ compliance. Businesses that do not comply could therefore lose opportunities.
The Essential Eight mitigation strategies
The Essential Eight are, put simply, eight strategies to mitigate attacks by malicious actors on Microsoft Windows-based networks. They are a baseline for organisations to help protect their digital assets and the privacy of their customers.
In general terms, the Essential Eight are:
A 48-hour timeframe to patch vulnerabilities
Tighter configuration of web browsers to stop malicious code
Tightening administrative privileges
Stopping malicious macros from running in Microsoft Office
Creating a list of approved applications to stop unapproved applications from running
Daily backups of critical data
Keeping operating systems patched and up to date within 48 hours
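As an added illustration (not from the article or the ACSC), the following PowerShell reads the state of three of the listed strategies on a single Windows host and reports them for review; it changes nothing. It assumes the Office Group Policy hive is version "16.0" (Office 2016, 2019 and 365), that the 48-hour patch window is the figure the article gives, and that the built-in cmdlets Get-HotFix and Get-LocalGroupMember are available (Windows 10 / Server 2016 or later). The hotfix age is only a proxy for patch currency: a host can be fully patched and still show no hotfix in the last 48 hours, so that row is flagged for review rather than marked as a failure.

```powershell
# Added example, not from the article or the ACSC: a read-only spot check of three of the
# Essential Eight strategies on one Windows host. It only reports; it changes nothing.
# Assumptions: Office policy hive "16.0" (Office 2016/2019/365); the 48-hour window is the
# article's figure; cmdlets Get-HotFix and Get-LocalGroupMember are present on the host.

function Get-EssentialEightSpotCheck {
    param([int]$PatchWindowHours = 48)

    $findings = @()

    # --- Patching: age of the newest installed hotfix. A proxy only: a fully patched host
    #     may have had no hotfix released in the window, so an old date means "review",
    #     not "non-compliant". ---
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1
    if ($latest) {
        $ageHours = [math]::Round(((Get-Date) - $latest.InstalledOn).TotalHours, 1)
        $patchStatus = 'REVIEW'
        if ($ageHours -le $PatchWindowHours) { $patchStatus = 'OK' }
        $patchObserved = "newest hotfix $($latest.HotFixID) installed $ageHours h ago"
    } else {
        $patchStatus   = 'REVIEW'
        $patchObserved = 'no hotfix history returned by Get-HotFix'
    }
    $findings += [pscustomobject]@{
        Control  = 'Patch operating systems (48h)'
        Observed = $patchObserved
        Status   = $patchStatus
    }

    # --- Office macros: Group Policy values under the per-user Word security key.
    #     VBAWarnings 3 = only digitally signed macros run, 4 = all macros blocked silently;
    #     BlockContentExecutionFromInternet 1 = macros in files from the internet are blocked. ---
    $secKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
    $sec    = Get-ItemProperty -Path $secKey -ErrorAction SilentlyContinue
    $vba    = $sec.VBAWarnings
    $net    = $sec.BlockContentExecutionFromInternet
    $macroStatus = 'FAIL'
    if ((@(3, 4) -contains $vba) -and ($net -eq 1)) { $macroStatus = 'OK' }
    $findings += [pscustomobject]@{
        Control  = 'Block Office macros'
        Observed = "VBAWarnings=$vba BlockContentExecutionFromInternet=$net"
        Status   = $macroStatus
    }

    # --- Administrative privileges: list the local Administrators so the set can be
    #     compared with the approved list; how many is "too many" is the organisation's call. ---
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    $findings += [pscustomobject]@{
        Control  = 'Restrict administrative privileges'
        Observed = "$($admins.Count) members: $($admins.Name -join ', ')"
        Status   = 'REVIEW'
    }

    return $findings
}

# Usage: run in an elevated PowerShell session on the host being checked.
Get-EssentialEightSpotCheck | Format-Table -AutoSize -Wrap
```

The output is one row per control with the raw values observed, so an assessor can record evidence rather than a bare pass/fail; extending the function with rows for application allowlisting or backup status follows the same pattern.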
Previously, NCCEs were only required to implement the top four of the Essential Eight. They will now be required to implement all eight. In the past, they were also able to self-assess their compliance; the new mandate introduces audits to verify it.
The Essential Eight maturity model
The Essential Eight maturity model is essentially a set of compliance levels that applies across all eight mitigation strategies. A new “level zero” has been introduced; this lowest level indicates significant weaknesses in an organisation’s network that need to be addressed. The highest level, level three, indicates a network that is proactive and prepared to ward off sophisticated malicious threats.
In the past, NCCEs could focus on achieving a certain maturity level in any one of the eight strategies, so their levels could vary from strategy to strategy. The new mandate requires them to reach the same level across all eight before progressing to a higher maturity level.
The required maturity level depends on the individual business and its unique circumstances: what is the risk of an attack, and what does the business stand to lose? Once the appropriate target level is established from this risk, organisations should work to achieve it through ongoing review and monitoring.