Essential Eight cyber security overhaul and how it affects Australian businesses

Developed by The Australian Cyber Security Centre (ACSC) in 2017 to address cyber security threats, the Essential Eight cyber security strategies have had an overhaul after government consultation with industry partners. The Essential Eight are about to become compulsory for all 98 non-corporate Commonwealth Entities (NCCEs) which will have an impact on how Australia conducts cyber business into the future.

The aim of mandating the Essential Eight is to protect Australia and Australians. So much of our lives are now online, including much of our sensitive information. New threats have emerged due to the pandemic which has led the government to take swift action to establish a set of principles to help protect consumers and businesses.

While these changes will not be mandatory for businesses that sit outside NCCEs, the ACSC highly recommends businesses follow the Essential Eight to protect their digital assets. They recommend investing resources now rather than having to deal with costly and damaging cyber-attacks later.

However, this isn’t the only incentive. The government will be auditing the NCCEs for compliance, and the NCCEs may also require, as part of their contractual obligations with other businesses, to check compliance. This could result in businesses losing opportunities if they do not comply.


The Essential Eight mitigation strategies

The Essential Eight are, put simply, eight strategies to mitigate attacks by malicious actors on Microsoft Windows-based networks. They are a baseline, to be employed by organisations, to help protect their digital assets and the privacy of their customers.

In general terms, the Essential Eight is:

  • A 48hr timeframe to patch vulnerabilities
  • Tighter configuration around web browsers to stop malicious code
  • Tightening administration privileges
  • Stopping malicious macros from running through Microsoft Office
  • Multi-factor authentication
  • Creating a list of approved applications to stop unapproved applications from running
  • Daily backups of critical data
  • Keep operating systems patched/up to date within forty-eight hours

Previously, NCCEs were only required to implement the top four of the Essential Eight. They will now be required to implement all eight. In the past they were also able to self- assess their compliance. The new mandate will introduce audits to check proper compliance.

The Essential Eight maturity model

The Essential Eight maturity model is essentially levels of compliance that sit across all eight mitigation strategies. A new “level zero” has been introduced with this lowest level indicating significant weaknesses in an organisation's network which need to be addressed. The highest level, level three, indicates a network that is proactive and prepared to ward off sophisticated malicious threats.

In the past, NCCEs could focus on achieving a certain maturity level in any one of the eight. They could have varying levels in each of the eight strategies. This new mandate will require them to achieve the same level across all Essential Eight before progressing to a higher maturity level.

The required maturity level depends on the individual business and their unique set of circumstances. What is the risk of an attack and what does the business have to lose? Once the appropriate target level is established based on this risk, organisations should work to achieve it through appropriate reviewing and monitoring.

Security experts can help businesses transition to the Essential Eight. Contact Essential Tech today to find out how they can help secure your digital assets.

Got any Questions?

We listen and learn to understand your business challenges, so we can deliver effective solutions that meet your specific business needs. Speak with an expert now!

Request Quote

Top Tips to Protect your Business Data by Essential Tech Brisbane

Top Tips to Protect your Business Data The most critical issue facing businesses is cyber attacks and threats. Whether it comes... Read article

Is cybersecurity automation really the future?

Is cybersecurity automation the future? In the current technology-driven world, cyber-attacks aren’t the exception anymore, they’re the rule. As more businesses shift... Read article

6 ways malicious automation is a threat to your business

6 ways malicious automation is a threat to your business Society’s continued and increased reliance on online applications and cloud-based systems is creating a... Read article