What Is the Essential 8 Security Model?

Cybercrime is increasing in severity and scale across Australia. In its 2022 report, the Australian Cyber Security Centre (ACSC) revealed that businesses had incurred more than $33 billion in total losses from cybercrime throughout the year. The ACSC received more than 67,500 reports of cybercrime in 2020-22, equal to a report coming in every eight minutes. With the risk of cyber attacks ever-growing, Australian businesses must proactively improve their defences - or risk reputational and financial damage. To help companies improve their cyber security posture, the ACSC has designed the Essential Eight. Below, we’ll explain what the Essential Eight is, how it works and how your company can implement it.

What Is the ACSC Essential Eight?

The Essential Eight was released in 2017. It is an evolution of the Australian Signals Directory’s (ASD) Top Four recommendations. The Essential Eight features eight strategies designed to reduce the likelihood of malware attacks, limit the impact of cyber security incidents and ensure data and system availability. The eight controls are:

  • Application Control: Only approved and trusted applications should be safelisted.
  • Application Patching: Applications with severe vulnerabilities should be patched within 48 hours. Applications should be updated to the latest version as soon as possible.
  • Restrict Administrative Privileges: Users should only be able to access applications and documents that they need to do their job. User privileges should be reviewed regularly.
  • Patch Operating Systems: Operating systems with severe vulnerabilities should be patched within 48 hours. Organisations should not use unsupported systems.
  • Configure Microsoft Office Macro Settings: Macro settings should be configured to block macros from the internet.
  • Using Application Hardening: Web browsers should block Flash, ads, and Java.
  • Multi-Factor Authentication: All users with privileged access should use multi-factor authentication.
  • Regular Backups: Important data, applications and software should undergo backups every day.

Why Should My Company Implement the Essential Eight?

Many small businesses hope that they can ‘fly under the radar’ - that they won’t be appealing to cyber-attackers and thus are more protected from being breached. Unfortunately, this is far from the case. A 2019 ACSC Small Business Cyber Security Survey found that 62% of small businesses reported having previously been a victim of a cyber security incident. Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure”. This saying has a lot of weight in today’s cyber landscape. The cost of a breach is likely to hugely outweigh the cost of implementing foundational cyber security controls.However, many small and medium-sized businesses don’t have the internal knowledge to effectively implement cyber security controls. This is exactly what the Essential Eight can assist with. It offers businesses foundational guidance that can help protect against the most common cyber attacks.

How Can My Business Implement the Essential Eight?

To help organisations get started with the Essential Eight, the ACSC recently released the Essential Eight maturity model. The model uses a scoring system - from 0 to 3 - to help organisations understand their current level of security maturity and the steps they need to take to become more resilient. The maturity levels are defined as:

  • Maturity Level Zero: Not aligned with the strategy
  • Maturity Level One: Partly aligned with the strategy
  • Maturity Level Two: Mostly aligned with the strategy
  • Maturity Level Three: Fully aligned with the strategy

All organisations should aim to reach Maturity Level Three to ensure maximum cyber security protection.

How Can I Improve My Maturity Level?

Once you have identified your maturity level, you can start implementing controls that will improve your cyber security posture. The mitigation strategies in the Essential Eight complement each other, so you should focus on all eight controls holistically rather than choosing only to implement one or two. It’s worth noting, also, that the essential eight offers organisations a minimum set of preventative measures. Even companies at Maturity Level Three are not exempt from all cyber attacks. We recommend combining the Essential Eight with other security controls and mitigation strategies to ensure comprehensive coverage. This, of course, will depend on the sector in which you operate and the type of data you handle. Medical organisations, for example, that must comply with RACGP will need to go above and beyond the Essential Eight to ensure data security. While it’s not a silver bullet, reaching Maturity Level Three will help organisations to defend against the most common cyber attacks today.

We’re Here to Help You Secure Your IT Data & Network

We help small and medium-sized businesses improve their cyber security maturity across multiple sectors. Our expert consultants are on hand to assist, starting with a free business IT Audit to review your network security and offer helpful suggestions to reduce risk. To learn more about how Xpresstex managed IT services can help you, please call us on 1 300 991 030. You can also find out more by clicking the link below.

XpressteX Managed IT Services

Book A Consultation