Table of ContentsToggle Table of Content

2024 Guide To Essential 8 Cyber Security Framework.

woman typing on a laptop

During the 2022-2023 financial year, nearly 94,000 reports of cybercrime were submitted to ReportCyber. That’s a report every six minutes in Australia. Yet in 2024, 79% of Australian organisations are unprepared for a cyber-attack and the vast majority of cyber incidents, up to 88%, are caused by employee error.

These are just a few of the many keep-you-awake cyber statistics we regularly read about. To address this threat, there are numerous cyber services and solutions for many aspects of cyber risk – but where do you begin? The Essential 8 Cyber Security Framework is a solid starting point.

In this insight, we discuss everything you need to know about the Essential 8, including its benefits and whether compliance is mandatory for your business.

What is The Essential 8?

Back in 2010 – a whole generation ago in cyber security time—the Australian Signals Directorate (ASD) issued a set of 35 “Strategies to Mitigate Cyber Security Incidents.” Each strategy has a Relative Security Effectiveness Rating (RSER) ranging from essential to excellent, very good, good, and limited.

Put simply, the “essential” in Essential 8 refers to the eight mitigation strategies with an RSER of essential. When these Essential 8 security strategies are implemented effectively, it’s much harder for adversaries to breach your network. While no mitigation strategies can provide guaranteed protection against all cyber threats, the ASD recommends organisations implement and regularly revalidate the Essential 8 as a baseline.

The updated Essential 8 framework emphasises practical, scalable outcomes organisations can implement based on specific operational risks. Instead of prescribing rigid technical requirements, the framework allows for a flexible, tailored approach to mitigating the most common cybersecurity threats. It includes eight essential mitigation strategies: application control, patch management, and multi-factor authentication. The focus is now on ensuring these strategies are implemented, adaptable and effective for organisations of varying sizes and sectors.

The latest ASD Cyber Threat Report (2022-2023) emphasises the persistent threat of cyberattacks on Australia, targeting critical infrastructure, government, businesses, and individuals. It notes the rise in ransomware, data breaches, and exploitation of vulnerabilities, with 1 in 5 crucial vulnerabilities exploited within 48 hours. The report underscores the importance of robust cybersecurity measures, patch management, and collaboration between public and private sectors to bolster resilience. The Essential 8 is divided into three segments, each focusing on strategies to prevent cyber attacks, limit the extent of cyber security incidents, and recover data.

Strategies to prevent cyber attacks.

1. Application control: Implement strict policies to ensure only verified and approved applications can run on systems, effectively reducing the risk of malware infiltration from unauthorised software.

2. Patch applications: Essential 8 suggests patching vulnerabilities within 48 hours for critical systems if an exploit is known. This increases the urgency and reduces the risk window for exploitation.

3. Configure Microsoft Office Macro settings: To mitigate the risk of malicious code execution via embedded macros in Microsoft Office applications, it’s strongly recommended to disable or restrict macros by default. Granular control is essential, with the latest guidance calling for stricter controls and default disablement of macros. However, if disabling is not feasible for specific users, organisations should implement a needs-based approach, tailoring macro access based on specific user roles and requirements. This ensures that only those who need access have it, reducing overall vulnerability to macro-based attacks.

4. User application hardening: Enforce strict browser settings to block unnecessary features like web adverts and untrusted Java content. This prevents the exploitation of vulnerabilities through malicious adverts or harmful code that could compromise security.

Strategies to limit the impact of cyber attacks.

5. Restrict administrative privileges: Limit administrative privileges to essential personnel only, reducing the risk of potential abuse by attackers. This strategy ensures that only authorised users can make critical system changes, significantly minimising the damage a cyber-attack could cause.

6. Patch operating systems: Regularly update and patch operating systems to address security vulnerabilities and protect against new threats. Keeping systems up to date helps prevent attackers from exploiting outdated software.

7. Multi-Factor Authentication (MFA): The latest Essential 8 calls for consistent implementation of MFA across high-risk environments. MFA is no longer seen as optional for admin accounts—it is a must-have across critical systems. MFA should ideally cover cloud-based systems, remote access points, and privileged accounts. So, have it all across the business, environment, and for all users.

Strategies for data recovery.

8. Perform regular backups: Consistently back up crucial data to ensure that information can be quickly restored without significant loss during a cyber attack. Establish a backup schedule and store backups securely to prevent data corruption or theft during an attack.

Mitigation strategy controls.

In 2024, the maturity levels for each control have much clearer definitions for Levels 1, 2, and 3, with Maturity Level 0 representing organisations that still need to implement controls effectively. Organisations are encouraged to implement Level 2 as a baseline (for non-corporate Commonwealth entities), though higher maturity levels are advised depending on risk exposure.

Maturity LevelMitigation Strategy Controls for MFA
1MFA is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.
1MFA is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store, or communicate their organisation’s sensitive data.
1MFA (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store, or communicate their organisation’s non-sensitive data.
1MFA is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.
2MFA is used to authenticate privileged users of systems.
2MFA uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
2Successful and unsuccessful multi-factor authentications are logged.
3Successful and unsuccessful multi-factor authentications are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

Outside the Essential 8.

Below is a snapshot of some of the 27 mitigation strategies with a residual security risk (RSR) that falls below that of the Essential 8. This isn’t to suggest that the other strategies are unimportant; instead, it highlights what the Essential 8 strategies don’t cover and what additional measures can be taken to mitigate the remaining risks from targeted attacks.
Mitigation StrategyRSER
Network segmentationExcellent
Web content filteringExcellent
Email content filteringExcellent
Endpoint detection and response software on all computersVery good
Anti-virus software with up-to-date signaturesLimited
IDS/IPSLimited

Is the Essential 8 Mandatory?

While private businesses and enterprises are encouraged to implement the Essential 8, compliance with the framework is voluntary. However, the Australian government mandates all non-corporate Commonwealth entities to adopt Essential 8 Level 2 mitigations to achieve a managing maturity rating. This mandate aims to improve national cybersecurity and resilience significantly. The private sector, while not yet required by law to comply, especially in critical infrastructure, is increasingly expected to follow suit as part of best practices to bolster its cybersecurity posture.

Benefits of implementing the Essential 8.

One of the core (and always has been) value props for E8 is that adhering to the maturity model reduces vulnerabilities and improves resilience against advanced persistent threats (APT), particularly those from state actors targeting government and critical infrastructure sectors. This is a big deal today, with CI being targeted worldwide.
  • Robust protection and reduced vulnerabilities: Implementing the Essential 8 helps businesses fortify their defences against many cyber threats, including malware, ransomware, and phishing attacks. Regular patching of applications and operating systems closes potential security loopholes, reducing the risk of exploitation by malicious actors.
  • Limited damage and faster recovery: Strategies such as restricting administrative privileges can help contain the damage from a security breach and prevent its spread across the network. Regular backups ensure that businesses can promptly recover lost data and maintain business continuity in the event of data loss due to a cyber incident.
  • Reduced losses: By preventing cyber incidents, businesses can avoid the substantial financial losses associated with data breaches, including fines, ransoms, and remediation costs. Swift recovery from cyber incidents minimises operational disruptions, reducing revenue loss due to downtime. Many Essential 8 strategies also assist businesses in meeting legal and regulatory requirements related to data protection and cyber security, potentially avoiding legal penalties.
  • Trust and reputation management: Adherence to this gold-standard security framework can enhance a business’s reputation, building trust among customers, partners, and stakeholders.
  • Greater employee awareness and responsibility: Implementing the Essential 8 requires the involvement of all staff, promoting awareness and fostering a culture of responsibility regarding cyber security practices. A more educated and vigilant workforce can recognise and respond to cyber threats more effectively.
  • Scalable security: The Essential 8 framework allows for scalability and adaptability, enabling businesses to modify security measures in response to evolving threats and organisational changes.

Implementing And Assessing The Essential 8.

The Essential Eight Maturity Model offers a comprehensive guide for implementing Essential 8 strategies based on ASD’s experience with cyber security incidents and threat intelligence. You can assess your implementation using the Essential Eight Assessment Process Guide. Due to the evolving threat landscape, there’s a stronger emphasis on ongoing validation and regular reassessment, ensuring resilience as organisations mature in their security practices. These recent updates stress continuous improvement rather than a one-time assessment, aligning with the modern, iterative cyber security risk management approach.

Unlike a penetration test, the Essential 8 Assessment uses qualitative research to measure the effectiveness of your security implementation. The report is generated in a matter of days using interview data from key stakeholders, giving your organisation a low-cost, high-value asset to inform future security decisions.

The report identifies risks and gaps associated with individual controls that don’t meet the required maturity level and translates technical analysis into language that empowers executive and board-level decision-makers. Having an Essential 8 assessment report to underpin and validate your security approach can make a world of difference when allocating funding.

RELATED CONTENT: Common cyber security mistakes and 3 simple ways to fix them

Mitigation StrategyCurrent MaturityLevel 1 Controls ImplementedLevel 2 Controls ImplementedLevel 3 Controls Implemented
Application control00/11/23
Patch applications04/54/73
Patch operation systems24/46/61
Configure Microsoft macros03/47/111
User application hardening03/57/120
Restrict admin privileges01/51/50
Multi-factor authentication01/45/70
Perform regular backups01/43/41

Kinetic IT helps Australian businesses adopt the Essential 8.

Whether you need to implement a few or all the Essential 8 strategies in your business, getting started can be overwhelming. Kinetic IT’s PROTECT+ cyber security team will streamline the process. They have helped dozens of Australian organisations and government departments assess and implement the Essential 8 framework and achieve compliance and a strong security posture.

We specialise in in-depth vulnerability investigation and assessment, enhancing security posture across organisations through our P+ Security Operations Centre (SOC). Continuous monitoring and threat intelligence are vital in maintaining Essential 8 maturity, especially as cyber threats become more advanced. We leverage connected global intelligence and provide faster attack detection and swift incident resolution. Our P+ SOC ensures the ongoing vigilance needed to detect, respond to, and neutralise threats in real-time, keeping your organisation resilient against evolving cyber threats.

Relevant Topics.

staff circle 17

LET US ENHANCE YOUR EXPERIENCE.

Get in touch using the form below to discuss a tailored Kinetic IT enterprise solution.

Fill out the form to access this webinar content.

Provide your details to watch this on demand webinar and read the companion guide.

ISG Provider Lens™ ServiceNow Ecosystem Partners 2024 Report.

Name
We respect your privacy and will never share your information. Privacy Policy