During the 2022-2023 financial year, nearly 94,000 reports of cybercrime were submitted to ReportCyber. That’s a report every six minutes in Australia. Yet in 2024, 79% of Australian organisations are unprepared for a cyber-attack and the vast majority of cyber incidents, up to 88%, are caused by employee error.
These are just a few of the many keep-you-awake cyber statistics we regularly read about. To address this threat, there are numerous cyber services and solutions for many aspects of cyber risk – but where do you begin? The Essential 8 Cyber Security Framework is a solid starting point.
In this insight, we discuss everything you need to know about the Essential 8, including its benefits and whether compliance is mandatory for your business.
What is The Essential 8?
Back in 2010, a whole generation ago in cyber security time, the Australian Signals Directorate (ASD) published its “Strategies to Mitigate Cyber Security Incidents”, a prioritised list of 35 mitigation strategies. Each strategy carries a Relative Security Effectiveness Rating (RSER) of essential, excellent, very good, good or limited.
Put simply, the “essential” in Essential 8 refers to the eight mitigation strategies with an RSER of essential. When these Essential 8 security strategies are implemented effectively, it’s much harder for adversaries to breach your network. While no mitigation strategies can provide guaranteed protection against all cyber threats, the ASD recommends organisations implement and regularly revalidate the Essential 8 as a baseline.
The updated Essential 8 framework emphasises practical, scalable outcomes that organisations can implement according to their own operational risks. Instead of prescribing rigid technical requirements, it allows a flexible, tailored approach to mitigating the most common cyber security threats. Its eight mitigation strategies include application control, patching of applications and operating systems, and multi-factor authentication, and the focus is now on ensuring each one is implemented, adaptable and effective for organisations of varying sizes and sectors.
The latest ASD Cyber Threat Report (2022-2023) emphasises the persistent threat of cyber attacks on Australia, targeting critical infrastructure, government, businesses and individuals. It notes the rise in ransomware, data breaches and exploitation of vulnerabilities, with 1 in 5 critical vulnerabilities exploited within 48 hours of disclosure. The report underscores the importance of robust cyber security measures, patch management and collaboration between the public and private sectors to bolster resilience. The Essential 8 is grouped into three segments: strategies to prevent cyber attacks, strategies to limit the extent of cyber security incidents, and strategies to recover data and system availability.
Strategies to prevent cyber attacks.
1. Application control: Allow only approved executables, software libraries, scripts and installers to run on workstations and servers. An allowlist of known-good software, rather than a blocklist of known-bad, stops malware delivered by phishing or drive-by download from executing at all.
2. Patch applications: Fix vulnerabilities in applications quickly, with the deadline set by exposure and severity. The maturity model requires patches for internet-facing services to be applied within 48 hours when the vendor rates the vulnerability critical or a working exploit exists, and within two weeks otherwise. Office productivity suites, web browsers, email clients, PDF software and security products get a two-week window, which tightens to 48 hours for critical vulnerabilities at higher maturity levels. The short deadline reflects ASD’s observation that exploitation often begins within 48 hours of a vulnerability becoming public.
3. Configure Microsoft Office macro settings: Macros embedded in Office documents remain a common way to execute malicious code. Disable macros for every user who does not have a demonstrated business need, block macros in files that originated from the internet, keep macro antivirus scanning enabled, and lock the settings so users cannot change them. Where some roles genuinely need macros, allow them on a needs basis for those users only, so exposure is limited to the people who require it.
4. User application hardening: Configure web browsers so they do not process web advertisements or Java content from the internet, and prevent users from changing those settings. Malicious adverts and browser plug-ins are a common delivery path for exploits, so removing them closes that path regardless of which vulnerability is being targeted.
Strategies to limit the impact of cyber attacks.
5. Restrict administrative privileges: Grant administrative rights only to personnel who need them, validate each request when it is made, and keep privileged accounts separate from everyday use: no web browsing or email from an admin account. If an attacker compromises an ordinary user, they inherit only that user’s access, which limits what they can change and how far a breach can spread.
6. Patch operating systems: Apply operating system patches on a defined schedule, with the same 48-hour window for internet-facing servers and network devices when a vulnerability is critical or actively exploited, and replace operating systems the vendor no longer supports. Unpatched or end-of-life systems are the easiest foothold an attacker can find.
7. Multi-Factor Authentication (MFA): The latest maturity model treats MFA as a requirement, not an option. At Level 1 it must protect users of the organisation’s internet-facing services and of third-party services that hold its data; at Level 2 it must also protect privileged users and must combine something the user has with something they know, or something they have that is unlocked by something they know or are. Cloud services, remote access and privileged accounts are the priority, but the goal is MFA for every user across the environment.
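The 48-hour and two-week windows in items 2 and 6 above are easy to state and easy to miss in practice, because the clock starts when the vendor releases the patch, not when your team notices it. The following is an added example, not from the original page or from ASD, of how a team might check a vulnerability register against those windows. The SLA table is an assumption for this illustration: the 48-hour and two-week windows for internet-facing assets follow the text, the one-month window for other assets is assumed, and the exact figures for your target maturity level should be taken from the current ASD maturity model. The register entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed remediation windows, in hours, keyed by (exposure, urgent).
# "urgent" means the vendor rates the vulnerability critical or a working
# exploit exists. Confirm the figures against the current ASD maturity model.
SLA_HOURS = {
    ("internet-facing", True): 48,        # 48 hours (from the text)
    ("internet-facing", False): 14 * 24,  # two weeks (from the text)
    ("internal", True): 30 * 24,          # assumption: one month
    ("internal", False): 30 * 24,         # assumption: one month
}


@dataclass
class Finding:
    ident: str                  # register id; a placeholder, not a CVE
    asset: str
    exposure: str               # "internet-facing" or "internal"
    urgent: bool                # vendor-critical or working exploit exists
    patch_released: datetime    # the clock starts here, not at detection
    patched_at: Optional[datetime] = None  # None = still unpatched


def deadline(f: Finding) -> datetime:
    """Latest acceptable patch time for this finding."""
    return f.patch_released + timedelta(hours=SLA_HOURS[(f.exposure, f.urgent)])


def is_compliant(f: Finding, now: datetime) -> bool:
    """Patched inside the window, or unpatched but the window has not closed yet."""
    if f.patched_at is None:
        return now <= deadline(f)
    return f.patched_at <= deadline(f)


def hours_late(f: Finding, now: datetime) -> float:
    """Hours past the window (0.0 when compliant). Unpatched findings keep accruing."""
    closed_at = f.patched_at or now
    return max(0.0, (closed_at - deadline(f)).total_seconds() / 3600)


def overdue(findings: List[Finding], now: datetime) -> List[str]:
    """Ids of findings that breached their window, worst first."""
    late = [f for f in findings if not is_compliant(f, now)]
    late.sort(key=lambda f: hours_late(f, now), reverse=True)
    return [f.ident for f in late]


# Constructed register entries for the example.
NOW = datetime(2024, 6, 10, 12, 0)
REGISTER = [
    Finding("F-001", "vpn-gateway", "internet-facing", True,
            datetime(2024, 6, 1), datetime(2024, 6, 2, 12)),   # 36 h: inside window
    Finding("F-002", "web-portal", "internet-facing", True,
            datetime(2024, 6, 1), datetime(2024, 6, 4)),       # 72 h: 24 h late
    Finding("F-003", "mail-relay", "internet-facing", False,
            datetime(2024, 5, 20), datetime(2024, 6, 1)),      # 12 days: inside window
    Finding("F-004", "file-server", "internal", True,
            datetime(2024, 5, 1)),                             # unpatched for 40 days
    Finding("F-005", "print-server", "internal", False,
            datetime(2024, 6, 1)),                             # unpatched, still in window
]

if __name__ == "__main__":
    for ident in overdue(REGISTER, NOW):
        f = next(x for x in REGISTER if x.ident == ident)
        print(f"{ident} {f.asset}: {hours_late(f, NOW):.0f} h past window")
```

Note that F-005 is unpatched but not flagged: a finding is only a breach once its window has closed, so a register report should show time remaining as well as time overdue, otherwise an item that is 27 days into a 30-day window looks identical to one patched yesterday.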
Strategies for data recovery.
8. Perform regular backups: Back up data, applications and settings on a schedule that matches how much loss you can tolerate, keep the backups where unprivileged accounts, and privileged accounts other than backup administrators, cannot modify or delete them, and test restoration as part of disaster recovery exercises. A backup that an attacker can encrypt or delete alongside production is not a recovery plan.
Mitigation strategy controls.
In 2024, the maturity model defines Maturity Levels 1, 2 and 3 much more clearly, with Maturity Level 0 indicating that controls are absent or not implemented effectively. Non-corporate Commonwealth entities are required to reach Maturity Level 2; other organisations should choose a target level based on their risk exposure, with higher levels advised where the threat warrants them.
Maturity Level | Mitigation Strategy Controls for MFA |
---|---|
1 | MFA is used by an organisation’s users if they authenticate to their organisation’s internet-facing services. |
1 | MFA is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store, or communicate their organisation’s sensitive data. |
1 | MFA (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store, or communicate their organisation’s non-sensitive data. |
1 | MFA is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services. |
2 | MFA is used to authenticate privileged users of systems. |
2 | MFA uses either: something users have and something users know, or something users have that is unlocked by something users know or are. |
2 | Successful and unsuccessful multi-factor authentications are logged. |
3 | Successful and unsuccessful multi-factor authentications are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected. |
Outside the Essential 8.
Below is a snapshot of some of the 27 remaining mitigation strategies, those with a Relative Security Effectiveness Rating (RSER) below “essential”. This isn’t to suggest they are unimportant; rather, it highlights what the Essential 8 strategies don’t cover and which additional measures can be taken to mitigate the residual risk from targeted attacks.
Mitigation Strategy | RSER |
---|---|
Network segmentation | Excellent |
Web content filtering | Excellent |
Email content filtering | Excellent |
Endpoint detection and response software on all computers | Very good |
Anti-virus software with up-to-date signatures | Limited |
IDS/IPS | Limited |
Is the Essential 8 Mandatory?
Private businesses and enterprises are encouraged to implement the Essential 8, but for them compliance with the framework is voluntary. The Australian Government does mandate it for non-corporate Commonwealth entities, which must implement the Essential 8 to Maturity Level 2 to achieve a “managing” maturity rating. The mandate aims to lift national cyber security and resilience. Private-sector organisations are not yet required by law to comply, but those operating critical infrastructure in particular are increasingly expected to follow suit as a matter of best practice.
Benefits of implementing the Essential 8.
One of the core value propositions of the Essential 8, and it always has been, is that adhering to the maturity model reduces vulnerabilities and improves resilience against advanced persistent threats (APTs), particularly state actors targeting government and critical infrastructure. That matters today, with critical infrastructure being targeted worldwide. The benefits for a business include:
- Robust protection and reduced vulnerabilities: Implementing the Essential 8 helps businesses fortify their defences against many cyber threats, including malware, ransomware and phishing. Regular patching of applications and operating systems closes known security holes before they can be exploited.
- Limited damage and faster recovery: Strategies such as restricting administrative privileges can help contain the damage from a security breach and prevent its spread across the network. Regular backups ensure that businesses can promptly recover lost data and maintain business continuity in the event of data loss due to a cyber incident.
- Reduced losses: By preventing cyber incidents, businesses can avoid the substantial financial losses associated with data breaches, including fines, ransoms, and remediation costs. Swift recovery from cyber incidents minimises operational disruptions, reducing revenue loss due to downtime. Many Essential 8 strategies also assist businesses in meeting legal and regulatory requirements related to data protection and cyber security, potentially avoiding legal penalties.
- Trust and reputation management: Adherence to this gold-standard security framework can enhance a business’s reputation, building trust among customers, partners, and stakeholders.
- Greater employee awareness and responsibility: Implementing the Essential 8 requires the involvement of all staff, promoting awareness and fostering a culture of responsibility regarding cyber security practices. A more educated and vigilant workforce can recognise and respond to cyber threats more effectively.
- Scalable security: The Essential 8 framework allows for scalability and adaptability, enabling businesses to modify security measures in response to evolving threats and organisational changes.
Implementing And Assessing The Essential 8.
The Essential Eight Maturity Model offers a comprehensive guide for implementing Essential 8 strategies based on ASD’s experience with cyber security incidents and threat intelligence. You can assess your implementation using the Essential Eight Assessment Process Guide. Due to the evolving threat landscape, there’s a stronger emphasis on ongoing validation and regular reassessment, ensuring resilience as organisations mature in their security practices. These recent updates stress continuous improvement rather than a one-time assessment, aligning with the modern, iterative cyber security risk management approach.
Unlike a penetration test, an Essential 8 assessment is a qualitative review of how effectively your controls are implemented, not an attempt to break in. The report is produced in a matter of days from interviews with key stakeholders, giving your organisation a low-cost, high-value input to future security decisions.
The report identifies risks and gaps associated with individual controls that don’t meet the required maturity level and translates technical analysis into language that empowers executive and board-level decision-makers. Having an Essential 8 assessment report to underpin and validate your security approach can make a world of difference when allocating funding.
Mitigation Strategy | Current Maturity | Level 1 Controls Implemented | Level 2 Controls Implemented | Level 3 Controls Implemented |
---|---|---|---|---|
Application control | 0 | 0/1 | 1/2 | 3 |
Patch applications | 0 | 4/5 | 4/7 | 3 |
Patch operating systems | 2 | 4/4 | 6/6 | 1 |
Configure Microsoft Office macro settings | 0 | 3/4 | 7/11 | 1 |
User application hardening | 0 | 3/5 | 7/12 | 0 |
Restrict admin privileges | 0 | 1/5 | 1/5 | 0 |
Multi-factor authentication | 0 | 1/4 | 5/7 | 0 |
Perform regular backups | 0 | 1/4 | 3/4 | 1 |
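How the “Current Maturity” column is derived from the control counts is worth making explicit: a maturity level is only achieved when every control at that level and at every lower level is implemented, which is why 4 of 5 Level 1 controls still scores 0, and why patching operating systems is the only row at Level 2. The following is an added example, not from the original page or from ASD, that encodes that rule and reports how many controls each strategy is short of a target level. The Level 1 and Level 2 counts are taken from the table above; Level 3 totals are not given there, so those are recorded as unknown, and treating an unknown level as not achieved is an assumption of this example.

```python
from typing import Dict, List, Optional, Tuple

# (implemented, total) per maturity level, in order ML1, ML2, ML3.
# A total of None means the level's control count is not known.
Counts = Tuple[int, Optional[int]]
Assessment = Dict[str, List[Counts]]

# Level 1 and 2 counts from the table above; Level 3 totals are not in the
# table, so they are recorded as unknown (None).
ASSESSMENT: Assessment = {
    "Application control":                [(0, 1), (1, 2),  (3, None)],
    "Patch applications":                 [(4, 5), (4, 7),  (3, None)],
    "Patch operating systems":            [(4, 4), (6, 6),  (1, None)],
    "Configure Microsoft Office macros":  [(3, 4), (7, 11), (1, None)],
    "User application hardening":         [(3, 5), (7, 12), (0, None)],
    "Restrict administrative privileges": [(1, 5), (1, 5),  (0, None)],
    "Multi-factor authentication":        [(1, 4), (5, 7),  (0, None)],
    "Perform regular backups":            [(1, 4), (3, 4),  (1, None)],
}


def level_achieved(levels: List[Counts]) -> int:
    """Highest N such that all controls at levels 1..N are implemented.
    One missing control at a level, or an unknown total, caps the score
    below that level; that is why 4/5 at Level 1 scores 0."""
    achieved = 0
    for n, (done, total) in enumerate(levels, start=1):
        if total is None or done < total:
            break
        achieved = n
    return achieved


def assess(assessment: Assessment) -> Dict[str, int]:
    """Maturity level per strategy."""
    return {name: level_achieved(levels) for name, levels in assessment.items()}


def overall_maturity(per_strategy: Dict[str, int]) -> int:
    """The eight strategies are meant to be lifted together, so the
    organisation's reported level is the lowest of the eight."""
    return min(per_strategy.values())


def controls_missing(levels: List[Counts], target: int) -> Optional[int]:
    """Controls still to implement to reach `target`, or None when a level
    up to the target has no known total and the gap cannot be sized."""
    missing = 0
    for done, total in levels[:target]:
        if total is None:
            return None
        missing += total - done
    return missing


def gap_report(assessment: Assessment, target: int) -> Dict[str, Optional[int]]:
    """Controls short of `target` for every strategy."""
    return {name: controls_missing(levels, target)
            for name, levels in assessment.items()}


if __name__ == "__main__":
    scores = assess(ASSESSMENT)
    print("Overall maturity:", overall_maturity(scores))
    for name, missing in gap_report(ASSESSMENT, target=2).items():
        print(f"{name}: Level {scores[name]}, {missing} controls short of Level 2")
```

Run against the table, the overall maturity is 0 even though one strategy sits at Level 2, which is the point of scoring it this way: an attacker needs only the weakest of the eight, so a single strategy at Level 0 leaves the organisation at Level 0.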
Kinetic IT helps Australian businesses adopt the Essential 8.
Whether you need to implement a few or all the Essential 8 strategies in your business, getting started can be overwhelming. Kinetic IT’s PROTECT+ cyber security team will streamline the process. They have helped dozens of Australian organisations and government departments assess and implement the Essential 8 framework and achieve compliance and a strong security posture.
We specialise in in-depth vulnerability investigation and assessment, enhancing security posture across organisations through our P+ Security Operations Centre (SOC). Continuous monitoring and threat intelligence are vital in maintaining Essential 8 maturity, especially as cyber threats become more advanced. We leverage connected global intelligence and provide faster attack detection and swift incident resolution. Our P+ SOC ensures the ongoing vigilance needed to detect, respond to, and neutralise threats in real-time, keeping your organisation resilient against evolving cyber threats.