Guide to the Essential Eight cyber security framework

Cyber crime has increased to an incident reported every seven minutes in Australia. Yet more than 50% of all businesses are not fully prepared for a cyber-attack, and 95% of cyber security breaches are caused by human error. These are just a few of the many keep-you-awake cyber statistics we regularly read about. To address this threat, there are numerous cyber services and solutions for many different aspects of cyber risk – but where do you begin? A solid starting point is the Essential Eight cyber security framework. In this insight, we discuss everything you need to know about the Essential Eight, including its benefits and whether compliance is mandatory for your business.

What is the Essential Eight?

Back in 2010 – a whole generation ago in cyber security time – the Australian Signals Directorate (ASD) issued a set of 35 “Strategies to Mitigate Cyber Security Incidents”. Each of the 35 strategies has a Relative Security Effectiveness Rating (RSER) ranging from essential to excellent, very good, good, and limited. Put simply, the “essential” in Essential Eight refers to the eight mitigation strategies which have an RSER of essential. When these Essential Eight security strategies are implemented effectively, it’s much harder for adversaries to breach your network. While no set of mitigation strategies can provide guaranteed protection against all cyber threats, the ASD recommends that organisations implement and regularly revalidate the Essential Eight as a baseline.

The Essential Eight is broken down into three segments, focusing on strategies to prevent cyber attacks, limit the extent of cyber security incidents, and recover data.

Strategies to prevent cyber attacks

1. Application control: Allows only approved applications to run.

2. Patch applications: Regularly updating software and applications.

3. Configure Microsoft Office Macro settings: Restricts the execution of macros.

4. User application hardening: Blocks web ads and untrusted Java code on the internet.

Strategies to limit the impact of cyber attacks

5. Restrict administrative privileges: Limits powerful access to essential personnel only.

6. Patch operating systems: Keeps operating systems up to date.

7. Multi-Factor Authentication (MFA): Requires at least two forms of identification before granting access.

Strategies for data recovery

8. Perform regular backups: Ensures that crucial data is regularly backed up and can be easily recovered.

Mitigation Strategy Controls

Each Essential Eight mitigation strategy has several security controls, or requirements, which are used to determine its maturity level. As an example, below is a list of all the security controls for MFA. To be assessed as meeting the requirements of a maturity level, your organisation needs to implement all the controls for each mitigation strategy up to and including that maturity level.

| Maturity Level | Mitigation Strategy Controls for MFA |
|---|---|
| 1 | MFA is used by an organisation’s users if they authenticate to their organisation’s internet-facing services. |
| 1 | MFA is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store, or communicate their organisation’s sensitive data. |
| 1 | MFA (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store, or communicate their organisation’s non-sensitive data. |
| 1 | MFA is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services. |
| 2 | MFA is used to authenticate privileged users of systems. |
| 2 | MFA uses either: something users have and something users know, or something users have that is unlocked by something users know or are. |
| 2 | Successful and unsuccessful multi-factor authentications are logged. |
| 3 | Successful and unsuccessful multi-factor authentications are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected. |

Outside the Essential Eight

For context, below is a snapshot of some of the 27 mitigation strategies with an RSER below that of essential. This is not to say that the other 27 mitigation strategies are not important. It’s purely intended to highlight what the Essential Eight are not, and what can subsequently be tackled to mitigate the remaining risk from targeted attacks.

| Mitigation Strategy | RSER |
|---|---|
| Network segmentation | Excellent |
| Web content filtering | Excellent |
| Email content filtering | Excellent |
| Endpoint detection and response software on all computers | Very good |
| Anti-virus software with up-to-date signatures | Limited |
| IDS/IPS | Limited |

Is the Essential Eight mandatory?

While private businesses and enterprises are encouraged to implement the Essential Eight, compliance with the framework is not currently mandated for them. However, the Australian government has mandated compliance for all government agencies and departments. All non-corporate Commonwealth entities must implement Essential Eight maturity level two mitigations to achieve a managing maturity rating. The change is expected to significantly improve cyber security and resilience in Australia.

Benefits of implementing the Essential Eight

Implementing the Essential Eight is not just about complying with a standard but about ingraining cyber security into the fabric of your operations. The framework has extensive benefits, ranging from greater security and risk management to financial savings and reputation enhancement.

  • Robust protection and reduced vulnerabilities: Implementing the Essential Eight helps businesses fortify their defences against a multitude of cyber threats, including malware, ransomware, and phishing attacks. Regular patching of applications and operating systems closes potential security loopholes, reducing the risk of exploitation by malicious actors.
  • Limited damage and faster recovery: Strategies such as restricting administrative privileges can help in containing the damage from a security breach, preventing its spread across the network. Regular backups ensure that, in the event of data loss due to a cyber incident, businesses can promptly recover the lost data and maintain business continuity.
  • Reduced losses: By preventing cyber incidents, businesses can avoid the substantial financial losses associated with data breaches, including fines, ransoms, and the costs of remediation. Swift recovery from cyber incidents minimises operational disruptions, reducing the loss of revenue due to downtime. Many Essential Eight strategies also assist businesses in meeting legal and regulatory requirements related to data protection and cyber security, potentially avoiding legal penalties.
  • Trust and reputation management: Demonstrating adherence to this gold-standard security framework can enhance the reputation of the business, building trust among customers, partners, and stakeholders.
  • Greater employee awareness and responsibility: Implementing the Essential Eight requires the involvement of all staff, promoting awareness and fostering a culture of responsibility regarding cyber security practices. A more educated and vigilant workforce can recognise and respond to cyber threats more effectively.
  • Scalable security: The Essential Eight framework allows for scalability and adaptability, enabling businesses to modify their security measures in response to evolving threats and organisational changes.

Implementing and assessing the Essential Eight

The Essential Eight Maturity Model outlines all the requirements for the implementation of the Essential Eight, based on the ASD’s experience in managing cyber security incidents and threat intelligence. Once you have implemented the Essential Eight, it can be assessed using the Essential Eight Assessment Process Guide. Unlike a penetration test, an Essential Eight Assessment does not physically or logically touch your network or systems in any way. Rather, the assessment is carried out via a series of interviews with key stakeholders. The Essential Eight Assessment will then rate your organisation’s effectiveness in implementing each of the eight mitigation strategies against its controls.

This can be summarised and reported as seen in the table below. An entire assessment and report production can take as little as a few days to complete, so it is a low-cost, high-value insightful asset. For each of the eight mitigation strategies, the Essential Eight Assessment Report will also describe the risks associated with the individual controls that are not implemented to the required maturity level. Quotes can then be obtained, and costs calculated to mitigate against the identified risks.

While the language of an Essential Eight Assessment will be technical and low-level in nature, it can be used to underpin and validate an Executive or Board Level Security Risk Report. As a starting point, this ensures it is made very clear to Executive Management and Board Members what the organisational security gaps are against an industry-recognised standard, along with ownership of the risks associated with choosing not to commit funds to address the gaps.

| Mitigation Strategy | Current Maturity | Level 1 Controls Implemented | Level 2 Controls Implemented | Level 3 Controls Implemented |
|---|---|---|---|---|
| Application control | 0 | 0/1 | 1/2 | 3 |
| Patch applications | 0 | 4/5 | 4/7 | 3 |
| Patch operating systems | 2 | 4/4 | 6/6 | 1 |
| Configure Microsoft macros | 0 | 3/4 | 7/11 | 1 |
| User application hardening | 0 | 3/5 | 7/12 | 0 |
| Restrict admin privileges | 0 | 1/5 | 1/5 | 0 |
| Multi-factor authentication | 0 | 1/4 | 5/7 | 0 |
| Perform regular backups | 0 | 1/4 | 3/4 | 1 |

Kinetic IT’s PROTECT+ helps Australian businesses implement the Essential Eight

Whether you need to implement a few or all the Essential Eight strategies in your business, it can be overwhelming when getting started. Kinetic IT’s PROTECT+ cyber security team will streamline the process, having helped dozens of Australian organisations and government departments to assess and implement the Essential Eight framework and achieve compliance and a strong security posture.

We specialise in in-depth investigation and assessment of vulnerabilities, strengthening security posture across entire organisations, leveraging connected global intelligence for faster attack detection, and speedy incident resolution through our local Security Operations Centre (SOC). 

Get in touch with us for a chat about how you can start implementing the Essential Eight in your business.