Essential 8: Where to Start

The Essential Eight, introduced by the Australian Signals Directorate, is a set of security mitigation strategies that can help all organisations, not just government and NFP, strengthen their cybersecurity. However, these strategies are important, but they are just a starting point.

The Essential Eight which is focused on Application control, office macros, user application hardening, restrict administrator privileges, patching of both your applications and operating systems, multi-factor authentication and regular backups is about mitigating the risk of a cyberattack through preventative countermeasures.

Organisations also need tools, policies, and procedures to mitigate the risk of data theft from insiders, business email compromise and phishing attacks. While government agencies can face more exotic and sophisticated attacks from nation-state threat actors, the common types of attacks can be rendered ineffective or minimised by following the Essential Eight strategies.

ALL ESSENTIAL EIGHT STRATEGIES ARE TO BE TREATED EQUAL

All aspects of the Essential Eight are to be considered equally important to implement as the strategies are complimentary of each other. If an organisation decides to implement application control to a standard but chooses to ignore applying critical patches then the effectiveness of the implemented strategy is undermined. It is acknowledged that you are only as good as your weakest link.

With the above in consideration, it is advised that anyone choosing to pursue Essential Eight alignment does so in a phased approach, target maturity level 1 in all areas before making the step for increased security with maturity level 2. In the journey to achieve maturity level 1 organisations will need to decide what data is important to them, what they define as privileged access and gain an understanding of their internet facing assets.

Remember, the Essential Eight is a security baseline that makes it harder for adversaries to potentially compromise your environment.

THE ESSENTIAL EIGHT IS A CONTINUOUS IMPROVEMENT PROGRAM

Organisations need to stop looking at the Essential Eight as a task list. They need to see it as a continuous improvement program. Threat actors are continually changing the tools and methods they use to attack organisations and the thread landscape is continuously evolving.

Once the organisation has completed its initial program of work to achieve Essential 8 compliance, resources need to be allocated to maintain compliance. Security and risk management is an ongoing activity. While a server or application may be deemed safe today, regular patching is required to ensure that newly discovered vulnerabilities are applied promptly. Ensuring that backups are securely stored and tested requires similar vigilance to provide assurance that your data will not fall victim to ransomware attacks.

For this to happen, compliance with the Essential Eight needs to transition from being a program of work into a business-as-usual activity. There need to be processes and procedures to ensure new applications are deployed after they are hardened and allow- , with defined mechanisms for keeping them updated and with limited lateral access so they can only be used in prescribed ways. And it will require people dedicated to ensuring that compliance is maintained in the long term as environments evolve.

An effective cybersecurity strategy requires people, processes and technology working in concert. Successfully implementing the Essential Eight requires careful consideration of business activity, the capability of your technology and risk teams and the use of effective risk management so you invest time, money, and effort where it makes the most sense. Engaging with experienced and trusted partners for advice can be a valuable investment.

WHERE TO START

Each of the controls described in the Essential Eight is specific in its scope. Did you know that the Australian Cyber Security Centre posts some great Essential Eight guides to get you started on your journey.

The Essential 8 Assessment offers a sound set of strategies that can be used by almost any organisation. But cybersecurity is about constant vigilance and that means having systems in place to ensure that compliance is not just a point in time result but maintained continuously. As cyber-attacks increase in frequency, velocity, complexity, and scale and affect organisation’s reputation, profitability and service provision, being cyber secure is a crucial part of daily organisational operations.

If you have any questions about the Essential Eight and how it could be implemented in your company reach out to speak to one of experts on the matter.