ESSENTIAL 8
SECURING YOU, YOUR ORGANISATION AND AUSTRALIA
Essential 8 is a set of mitigation strategies, developed and maintained by the Australian Cyber Security Centre (ACSC), that are designed to help organisations of all sizes protect themselves from the online threats that are recognised as being the root cause of most intrusion events and unplanned outages.
Talk to an ExpertCYBER SECURITY FIRST!
Malicious cyber activity is increasing in frequency, scale, and sophistication in Australia and globally. According to the Australian Cyber Security Centre (ACSC) annual cyber threat report, the ACSC receive over hundreds of thousands cybercrime reports every year. This equates to one report every few minutes! Australia is very attractive for cybercriminals by having the highest median wealth per adult in the world.
Key Statistics:
- An increase to over $98 million in financial losses due to BEC, an average loss of $64,000 per report.
- A rise in the average cost per cybercrime report to over $39,000 for small business, $88,000 for medium business, and over $62,000 for large business an average increase of 14%.
- Over 25,000 calls to the cyber security hotline, an average of 69% per day and an increase of 15% from the previous financial year.
- Fraud, online shopping and online banking were the top reported cybercrime types. Ransomware and Business Email Compromise remains the most destructive cybercrime.
THE CONSEQUENCES OF NOT HAVING A STRONG CYBER POSTURE
If your organisation doesn’t take a proactive approach to cyber security and doesn’t comply with regulations, the consequences can be catastrophic. These consequences may be operational, reputational, financial and legal.
- MILLIONS OF DOLLARS IN PENALTIES: The Australian government has significantly raised the maximum penalty of a data breach in 2023!
- FINANCIAL DAMAGE: - DIRECT: ransom payments, cost of investigation, recovery and legal fees - INDIRECT: lost revenue from business disruption, lost customers and reputational damage
- DATA LOSS/THEFT: the loss or theft of sensitive information, including customer data, financial data, intellectual property, and confidential business information, can lead to financial, legal and reputational consequences.
- REPUTATIONAL DAMAGE: a cyber-attack can result in a loss of customer trust and loyalty. This may lead to a decrease in sales, difficulty attracting new customers and long-term brand damage.
- LEGAL CONSEQUENCES: Australia has multiple laws in place that can cause massive legal repercussions for an organisation is not complied with. For example, Privacy Act 1988 (Privacy Act) Commonwealth Criminal Code Act 1995. This can cause a loss of license for regulated businesses.
- BUSINESS DISRUPTION: this can result in downtime, loss of productivity, and ability to serve customers, deliver products/ services, and meet deadlines.
Take the first Step Today Talk to an Expert
HOW TO SECURE AUSTRALIAN’S GOVERNMENT AGENCIES AND DEPARTMENTS WITH ESSENTIAL 8 STRATEGIES
The ACSC and CISO Online recommend that organisations implement eight essential mitigation strategies as a baseline. This baseline, known as the ESSENTIAL EIGHT, makes it much harder for adversaries to compromise systems. With bad actors becoming increasingly smarter in their attack methods, running a cyber security uplift program and security awareness training is more crucial than ever.
What is Essential 8:
The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies to protect organisations against various cyber threats. While no single mitigation strategy is guaranteed to prevent cyber security incidents, the most effective of these mitigation strategies is The Essential Eight. The mitigation strategies that constitute the Essential Eight are:
Prevention
Application control
×
WhatChecking programs against a pre-defined approved list and blocking all programs not on this list. |
WhySo that unapproved programs including malware are unable to start, and preventing attackers from running programs which enable them to gain access or steal data. |
Patch applications
×
WhatApply security fixes/patches for programs within a timely manner. Do not use applications which are out-of-support and do not receive security fixes. |
WhyUnpatched applications can be exploited by attackers and, in the worst case, enable an attacker to completely takeover an application and access all information. |
Configure Microsoft Office macro settings
×
WhatOnly allow Office macros (automated commands) where there is a business requirement and restrict the type of commands a macro can execute. |
WhyMacros can be used to run automated malicious commands that could let an attacker download and install malware. |
User application hardening
×
WhatConfigure key programs (web browsers, office, PDF software, etc) to apply settings that will make it more difficult for an attacker to successfully run commands to install malware. |
WhyDefault settings on key programs like web browsers, Office, PDF software may not be the most secure configuration. Best practices should be followed. |
Containment
Restrict administrative privileges
×
WhatLimit how accounts with the ability to administer and alter key system and security settings can be accessed and used. |
WhyAdministrator accounts are ‘the keys to the kingdom’ and so, controlling their use will make it more difficult for an attacker to identify and successfully gain access. |
Patch Operating Systems
×
WhatApply security fixes/patches for operating systems (e.g. Windows) within a timely manner. Do not use versions of an Operating system which are old and/or not receiving security patches. |
WhyUnpatched operating systems can be exploited by attackers and, in the worst case, enable an attacker to completely takeover an application and access all information. |
Multi Factor Authentication (MFA)
×
WhatA method of validating the user logging in by using additional checks that are separate to a password, such as a code from an SMS/Mobile application or fingerprint. |
WhyMakes it significantly more difficult for adversaries to use stolen user credentials to facilitate further malicious activities. |
Recovery
Regular backups
×
WhatRegular backups of important new or changed data, software and configuration settings, stored disconnected that are then retained for at least three months. Test the restoration process when the backup capability is initially implemented, annually and whenever IT infrastructure changes. |
WhyTo ensure information can be accessed following a cyber-security incident, such as a ransomware incident. |
Essential 8 Maturity Level:
To assist organisations with their implementation of the Essential Eight, four maturity levels have been defined (Maturity Level Zero through to Maturity Level Three). With the exception of Maturity Level Zero, the maturity levels are based on mitigating increasing levels of adversary counterintelligence. The Essential Eight Maturity Model is designed to assist organisations to implement the Essential Eight in a graduated manner based upon different levels of adversary tradecraft and targeting. The different maturity levels can also be used to provide a high-level indication of an organisation’s cyber security maturity.
Essential 8 Maturity Model:
To assist organisations with their implementation of the Essential Eight, four maturity levels have been defined (Maturity Level Zero through to Maturity Level Three). With the exception of Maturity Level Zero, the maturity levels are based on mitigating increasing levels of adversary counterintelligence. The Essential Eight Maturity Model is designed to assist organisations to implement the Essential Eight in a graduated manner based upon different levels of adversary tradecraft and targeting. The different maturity levels can also be used to provide a high-level indication of an organisation’s cyber security maturity.
- Maturity Level Zero
Not aligned with the intent of the mitigation strategy. This maturity level signifies that there are weaknesses in an organisation’s overall cyber security posture. When exploited, these weaknesses could facilitate the compromise of the confidentiality of their data, or the integrity or availability of their systems and data. - Maturity Level One (ML1)
Partially aligned with the intent of the mitigation strategy. This maturity level signifies basic protections in place in an organisation’s overall cyber security posture. That help prevent cyber criminals and other threat actors, using common tools and methods, to break into systems.
- Maturity Level Two (ML2)
Mostly aligned with the intent of the mitigation strategy. This maturity level signifies strategies in place to mitigate a variety of sophisticated security attack that help prevent cyber criminals and other threat actors, using advanced tools and methods.
- Maturity Level Three (ML3)
Fully aligned with the intent of the mitigation strategy. This maturity level signifies that the organisations implement a range of enhanced strategies to ensure anomalous activity can be quickly detected, investigated and mitigated.
What Maturity Level should you aim for?
When implementing the Essential Eight, organisations should identify and plan for a target maturity level suitable for their environment. Generally, Maturity Level One may be suitable for small to medium enterprises, Maturity Level Two may be suitable for large enterprises, and Maturity Level Three may be suitable for critical infrastructure providers and other organisations that operate in high-threat environments.
Essential 8 Implementation:
Organisations should then progressively implement each maturity level until that target is achieved. As the mitigation strategies that constitute the Essential Eight have been designed to complement each other, and to provide coverage of various cyber threats, organisations should plan their implementation to achieve the same maturity level across all eight mitigation strategies before moving onto higher maturity levels. Organisations should seek to minimise any exceptions.
While the Essential Eight can help to mitigate the majority of cyber threats, it will not mitigate all cyber threats. As such, additional mitigation strategies and security controls need to be considered, including those from ISM.
Ready to Deploy? Talk to an Expert
Want to Learn More? Download our E8 eBook
Essential 8 updates:
Adversaries continually evolve their tradecraft to defeat preventative measures that organisations put in place. The ACSC continually learns of advances in adversary tactics, techniques and procedures through its cyber threat intelligence and incident response functions. The ACSC is committed to providing cyber security advice that is contemporary, contestable and actionable. This includes regular updates to the Essential Eight Maturity Model.
Essential Eight implementations may need to be assessed by an independent party if required by a government directive or policy, by a regulatory authority, or as part of contractual arrangements.
DON'T LET CYCYBER CRIMINALS INVADE AUSTRALIA?
WCISO Online is the right pick for your organisation when uplifting your cyber security with Essential 8 because:
- ACSC PARTNERSHIP: we are partnered with the ACSC (Australian Cyber Security Centre), which designed the Essential Eight Framework. The ACSC is the Australian Government’s lead agency for cyber security. This means we will be the first to know about any changes, updates and recommendations on the framework.
- EXPERIENCED: CISO Online has a range of cybersecurity experts who have decades of experience in the field.
- FLEXIBLE: we offer a range of services, packages and options, meaning we are flexible to fit your organisation’s engagement.
- TAILORED: we tailor our approach to meet the specific needs and concerns of our clients rather than taking a one-size-fits-all approach.
- ACCESSIBLE: we are always available! We support you locally and globally.
- PROACTIVE APPROACH: we take a proactive approach rather than a reactive approach, identifying and addressing potential risks before they turn into full-blown security breaches.