This Insight summarises the Essential Eight cyberthreat mitigation strategies and how you can assess their implementation in your business.
What are the Essential Eight?
The Essential Eight are eight strategies for mitigating cybersecurity incidents, created by the Australian Signals Directorate (ASD) to help organisations better protect themselves against cyberthreats.
The ASD is the federal authority responsible for cybersecurity. It runs the Australian Cyber Security Centre (ACSC), which leads the Government’s efforts to improve cyber resilience.
The Essential Eight focus on protecting an organisation’s internet-connected IT networks. The mitigation strategies are:
- Application control
By restricting the use of unauthorised software on systems, your business can mitigate the likelihood of malicious programs being used to access your business records. Often this is done through application control or allow listing software.
- Patch applications
Patch management is the process that identifies, acquires, installs, and verifies patches for products and systems. A patch is a software update designed to fix or improve the software as well as address any present bugs. ‘Patching applications’ is where these patches are systematically implemented to ensure functional and secure updates and fixes are applied across all applications. They prevent cybercriminals from taking advantage of known security vulnerabilities to commit cybercrime.
- Patch operating systems
Patching operating systems is the process of applying patches to operating systems to ensure they are functional, secure and up to date.
- Restrict Microsoft Office macro settings
Microsoft Office macros are often used to automate routine tasks. It is important to restrict the macros your business uses to only vetted macros, to mitigate the likelihood of malicious macros making your system susceptible to a cyberattack.
- User application hardening
User application hardening involves implementing security measures to strengthen software and applications against intrusion. The process involves minimising the ‘attack surface’ cyber actors can use to deploy malicious software. For example, code can be obfuscated to make it deliberately hard for a reader to decipher, and so prevent cybercriminals from gaining access. The aim of this strategy is to increase resistance to common attack vectors, minimising the risk of exploitation and reducing the potential impact of security breaches.
- Restrict administrative privileges
User accounts with administrative privileges are an obvious target for cybercriminals, as they give individuals the ability to make changes to network configurations, bypass security settings, and access, modify or delete sensitive information. If malicious parties gain access to these privileges, your business is at a much higher risk of suffering a cyberattack. Businesses should carefully control and restrict which user accounts have administrative privileges, tailoring access according to each user’s corresponding role within the firm. Users who hold these privileges should not attract attention to this fact.
- Multi-factor authentication
Multi-factor authentication requires users to present two or more pieces of evidence when signing into their account to confirm that they are the intended user. This could be a username and password, a fingerprint or authorisation through a multi-factor authentication application.
- Daily backups
Conducting regular backups of your data and information is easy and essential. Backups can be a useful means of restoring operating systems quickly following a service disruption. Attackers commonly target data backups when committing cybercrimes, so storing backup data ‘offline’, where it can’t be accessed or overwritten, is important.
Essential Eight Assessment Process
The ACSC also offers the Essential Eight Maturity Model which supports the implementation of the Essential Eight by helping businesses identify and plan for a target maturity level suitable to their environment.
The model incorporates three target security maturity levels, ranging from 1 to 3, with 3 representing the highest and most robust level of security maturity. The model also includes a Maturity Level 0, which describes when requirements for Level 1 are not met.
When you assess your organisation’s security maturity under the Essential Eight, you need to consider whether mitigation strategies have been effectively implemented. This is assessed in the context of your business size and the complexity of your operations. Factors impacting whether you have implemented the Eight effectively include:
- whether you have adopted a risk-based approach to the implementation of mitigation strategies;
- your ability to test the mitigation strategies across an accurate representative sample of workstations, servers and network devices;
- the level of assurance gained from assessment activities and any evidence provided; and
- any exceptions from compliance with the Eight and whether they’ve been accepted by an appropriate authority as part of a formal exception process.
The ASD/ACSC proposes standardised assessment outcomes for Essential Eight compliance which are:
- Effective: the organisation is effectively meeting the control’s objective;
- Ineffective: the organisation is not adequately meeting the control’s objective;
- Alternate control: the organisation is effectively meeting the control’s objective through an alternate control;
- Not assessed: the control has not yet been assessed;
- Not applicable: the control does not apply to the system or environment; and
- No visibility: the assessor was unable to obtain adequate visibility of a control’s implementation.
For further information on the Essential Eight and how it can be used by your business, visit the ASD/ACSC’s website here.
Next Steps
The Essential Eight provide businesses with a reliable and tested framework of tools and guidance to help mitigate cyberthreats and attacks. It is important that you review your current cybersecurity strategies and ensure they align with the Essential Eight.
For advice on how your business can be better protected from cyberthreats, contact Sainty Law at lawyers@saintylaw.com.au.