ACSC Essential Eight Cyber Security Guidelines & the Maturity Model

While no single set of mitigation strategies is guaranteed to protect against all cyber threats, businesses are recommended to implement eight essential cyber security strategies defined by the ACSC. The ACSC Essential Eight explained.


THE ACSC ESSENTIAL EIGHT EXPLAINED

All businesses operate online, but has your business considered how safe its digital operations are?

Cybersecurity issues are increasing as we continue to rely on the internet, global connectivity and other digital technologies; in fact, there has been a 600% increase in 2021. As you expand your online presence, cybersecurity must be a top priority due to the growing number of cyberattacks.

In Australia, the trend towards increased cyber security compliance is undeniable. Over the past few years, we have seen the introduction of mandatory reporting of data breaches, and businesses are now urged to comply with the ACSC Essential Eight. It is only a matter of time before this becomes mandated for some if not all industries.

The ACSC recommends that all businesses implement the Essential Eight, which is more cost-effective in terms of time, money and effort than responding to a cyber security event. With ransomware being reported every 11 seconds, all businesses are at risk.

The Australian Government, led by the Australian Cyber Security Centre (ACSC), strives to prevent these instances from occurring and to help businesses like yours strengthen their cyber security posture.

As the first line of defence, the Australian Signals Directorate (ASD) and the ACSC developed the Essential Eight.  By complying with the Essential Eight, you will be in the best position to protect your digital assets against an attack.

Breaking News: ACSC issues alert to Australian Businesses to adopt a cyber security strategy & federal government announces a $10 billion investment

What is the ACSC Essential Eight?

While no set of mitigation strategies are guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.

The ACSC Essential Eight is a set of eight prioritised strategies to help businesses protect themselves against cyber attacks. It is aimed at preventing malware delivery, mitigating cyber security incidents and serving as a baseline for organisations to address different cybersecurity risks and defend their systems online.

The Essential Eight is designed to protect Microsoft Windows-based, internet-connected networks.  The Essential Eight Maturity Model supports the implementation of the Essential Eight.

The eight mitigation strategies have been designed to complement each other and to provide coverage across a range of cyber threats:

  1. Application Control
  2. Patch Applications
  3. Patch Operating Systems
  4. Configure Microsoft Office Macro Settings
  5. User Application Hardening
  6. Admin Privilege Restriction
  7. Multi-factor Authentication
  8. Regular Backups

To guide you in the implementation, the ACSC has published a maturity scale that helps measure your business’ alignment with each strategy.

  • Level 0 (Immature) – Not aligned with the mitigation strategy (no compliance)
  • Level 1 (Intermittent) – Partly aligned with the mitigation strategy (low compliance)
  • Level 2 (Committed) – Mostly aligned with the mitigation strategy (medium compliance)
  • Level 3 (Advanced) – Fully aligned (highly protected) (2)

The ACSC provides a minimum cyber security posture which includes reviewing and enhancing detection, mitigation and response measures.

Our recommendation is to undertake a comprehensive cyber audit to assess your vulnerabilities and cyber gaps.

The results will inform the actions and strategy required to mature your cyber security posture so that it at a minimum meets the ACSC Essential Eight requirements but also goes above and beyond.

How to apply the Essential Eight to mature your cybersecurity measures

When implementing the Essential Eight, businesses must first identify a target maturity level that is suitable for their environment and then progressively implement each maturity level until that target is achieved.


ACSC Essential Eight Maturity Levels Explained

The ACSC defined maturity levels so businesses understand what strategies make up the Essential Eight to mitigate different levels of cyber threats (or cyber tradecraft).

There are four maturity levels: Maturity Level Zero through to Maturity Level Three. With the exception of Maturity Level Zero, the maturity levels are based on mitigating increasing levels of adversary tradecraft (i.e. tools, tactics, techniques and procedures).

Level 0

Level 0 indicates weaknesses in your business’s overall cyber security posture. When exploited, these weaknesses could facilitate the compromise of the confidentiality of your data, or the integrity or availability of your systems and data, as described by the tradecraft and targeting in Maturity Level One below.

Level 1

Appropriate for all Australian businesses that do not have significant uptime, data security or financial protection requirements.

Level 1 maturity indicates your business has a basic level of security to protect itself against a common attack. This maturity level focuses on adversaries who use easily accessible methods to gain control of systems. They may take advantage of common techniques or tools, such as publicly-available exploits or stolen credentials, to gain access. Instead of targeting specific victims, these adversaries look for any vulnerable target and exploit common weaknesses. They often use social engineering techniques to trick users into compromising system security, such as through malicious Microsoft Office macros. If they gain access to an account with special privileges, they will exploit it. Depending on their goals, they may even destroy data, including backups.

Level 2

Appropriate for all Australian businesses that do not have significant uptime, data security or financial protection requirements.

Level 2 maturity protects against adversaries operating with a modest step-up in capability from Maturity Level 1.

This maturity level focuses on adversaries with slightly advanced capabilities compared to the previous level. They invest more time and effort to bypass security controls and avoid detection. They target credentials through phishing, employ social engineering techniques, and exploit weak multi-factor authentication. These adversaries are selective in their targets but still conservative in their investments. They deceive users with successful phishing attacks and exploit system vulnerabilities like Microsoft Office macros. They exploit accounts with special privileges and may destroy accessible data, including backups.

Level 3

Appropriate for mid-sized and larger businesses with multiple critical systems and large amounts of personally identifiable information or financial data.

This maturity level focuses on adversaries who are highly adaptive and rely less on public tools and techniques. They take advantage of weaknesses in their target’s cybersecurity, such as outdated software or inadequate monitoring, to extend their access, evade detection, and strengthen their presence. They quickly utilize newly available exploits and other techniques to improve their chances of success.

These adversaries are often more focused on specific targets and are willing to invest effort in bypassing unique security controls and policies. For instance, they employ social engineering to deceive users into opening malicious documents and assist in bypassing security measures. They may also steal authentication token values to bypass stronger multi-factor authentication. Once they gain a foothold, adversaries aim to acquire privileged credentials, explore other network areas, and cover their tracks. Depending on their goals, they may even destroy all data, including backups.

ACSC Essential Eight Self Assessment

Take our self-assessment to help you understand your cyber security posture in relation to the Essential 8 maturity model.

Is the ACSC Essential Eight mandatory for Australian businesses?

This is rapidly evolving, so here are the links to the most recent information:

  • The Australian Department of Home Affairs has recently made amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act). On 2 December 2021, the SOCI Act was amended to apply obligations to certain assets, including new assets defined in the SOCI Act and the Asset Definition Rules.
  • The Security of Critical Infrastructure Act 2018 mandates cyber incident reporting for critical infrastructure assets. Critical infrastructure owners and operators are required to report a cyber security incident if they are captured by the critical infrastructure asset definitions.
  • The Protective Security Policy Framework (PSPF), administered by AGD, mandates that all non-corporate Commonwealth entities implement four specific Essential Eight mitigation strategies (known as the Top Four) and strongly recommends the adoption of the entire Essential Eight. Learn more: ACSC Essential Eight Cyber Security Guidelines & the Maturity Model and ACSC Strategies to mitigate cyber security incidents.
  • Since 2018, it has been mandatory for all businesses with an annual turnover of at least $3 million to report data breaches to the OAIC, whether or not they have embraced the Essential Eight framework.

Becoming compliant with the ACSC Essential Eight

KMT empowers Australian businesses with our comprehensive managed cyber security service.  Our comprehensive attack surface monitoring service provides a complete cyber security solution to protect your business from most cyber threats.

Essential Eight Frequently Asked Questions

What ACSC Essential Eight maturity level should I target?

  • Maturity Level One is generally suitable for small to medium enterprises.
  • Maturity Level Two is suitable for large enterprises.
  • Maturity Level Three may be suitable for critical infrastructure providers and other organisations that operate in high threat environments.

Kaine Mathrick Tech can help you achieve Maturity Level 1 or 2.

Summary
Article Name
ACSC Essential 8 everything you need to know
Description
While no one set of mitigation strategies are guaranteed to protect against all cyber threats, businesses are recommended to implement eight essential cyber security strategies defined by the ACSC. The Essential Eight explained.
Author
Publisher Name
Kaine Mathrick Tech
Publisher Logo

What is an internet-facing server?

An internet-facing server is any server that is directly accessible over the internet.


Does the ACSC provide a list of approved products for implementing the Essential Eight?

  • No. Kaine Mathrick Tech has a comprehensive managed cyber security service that can help achieve Maturity Level 1 or 2 depending on your requirements.

What industries does the Essential Eight apply to?

The Australian Signals Directorate recommends all Australian Government entities and Australian businesses implement the Essential Eight framework for best cybersecurity practice.


Mitigation strategies to reduce vulnerability to cyber threat

When implementing a mitigation strategy, first implement it for high risk users and computers such as those with access to important (sensitive or high-availability) data and exposed to untrustworthy internet content, and then implement it for all other users and computers. Organisations should perform hands-on testing to verify the effectiveness of their implementation of mitigation strategies.

In order of priority, the ACSC recommends that businesses implement strategies that mitigate the following cyber risks:

  1. Cyber intrusions and other external threats that steal data
  2. Ransomware and threat actors who destroy data and prevent computers and networks from working
  3. Malicious employees who steal data
  4. Malicious employees who destroy data and prevent computers and networks from working

Start with threats of most concern to the organisation. In each of the following phases, businesses need to implement mitigation strategies to:

Targeted cyber intrusions (advanced persistent threats) and other external adversaries who steal data:

    1. prevent malware delivery and execution
    2. limit the extent of cyber security incidents
    3. detect cyber security incidents and respond.

Ransomware and external adversaries who destroy data and prevent computers/networks from functioning:

    1. recover data and system availability
    2. prevent malware delivery and execution
    3. limit the extent of cyber security incidents
    4. detect cyber security incidents and respond.

Note that ‘Hunt to discover incidents’ is less relevant for ransomware that immediately makes itself visible.

Malicious insiders who steal data:

    1. limit the extent of cyber security incidents
    2. detect cyber security incidents and respond.

Note that technical mitigation strategies provide incomplete security since data could be photographed or otherwise copied from computer screens or printouts, or memorised and written down outside of the workplace.

Malicious insiders who destroy data and prevent computers/networks from functioning:

    1. recover data and system availability
    2. limit the extent of cyber security incidents
    3. detect cyber security incidents and respond.

The ACSC strongly recommends that businesses implement the Essential Eight mitigation strategies as a baseline.

However, Kaine Mathrick Tech recommends that all security, IT and business leaders think about their cyber security even more holistically and take it further by considering these additional factors:

  1. Make backing up a part of your everyday business and implement a quality backup strategy or a Backup as a Service.
  2. Protect your office equipment from malware with antivirus software, application management, encryption and access control, and by ensuring hardware is current.
  3. Mobile device security to protect mobile assets.
  4. Strong password protection and multi-factor authentication.
  5. Network security and SIEM.

What actions should I take to improve my cyber posture?

Our recommendation is to undertake a comprehensive cyber security strategy that at a minimum meets the ACSC Essential Eight requirements but also goes above and beyond.

The ACSC Essential Eight outlines a minimum set of preventative measures; businesses must implement additional measures where warranted by their environment. Furthermore, whilst the Essential Eight can help mitigate the majority of cyber threats, it will not mitigate all of them. As such, additional mitigation strategies and security controls should be considered.

Actions such as:

  1. Patching applications and devices.
  2. Implementing mitigations against phishing and spear-phishing attacks.
  3. Ensuring that logging and detection systems are fully updated and functioning.
  4. Reviewing incident response and business continuity plans.

Conclusion & Next Steps

Combining the experience of a dedicated cyber security team, as well as hands-on security specialists, Kaine Mathrick Tech has one of the most mature and highly credited managed cyber security solutions in Australia.

A comprehensive cyber security strategy and implementation plan will help ensure your business has the most appropriate people, processes and technology to help you mitigate, or at worst recover fast from, a cyber attack.

Here are resources that may assist you to improve your cyber security posture:

Step 1: Current state of cyber security posture

Take our Essential Eight self-assessment to see how aligned your business is with the ACSC maturity models.

Step 2: Step up your maturity level goal

Identify and plan for a target maturity level suitable for your environment. Download our Essential Eight Explained eBook for details of each maturity level, and refer to Essential Eight Assessment Explained for conducting an assessment.

Step 3: Implement essential mitigation strategies

Progressively implement each maturity level until the target is achieved. Visit our cyber security learning centre with the checklist to help you implement mitigation strategies aligned with Maturity Level Two.


Reference

  1. “Australian organisations encouraged to urgently adopt an enhanced cyber security posture” Source: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model
  2. “Gartner Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem”
