
ACSC Essential Eight Cyber Security Guidelines & the Maturity Model

While no single set of mitigation strategies is guaranteed to protect against all cyber threats, businesses are recommended to implement the eight essential cyber security strategies defined by the ACSC. The Essential Eight explained.


THE ACSC ESSENTIAL 8 EXPLAINED

All businesses operate online, but has your business considered how safe its digital operations are?

Cybersecurity issues are increasing as we continue to rely on the internet, global connectivity and other digital technologies; in fact, there has been a 600% increase in 2021. As you expand your online presence, cybersecurity must be a top priority due to the growing number of cyberattacks.

In Australia, the trend towards increased cyber security compliance is undeniable. Over the past few years, we have seen the introduction of mandatory reporting of data breaches, and businesses are now urged to comply with the ACSC Essential Eight. It is only a matter of time before this becomes mandated for some if not all industries.

The ACSC recommends that all businesses implement the Essential Eight, which is more cost-effective in terms of time, money and effort than responding to a cyber security event. With ransomware being reported every 11 seconds, all businesses are at risk.

The Australian Government, led by the Australian Cyber Security Centre (ACSC), strives to prevent these instances from occurring and to assist businesses like yours to strengthen their cyber security posture.

As the first line of defence, the Australian Signals Directorate (ASD) and the ACSC developed the Essential Eight.  By complying with the Essential Eight, you will be in the best position to protect your digital assets against an attack.

What is the ACSC Essential Eight?

The ACSC Essential Eight is a set of eight prioritised strategies to help businesses protect themselves against a cyber attack.

It is aimed at preventing malware delivery and mitigating cyber security incidents, and serves as a baseline for organisations to address different cybersecurity risks and defend their systems online.

The Essential Eight is designed to protect Microsoft Windows-based, internet-connected networks.

The Essential Eight Maturity Model supports the implementation of the Essential Eight.

The strategies have been designed to complement each other and to provide coverage across a range of cyber threats. They cover 8 areas:

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. MFA
  8. Daily Backups

To guide you in the implementation, the ACSC has published a maturity scale that helps measure your business’ alignment with each strategy.

  • Level 0 (Immature) – Not aligned with the mitigation strategy (no compliance)
  • Level 1 (Intermittent) – Partly aligned with the mitigation strategy (low compliance)
  • Level 2 (Committed) – Mostly aligned with the mitigation strategy (medium compliance)
  • Level 3 (Advanced) – Fully aligned (highly protected) (2)

The ACSC provides a minimum cyber security posture which includes reviewing and enhancing detection, mitigation and response measures.

Our recommendation is to undertake a comprehensive cyber audit to assess your vulnerabilities and cyber gaps.

The results will inform the action and strategy required to mature your cyber security posture so that it meets the ACSC Essential Eight requirements as a minimum, but also goes above and beyond.

How to apply the Essential Eight to mature your cybersecurity measures

When implementing the Essential Eight, businesses must first identify a target maturity level that is suitable for their environment and then progressively implement each maturity level until that target is achieved.


Mitigation strategies to reduce vulnerability to cyber threat

In order of priority, the ACSC recommends that businesses implement strategies that mitigate the following cyber risks:

  1. Cyber intrusions and other external threats that steal data
  2. Ransomware and threat actors who destroy data and prevent computers and networks from working
  3. Malicious employees who steal data
  4. Malicious employees who destroy data and prevent computers and networks from working

Mitigation strategies

For each of the following threats, businesses need to implement mitigation strategies to:

Cyber intrusions and other external threats that steal data

  • prevent malware delivery and execution
  • limit the extent of cyber security incidents
  • detect cyber security incidents and respond.

Ransomware and threat actors who destroy data and prevent computers and networks from working

  • recover data and system availability
  • prevent malware delivery and execution
  • limit the extent of cyber security incidents
  • detect cyber security incidents and respond.

Malicious employees who may steal data

  • limit the extent of cyber security incidents
  • detect cyber security incidents and respond.
  • Implement ‘Control removable storage media and connected devices’ to mitigate data exfiltration.
  • Implement ‘Outbound web and email data loss prevention’.
  • Implement ‘Personnel management’.
  • If employees are likely to have hacking skills and tools, implement mitigation strategies to prevent malware delivery and execution.

Note that technical mitigation strategies provide incomplete security since data could be photographed or otherwise copied from computer screens or printouts, or memorised and written down outside of the workplace.

Malicious employees who destroy data and prevent computers and networks from working

  • recover data and system availability
  • limit the extent of cyber security incidents
  • detect cyber security incidents and respond.
  • Implement ‘Personnel management’.

If employees are likely to have hacking skills and tools, implement mitigation strategies to prevent malware delivery and execution.

The ACSC strongly recommends that businesses implement the Essential Eight mitigation strategies as a baseline.

However, Kaine Mathrick Tech recommends that all security, IT and business leaders think about their cyber security even more holistically and take it further by considering these additional factors:

  1. Make backing up a part of your everyday business and implement a quality backup strategy or Backup as a Service.
  2. Protect your office equipment from malware with antivirus software, application management, encryption and access control, and by ensuring hardware is current.
  3. Mobile device security to protect mobile assets.
  4. Strong password protection and multifactor authentication.
  5. Network security and SIEM.

Maturity Levels Explained

The ACSC defined maturity levels so businesses understand which strategies make up the Essential Eight to mitigate different levels of cyber threats (or cyber tradecraft).

The ACSC established 4 maturity levels, Maturity Level Zero through to Maturity Level Three. With the exception of Maturity Level Zero, the maturity levels are based on mitigating increasing levels of adversary tradecraft (i.e. tools, tactics, techniques and procedures).

Level 0

Level 0 indicates weaknesses in your business’s overall cyber security posture. When exploited, these weaknesses could facilitate the compromise of the confidentiality of data, or the integrity or availability of your systems and data, as described by the tradecraft and targeting in Maturity Level One below.

Level 1

Appropriate for all Australian businesses that do not have significant uptime, data security or financial protection requirements.

Level 1 maturity indicates your business has a basic level of security to protect itself against a common attack.  For example, a cybercriminal will exploit a security vulnerability in an internet-facing service that has not been patched, or authenticate to an internet-facing service using stolen credentials.

Adversaries are looking for many victims rather than specific targets and will be opportunistic when seeking a common weakness across a number of businesses.  They employ common social engineering techniques to trick users into weakening the security of a system and launching malicious applications.

Level 2

Appropriate for all Australian businesses that do not have significant uptime, data security or financial protection requirements.

Level 2 protects against adversaries operating with a modest step-up in capability from the previous maturity level 1.

These adversaries are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools.

This includes actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication.

Generally, adversaries are likely to be more selective in their targeting but still somewhat conservative in the time, money and effort they may invest in a target.

Adversaries will likely invest time to ensure their phishing is effective and employ common social engineering techniques to trick users into weakening the security of a system and launching malicious applications, for example via Microsoft Office macros. If the account that an adversary compromised has special privileges, they will seek to exploit it; otherwise, they will seek accounts with special privileges. Depending on their intent, adversaries may also destroy all data (including backups) accessible to an account with special privileges.

Level 3

Appropriate for mid-sized and larger businesses with multiple critical systems and large amounts of personally identifiable information or financial data.

This maturity level provides protection from cybercriminals who are more adaptive and much less reliant on public tools and techniques.

These adversaries are able to exploit the opportunities provided by weaknesses in their target’s cyber security posture, such as the existence of older software or inadequate logging and monitoring.

Adversaries do this to not only extend their access once initial access has been gained to a target but to evade detection and solidify their presence. Adversaries make swift use of exploits when they become publicly available as well as other tradecraft that can improve their chance of success.

Generally, adversaries may be more focused on particular targets and, more importantly, are willing and able to invest some effort into circumventing the idiosyncrasies and particular policy and technical security controls implemented by their targets.

Once entry is gained on a system, adversaries will seek to gain privileged credentials or password hashes, pivot to other parts of a network, and cover their tracks. Depending on their intent, adversaries may also destroy all data (including backups).


Is the Essential Eight mandatory for Australian businesses?

This is rapidly evolving, so here is the most recent information:

  • The Australian Department of Home Affairs has recently made amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act). On 2 December 2021, the SOCI Act was amended to apply obligations to certain assets, including new assets defined in the SOCI Act and the Asset Definition Rules.
  • The Security of Critical Infrastructure Act 2018 mandates cyber incident reporting for critical infrastructure assets. Critical infrastructure owners and operators are required to report a cyber security incident if they are captured by the critical infrastructure asset definitions.
  • The Protective Security Policy Framework (PSPF), administered by AGD, mandates that all non-corporate Commonwealth entities implement four specific Essential Eight mitigation strategies (known as the Top Four) and strongly recommends the adoption of the entire Essential Eight. Learn more: ACSC Essential Eight Cyber Security Guidelines & the Maturity Model and ACSC Strategies to mitigate cyber security incidents.
  • Since 2018, it has become mandatory for all businesses with an annual turnover of at least $3 million to report data breaches to the OAIC, whether or not they’ve embraced the Essential Eight framework.

Becoming compliant with the Essential Eight

KMT empowers Australian businesses with our comprehensive managed cyber security service.  Our comprehensive attack surface monitoring service provides a complete cyber security solution to protect your business from most cyber threats.

Essential Eight Frequently Asked Questions

What ACSC Essential Eight maturity level should I target?

  • Maturity Level One is generally suitable for small to medium enterprises.
  • Maturity Level Two is suitable for large enterprises.
  • Maturity Level Three may be suitable for critical infrastructure providers and other organisations that operate in high threat environments.

Kaine Mathrick Tech can help you achieve Maturity Level 1 or 2.

Summary
ACSC Essential 8 everything you need to know
Article Name
ACSC Essential 8 everything you need to know
Description
While no one set of mitigation strategies are guaranteed to protect against all cyber threats, businesses are recommended to implement eight essential cyber security strategies defined by the ACSC. The Essential Eight explained.
Author
Publisher Name
Kaine Mathrick Tech
Publisher Logo

What is an internet-facing server?

An internet-facing server is any server that is directly accessible over the internet.


Does the ACSC provide a list of approved products for implementing the Essential Eight?

  • No. Kaine Mathrick Tech has a comprehensive managed cyber security service that can help achieve Maturity Level 1 or 2 depending on your requirements.

What industries does the Essential Eight apply to?

The Australian Signals Directorate recommends all Australian Government entities and Australian businesses implement the Essential Eight framework for best cybersecurity practice.


What actions should I take to improve my cyber posture?

Our recommendation is to undertake a comprehensive cyber security strategy that at a minimum meets the ACSC Essential Eight requirements but also goes above and beyond.

The ACSC Essential Eight outlines a minimum set of preventative measures; businesses must implement additional measures where warranted by their environment. Furthermore, whilst the Essential Eight can help mitigate the majority of cyber threats, it will not mitigate all. As such, additional mitigation strategies and security controls should be considered.

Actions such as:

  1. Patching applications and devices.
  2. Implementing mitigations against phishing and spear-phishing attacks.
  3. Ensuring that logging and detection systems are fully updated and functioning.
  4. Reviewing incident response and business continuity plans.

Conclusion & Next Steps

Combining the experience of a dedicated cyber security team, as well as hands-on security specialists, Kaine Mathrick Tech has one of the most mature and highly credited managed cyber security solutions in Australia.

A comprehensive cyber security strategy and implementation plan will help ensure your business has the most appropriate people, processes and technology to help you mitigate or, at worst, recover fast from a cyber attack.


Reference

  1. “Australian organisations encouraged to urgently adopt an enhanced cyber security posture” Source: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model
  2. “Gartner Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem”