What is this Essential Eight thing I keep hearing about and (why) should I care’.

As large-scale data breaches make customers and partners more security-conscious, Devicie says it makes sense for Australian businesses to be able to chart a course to consistently improve their security posture.

One of the most well-known and effective ways to demonstrate security maturity is by aligning with the Essential Eight, a set of Australian government-developed baseline mitigation strategies that, once implemented, are designed to make life hard or would-be attackers and minimise the potential damage should an attacker breach defences.

 So, what are the Essential Eight exactly?

The Essential Eight tracks maturity as a set of levels from zero to three in areas including application controls, patch applications and operations systems, user application hardening, Microsoft Office macro settings, restricting administrative privileges, multi-factor authentication and backups; building defence in depth to raise security posture through those levels greatly enhances an organisation’s ability to defend against, and reduce the impact of, common attacks.

Broadly speaking and from an adversarial perspective, an organisation with an assessed maturity level of zero has potentially exploitable weaknesses in its posture.

Level One maturity is designed to protect against attackers that make use of conventional or public techniques and practise what might be described as “opportunistic attacks”.

As organisations move up the Essential Eight maturity scale, they are better positioned for encounters with more sophisticated attackers and techniques employed against their assets or users.

At Level Two maturity, organisations are better able to deal with attempts to bypass their security controls or to protect credentials from phishing or other social engineering-type attacks.

Organisations that achieve maturity Level Three are considered to be best-placed to defend against targeted attacks, particularly against adversaries that are better able to gain entry and avoid detection, particularly for an extended period of time.

Dwell time – the period in which an attacker is able to remain in a target’s system undetected – is often measured in weeks, during which time they can undertake significant reconnaissance, escalate the attack or wait for an opportune moment to try to steal data.

What are some of the benefits of the Essential Eight?

While ostensibly developed to improve the security posture and practices of government agencies and departments, the benefits of Essential Eight alignment have become more broadly recognised – and adopted – as a graduated pathway towards improving the security of organisations in a much broader set of industries.

Reducing the potential dwell time of an attacker is a strong reason – and potential payoff – to moving up the Essential Eight maturity scale.

Another potential payoff is that Essential Eight maturity can also act as an incredible communication tool.

For an organisation that reaches level three maturity on all – or even most – Essential Eight controls, it speaks volumes about their security and their ongoing commitment – and that level can be independently verified and understood by anyone.

A public commitment to the Essential Eight shows potential customers or partners the organisation has a robust security posture.

This may lead the organisation to be favoured by security and privacy-conscious customers. Recent surveys show that customers are increasingly making purchase decisions based on security criteria. One would anticipate this trend becoming even more pronounced over time.

For an organisation trying to sell its products or services, achieving a set maturity level with the Essential Eight means not having to explain each step they’ve taken to secure their operations, systems, patterns, or practices.

The maturity rating – as it relates to application control, patching, administrative privileges or multi-factor authentication, to name only a few domains the Essential Eight covers – demonstrates what prospective customers and partners can and should expect in the way the organisation will run their systems and protect important data.

In addition, while cyber supply chains will continue to be a popular avenue for cybercriminals seeking to cause disruption and losses to business of all sizes, by implementing measures such as those detailed in the Essential Eight, businesses can reduce the likelihood of falling victim to an attack on them directly. Checking with vendors, partners, and suppliers as to their adherence to a framework such as the Essential Eight can further help to reduce the risk of business disruption due to cyber attacks.

In summary, what should I know about the Essential Eight?

Organisations don’t want to be in a situation where they need to constantly show they are secure, or explain what they’ve done on the security controls front every time they encounter questions from a customer or partner.

The Essential Eight offers a way for organisations to combat and more importantly change their security posture dynamic, by offering an independent measure of how they are tracking, using a standard set of measures. This also makes comparing the relative security of different organisations on Essential Eight journeys comparable.

Anything else I should be do for my business when it comes to cybersecurity?

Yes, indeed!

  • First up, recognise no business is immune from a potential cyber attack.
  • Today, no Australian business should have known, published vulnerabilities sitting in their networks waiting for a malicious hacker to exploit them.  Therefore, focus on fixing known vulnerabilities.
  • When it comes to annual tech spend, ensure you invest in organisational training and raise awareness, including the responsibilities of all staff in managing what is a set of business risks, not IT risks.
  • All risk and compliance strategies in companies need to include a cybersecurity component.
  • If you don’t have the skills in-house, engage a trusted third-party organisation to perform a security gap analysis across your business operations.