BeyondTrust Survey Finds 90% of Australian Enterprises Are Aligning Their Security Programs to the Essential Eight

Just under half of organisations struggling to learn the lessons of recent high profile cybersecurity attacks.

Ninety per cent of Australian organisations are planning to align their security programs to the Essential Eight, highlighting its momentum as fast becoming a de facto standard inclusion for cybersecurity strategies across the country. That’s according to a survey conducted at last month’s AusCERT security conference by BeyondTrust, the leader in intelligent identity and access security.

The Essential Eight provides organisations with a clear framework that can improve their levels of IT security and better position them to withstand attacks.  However, when asked to select the top three challenges organisations face in aligning to the Essential Eight, 63 per cent of respondents highlighted application control (63%), while just over half (51%) cited user application hardening (51%).  Just under half (49%) also said that patching applications was a challenge while Restricting Admin Privileges was also highlighted by more than one in four (44%) of respondents as a struggle.

The survey, highlighting the increasing workload of security teams, also found that more than one in eight (85%) organisations are also pursuing a Zero Trust security model, with 85 per cent either having their processes in place or in progress. However, reflecting that zero trust is a journey, 46 per cent of organisations allow third parties to remotely access their internal system via VPN. This is likely to breach the principle of least privilege as VPNs commonly offer an all or nothing access to systems while users are connected unless considerable effort is placed in maintaining routing rules. For this reason, bringing users from a remote network via the Internet and onto a trusted or secure private network so they can access an application or data is inefficient at best, and risky at worst.

Indeed, 69 per cent of respondents from organisations adopting zero trust say that users in their organisation have excessive privileges beyond what is required to do their job.  Ultimately, a Zero Trust security model advocates for the creation of zones and segmentation to control sensitive IT resources. This also entails the deployment of technology to monitor and manage data, users, applications, assets, and other resources between zones, and, more importantly, authentication within zones.

“The findings of this survey suggest that while many Australian organisations  are embarking on a Zero Trust strategy they are potentially missing one of the foundations of the strategy: the principle of least privilege,” says Scott Hesford, Director of Solutions Engineering, Asia Pacific and Japan, BeyondTrust. “Excessive privileges and common VPN configurations go against the principle of least privilege – the concept of providing just the right amount of access for the specific amount of time for a user to complete a task – and are commonly exploited by cyber attackers.”

Scott Hesford, Director of Solutions Engineering, Asia Pacific and Japan, BeyondTrust

“The survey findings also reflect the challenges around the Essential Eight expressed by cybersecurity professionals that we speak to every day,” says Hesford. “Many teams struggle to find the balance between productivity and security for aspects of the Eight, such as application control and restricting admin privileges.”

“Ongoing budget and resourcing constraints mean that organisations are looking to consolidate strategies of application control, user application hardening and restricting admin privileges into a single solution set.”

Indeed, just under half (48%) of respondents had seen their workload increase over the past two years due to a variety of reasons, including growing attack sophistication and frequency, lack of security skills across the business, an inability to hire and retain staff, the higher repercussion from a breach, and the need to manage too many deployed security solutions.

In addition, the survey found that 48 per cent of respondents felt that organisations had not yet learned lessons resulting from major recent publicised cybersecurity attacks and updated their security strategies.

Learn more at