What Is The Essential 8 and Does Your Business Need to Comply With It?

The Essential Eight represents a cybersecurity structure developed by the Australian Cyber Security Centre (ACSC). Launched in 2017, it's an enhanced version of the Australian Signals Directorate's (ASD) original four security protocols, introducing four more strategies, hence being termed the Essential Eight. Sometimes, it's also referred to as the ACSC Essential Eight or ASD Essential Eight. This framework was designed to shield Australian companies from current cyber threats.

The framework's eight strategies are categorised under three main goals - warding off potential attacks, mitigating the consequences of attacks, and ensuring data accessibility.

Objective 1: Prevent Cyberattacks

Patch application vulnerabilities

Patches are updates that fix vulnerabilities, bugs, or performance issues in software applications. They are crucial to maintaining the security and functionality of a system.

For moderate threats, swift action is more critical. Patches for internet-facing services and commonly-targeted applications should be applied within two weeks, and other applications within a month. Advanced threats necessitate the most urgent response - patches for internet-facing services and commonly targeted applications should be applied within two weeks or 48 hours if an exploit is detected.

These guidelines apply to workstations, servers, network devices, and other network-connected devices, with advanced threats requiring the quickest response.

ASD's ACSC advises proactive measures such as daily identification of missing patches for internet-facing services, fortnightly for commonly targeted applications, and as required for others. The frequency increases with threat severity.

Application Control

Application control, a key security strategy, permits only authorized applications to run on systems, thereby thwarting malicious code. In Windows environments, this can be achieved using two methods: Windows Defender Application Control (WDAC) and Microsoft AppLocker. WDAC employs code integrity policies to limit code execution, while AppLocker regulates application execution based on a variety of attributes.

The ASD's ACSC document outlines specific Group Policy settings for deploying application control with these tools. These include establishing approved paths for executables, DLLs, scripts, and packaged apps, and managing execution grounded on publisher certificates. To uphold secure configurations, it's vital to regularly test and validate these rules.

Application Hardening

The ACSC suggests several strategies for application hardening. These include disabling unnecessary features and functionality, configuring operating systems, applications and programming frameworks securely, patching promptly and regularly, using the latest version of applications, and ensuring strong, unique default credentials are used.

In addition, the ACSC recommends the principle of least privilege - i.e., ensuring that accounts only have privileges necessary to perform their duties. This helps in mitigating potential damage if an account is compromised.

Configuring MS Office Macro settings

Macros, scripts that automate tasks in Office documents, can be exploited by cybercriminals to deliver malware. To mitigate these risks, ACSC advises disabling macros in Office applications. However, if macros are essential, the use of Office 2016 or later versions is recommended due to their enhanced security features.

In these versions, macros in documents from the internet are blocked by default, and users are alerted if an opened document contains macros. To further enhance security, ACSC suggests using Group Policy settings to control macro behaviours in your organization.

User Application Hardening:

Configuring web browsers and PDF viewers to block untrusted Java code, Flash content, and ads. These are common methods for delivering and executing malware, so blocking them can significantly increase your protection.

User Application Hardening also involves updating these applications regularly to ensure any security patches are applied, reducing the risk of exploitation. Additionally, using features like sandboxing can isolate potentially harmful code and prevent it from affecting your system. Lastly, disabling unnecessary features and plugins can minimize potential attack vectors, as each additional functionality can be a potential gateway for malicious activity.

Objective 2: Limit the Impact of Cyberattacks

Restrict Admin Access

The ACSC advises organizations to identify tasks requiring administrative privileges and establish separate, attributable accounts for staff members who need these privileges. This approach ensures accountability and allows regular monitoring of these high-privilege accounts.

Further, the ACSC recommends implementing technical controls to prevent risky activities. These controls can include limiting the use of administrative privileges on internet-facing systems and blocking email and web browsing capabilities for privileged accounts.

Patch Operating Systems

ACSC recommends the practice of Patching Operating Systems. These patches are essentially software updates that fix known vulnerabilities or bugs and improve the overall performance of the system. Just like app makers, the companies that create operating systems (like Windows or MacOS) regularly send out updates called patches. These patches are designed to strengthen the system's security and protect it from potential threats.

Multi-factor Authentication

ACSC strongly recommends the use of Multi-Factor Authentication (MFA). Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction, such as SMS Verification, Email Verification, Biometric Verification etc. The goal of MFA is to create a layered defence and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network, or database.

Objective 3: Data Recovery and System Availability

Daily Backups

ACSC highly recommends conducting daily backups of vital data. Regular backup of important data ensures that it can be quickly restored following a cybersecurity incident. If a system is compromised, having backups allows you to restore the data without paying a ransom or losing valuable information.

The Essential Eight Framework's Three-Tiered Maturity Scale

The Essential Eight framework enables organizations to monitor their compliance, using a three-tiered maturity scale:

1. Maturity Level One represents partial adherence to the mitigation strategies. At this stage, organizations have begun to implement the Essential Eight but have not fully integrated all strategies into their cybersecurity practices.
2. Maturity Level Two indicates significant alignment with the mitigation strategies. Organizations at this level have made substantial progress in embedding the Essential Eight into their cybersecurity framework, but there is still room for improvement.
3. Maturity Level Three signifies total alignment with the mitigation strategies. At this highest level, organizations have fully incorporated the Essential Eight into their cybersecurity practices and consistently apply these strategies across their entire digital infrastructure.

Each tier can be tailored to match the unique risk profile of each business. This customization allows organizations to pinpoint their current compliance status and comprehend the specific steps needed to advance through the stages.

Is Compliance with the Essential Eight Framework Required?

The Essential Eight (maturity level 2) is a mandatory requirement for all Australian non-corporate Commonwealth entities subject to the PGPA Act (as per PSPF Policy 10). 

However, while it is highly recommended, compliance with the Essential Eight is not strictly mandatory for all businesses. Nonetheless, the Australian government is increasingly encouraging and in some cases mandating its use, especially for organizations dealing with sensitive data or under specific regulatory requirements.

The primary goal of the Essential Eight framework is to help organizations mitigate cybersecurity incidents by strengthening their systems against threats. Compliance with this framework can help businesses meet various industry-specific security requirements.

Strengthening Your Organization's Cybersecurity

Want to start or continue your cybersecurity journey by implementing the Essential Eight framework? Get in touch with our team.