There are changes coming regarding the Essential Eight cyber security strategies in Australia. Any business with an IT infrastructure needs to at least be aware of these changes.
Essential Eight – what is it?
The Essential Eight are baseline mitigation strategies recommended for Microsoft Windows-based networks. They were developed by the Australian Cyber Security Centre (ACSC) in 2017 to combat cyber security threats and are assessed and updated regularly in consultation with government authorities and their industry partners to reflect our changing world and the cyber threats that come with it.
The Essential Eight strategies were put in place to make it harder for malicious actors to attack IT systems. They guide businesses to stay on top of cyber security and put proper procedures and associated technologies in place to prevent attacks from happening, rather than leaving cyber security to chance and hoping for the best.
The Essential Eight includes:
- A timeframe of 48 hours to patch vulnerabilities
- Multi-factor authentication to make it harder for malicious actors to guess passwords
- Daily backups of critical data
- Keeping operating systems patched and up to date within forty-eight hours
- Fortifying web browsers to stop the delivery of malicious code
- Restrictions on administration privileges
- Blocking Microsoft Office macros from the Internet, which is a common method of running malicious code
- A whitelist for approved applications
Using a maturity model that sits across the eight essential mitigation strategies, IT systems must be configured to meet certain standards before they can progress to the next maturity level. Each level acts as a stamp of cyber security protection.
Government changes are coming
The pandemic has brought an increased risk of cyber-attacks to Australian shores and the government is stepping up to do something about it. The ACSC will be mandating the Essential Eight for all 98 non-corporate Commonwealth Entities (NCCEs), although an official date has not been set.
This change will have a flow-on effect for businesses that interact with NCCEs. While other businesses are not required to implement the Essential Eight, the ACSC website states, “Essential Eight implementations may need to be assessed by an independent party if required by a government directive or policy, by a regulatory authority, or as part of contractual arrangements”, meaning that organisations may lose opportunities for growth if they do not comply.
The Essential Eight is recommended for businesses to help protect their IT infrastructure and sensitive data. The ACSC is encouraging investment in implementing the Essential Eight now, as opposed to having to deal with a potentially expensive attack in the future.
The ACSC recommends a risk-based assessment when deciding on the desired maturity level for an organisation. Once that has been established, steps can be taken to work towards achieving it. Proper monitoring and reviewing should also be applied.
What’s changed with the Essential Eight?
One of the major changes is to the maturity model. Firstly, a new level, level zero, has been introduced. This level indicates weaknesses in an organisation’s cyber security protection. Level three is the highest maturity level and is reserved for organisations that have implemented cyber security measures to protect them against sophisticated threats.
Previously, NCCEs were required to implement the top four of the Essential Eight. With these new changes, all eight will need to be addressed. Audits to check this and the maturity level will also be introduced.
The way in which the maturity model functions is also changing. Previously, NCCEs could focus on achieving a certain level of maturity for the top four strategies. Now, they will have to achieve a level of maturity across all eight before advancing to the next level of maturity.
The Essential Eight is all the talk now in Australian cyber security. Contact the security experts at Linktech Australia to find out how they can help your business secure your IT infrastructure.