
Does Your Business Need the Essential Eight?
23 Aug 2023

The Essential Eight is a framework developed by the Australian Cyber Security Centre (ACSC) to identify, mitigate, and prevent potential cyberattacks. In order to protect Australian businesses, the Federal Government has recommended that all organisations, regardless of size, implement the Essential Eight strategies.
Given the surge in cyberthreats in recent years, businesses need to be vigilant about safeguarding their systems and sensitive data – as the financial and reputational damage caused by a cyberattack can be devastating.
Advantages of the Essential Eight
The Essential Eight delivers a framework to protect against common cyberattacks, detect and respond to incidents, and minimise the impact of a cyber-event. As a tool, it provides key benefits:
A Holistic Approach – The Essential Eight focuses on core mitigation strategies that complement each other to effectively mitigate a wide range of cyberthreats.
Clear Direction – Businesses can assess their current cybersecurity maturity level and identify areas for improvement, to prioritise efforts and allocate resources effectively, providing a pathway to cyber resilience.
Cost Savings – In 2022, the average cost per cybercrime reported to the ACSC was over $39,000 for small businesses, which could have been avoided by adhering to the Essential Eight framework.
Privileged Access Management – The Essential Eight places administrative restrictions on applications, operating systems, and devices on a user basis, for increased control and heightened data security.
Multi-Factor Authentication – Implementing multi-factor authentication across all devices provides an extra barrier and layer of security for cybercriminals to get past, reducing the likelihood of a cyberattack by up to a whopping 99.9%.
Limitations of the Essential Eight
While the Essential Eight is an important framework for building cyber resilience, there are a few disadvantages. Firstly, it is limited in scope and is not a comprehensive solution that can protect any organisation from all possible threats. Because the strategies were specifically designed for Microsoft Windows, not all may be relevant to other operating environments.
What’s more, as a standardised solution, the framework may not align with the specific needs and risk profiles of every business. Organisations also require the necessary time, expertise, and resources to implement the security controls associated with each of the Essential Eight – which can be a challenge particularly for smaller and medium-sized businesses.
But one of the biggest issues for the Essential Eight is the speed of change when it comes to new and emerging cyberattack techniques. The framework may not be able to keep pace with the rapidly evolving threat landscape – so businesses still need to ensure ongoing monitoring, and adapt their security measures in response to new threats.
Getting the Right Balance
As a one-size-fits-all solution, the Essential Eight adopts a broad foundational approach to controlling cyberthreats that doesn’t necessarily address specific organisational needs. Because the scoring isn’t weighted across the different focus areas, businesses may end up placing too much emphasis on controls that aren’t relevant while neglecting ones that require greater attention.
The revised Privacy Act recommends a more interpretative ‘risk-based approach’ to organisational cybersecurity. Businesses are responsible for carrying out assessments that identify specific privacy risks in their practices and procedures, against the relevant legislative requirements.
With a tailored approach, businesses may decide that they don’t need to comply with every single element covered in the Essential Eight strategies. For example, if the organisation doesn’t use Microsoft Windows, then the controls related to blocking PowerShell won’t be applicable.
The bottom line is, the Essential Eight is an extremely valuable tool for business owners, but they should feel empowered to take the reins on how the strategies apply to their own cybersecurity control requirements. Organisations should also adopt supplementary measures to meet the specific needs of their business and systems, overcome the limitations of the Essential Eight model, and adapt to evolving threats.
© Secureroo Pty Ltd, 2021-2023