
What is the Essential 8?
10 Aug 2023

With cyberthreats posing an increasing risk to Australian businesses, the Australian Cyber Security Centre (ACSC) has developed a set of mitigation strategies as a framework for organisations to protect themselves against possible cyberattacks and protect sensitive information in line with the Privacy Act. The key strategies are known as the Essential Eight.
The Essential Eight are designed to protect Microsoft Windows-based internet-connected networks – although they may also be applied to cloud services and other operating systems. The ACSC recommends the Essential Eight as a baseline to build cyber resilience and minimise the risk of systems being compromised.
The Essential Eight
1. Application Control
Application control prevents the execution of unauthorised programs or malware. It uses a whitelist of all approved applications such as software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets, and drivers.
2. Patch Applications
Cybercriminals can exploit vulnerabilities in applications to gain access to devices and sensitive information. Patches improve security by fixing known vulnerabilities in applications. Regular vulnerability scanning is recommended to identify missing patches and security updates.
3. Configure Microsoft Office Macro Settings
Microsoft Office macros are another way of executing malicious code on systems. However, it is possible to change settings to only allow vetted macros in – either with digital signing or from trusted locations – blocking the entry of other macros from the internet.
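One way to check these settings, as an added example that is not part of the original article: the script below audits the Office Group Policy registry values `VBAWarnings` and `blockcontentexecutionfrominternet` in a `reg export` text dump. The sample export is constructed, the script assumes the dump has already been decoded to plain text, and it does not inspect the trusted-locations list.

```python
import re

# Constructed sample in `reg export` text format (not taken from a real host).
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000003
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security]
"VBAWarnings"=dword:00000004
'''

KEY_RE = re.compile(r"^\[.*\\Policies\\Microsoft\\Office\\[\d.]+\\(\w+)\\Security\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# VBAWarnings: 1 enable all, 2 prompt the user, 3 signed macros only, 4 disable all
VETTED_ONLY = {3, 4}

def parse_policies(text):
    """Return {app: {value_name_lowercase: int}} for Office Security policy keys."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = apps.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            v = VAL_RE.match(line)
            if v:
                current[v.group(1).lower()] = int(v.group(2), 16)
    return apps

def audit(text, expected_apps=("Word", "Excel", "PowerPoint")):
    """Return {app: [findings]}; an empty list means both settings are enforced."""
    policies = parse_policies(text)
    report = {}
    for app in expected_apps:
        values, findings = policies.get(app, {}), []
        if values.get("vbawarnings") not in VETTED_ONLY:
            findings.append("unsigned macros can be enabled (VBAWarnings=%s)" % values.get("vbawarnings"))
        if values.get("blockcontentexecutionfrominternet") != 1:
            findings.append("macros in files from the internet are not blocked")
        report[app] = findings
    return report

if __name__ == "__main__":
    for app, findings in audit(SAMPLE_EXPORT).items():
        print(app, "OK" if not findings else "; ".join(findings))
```

A missing value is reported as a finding because an unset policy leaves the choice to the user's own Trust Center settings.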
4. Application Hardening
Flash, ads, and Java are common ways of delivering and executing malware. User application hardening is the process of disabling high-risk functionality in these programs – for example, by configuring web browsers to block or uninstall Flash, ads, and Java, and disabling unnecessary features in Microsoft Office, web browsers, and PDF viewers.
5. Restrict Administrative Privileges
All organisations have accounts with a higher level of access than standard users. Cybercriminals attempt to access these privileged accounts to carry out attacks. Restricting administrative privileges gives fewer accounts the ability to make significant changes to operating systems or applications, to reduce the overall level of risk.
6. Patch Operating Systems
As with applications, patching is a highly effective means of fixing vulnerabilities in operating systems. Exploiting unpatched operating systems is the most common external attack method – so it is critical to check frequently for security vulnerabilities, apply patches, and update to the latest operating system version.
7. Multi-Factor Authentication
Stronger user authentication adds another protective layer around an organisation’s data and systems. Multi-factor authentication is used to verify users when they perform a privileged action or access highly sensitive data.
8. Regular Backups
Regular backups are one of the simplest ways to ensure that important data can still be accessed following a cyberattack. Backups of essential information, software, and configuration settings should be performed at least daily, with copies of files stored offline where they can’t be accessed by hackers.
The Essential Eight Maturity Level
The ACSC has developed the Essential Eight Maturity Model to give businesses guidance around how to implement the strategies. The model comprises three levels, each with essential security controls and strategies. Maturity Level One is partly aligned with the intent of the mitigation strategies, Maturity Level Two mostly aligned, and Maturity Level Three in full alignment.
As a baseline, businesses should aim to reach up to Maturity Level Three for all Essential Eight strategies – although they may need to start by targeting a lower maturity level depending on what security measures they are willing to adopt.
Using a scoring system from 0 to 3, this model helps organisations identify their current status and determine where they can make improvements. Taken as a holistic approach, the Essential Eight Maturity Model prioritises implementing all of the key mitigation strategies as a complete package, in order to effectively build organisational cyber resilience.
© Secureroo Pty Ltd, 2021-2023