
Which Essential Eight Maturity Level Does Your Business Need?

10 Aug 2023

The Essential Eight is a set of baseline mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to help organisations protect their systems and devices against cyberattacks. In November 2022, the ACSC released an updated Essential Eight Maturity Model, which provides guidance on how to implement each of the eight strategies and how to assess how well they have been implemented.


This model is used to determine an organisation’s current security status, as well as identify and plan for a target maturity level suitable for their operating environment. The business can then progressively implement each strategy, achieving the same maturity level across all of the Essential Eight before moving to the next maturity level.



What are the Maturity Levels?


Four maturity levels have been defined, based on an organisation’s ability to mitigate security risks associated with increasingly sophisticated tools, techniques, and procedures used by cybercriminals.


Maturity Level Zero


The lowest maturity level indicates that there are significant weaknesses in an organisation’s overall cybersecurity posture. Because these weaknesses are easy to exploit, the business is at risk of the confidentiality of its data, and the integrity and availability of its systems and data, being compromised.


Maturity Level One


The focus of Maturity Level One is defending against cybercriminals who use tools and techniques that are easily available to gain access to and control of your systems – for example, exploiting a vulnerability in an internet-facing service that hasn’t been patched, or authenticating with previously stolen credentials. Organisations targeting this maturity level are protecting themselves against malicious actors that are seeking any victim rather than a specific victim. Rather than investing heavily to gain access to one target, these actors opportunistically look for common weaknesses across many targets that can be readily exploited – for example, tricking users into opening a malicious file so that everyday software such as a PDF reader or Microsoft Office launches malware.


Maturity Level Two


At Maturity Level Two, cybercriminals have slightly more advanced capabilities than at the previous maturity level. They may be willing to invest more time and effort to specifically target one organisation – although their attempts are still more conservative than those considered at Maturity Level Three. For example, malicious actors may use phishing or other social engineering techniques to trick users into clicking links and opening malicious attachments. Organisations targeting this maturity level will tighten controls, log high-risk activities, and consider a broader range of potential threats.


Maturity Level Three


At the highest maturity level, the focus is on mitigating threats from cybercriminals that are more adaptive and use tools and techniques that are not publicly available. Targeting specific organisations, they are willing to invest time and effort into circumventing the target’s security controls. By exploiting weaknesses in an organisation’s cybersecurity posture, their goal is not only to gain initial access but to establish a foothold in the system, solidify their presence and move to other parts of the network. Organisations targeting Maturity Level Three will consider a very broad scope of potential threats, are willing to sacrifice some usability for security, and implement specific technical controls to enable centralised logging and monitoring of network activity.



Taking a Risk-Based Approach


Organisations need to achieve a maturity level that is appropriate to their risk profile, taking into account all possible risks and the costs involved in enhancing their security measures. They should also consider their desirability to cybercriminals and the likelihood of becoming a specific target, as well as the financial and reputational consequences of a cyber incident. These factors can be used to help determine a target maturity level.


Using a risk-based approach, organisations can identify and plan for a suitable target maturity level – carrying out a risk assessment and cybersecurity audit at the same time. Business owners then need to implement the controls required for the target maturity level for each of the Essential Eight strategies. Note that the overall maturity level is the lowest level achieved across all eight strategies, not an average: it won’t change until every strategy has been uplifted to the target. Once the target level has been achieved across all eight, the organisation may decide it needs a higher maturity level and repeat the process for each mitigation strategy.
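The roll-up rule above is worth making concrete, because it is easy to misreport an overall level by averaging per-strategy results. The following added example (not code from the original page or from the ACSC) scores a hypothetical, constructed assessment: it takes the level achieved for each of the eight strategies, rejects incomplete assessments, reports the overall level as the minimum, and lists which strategies still need uplifting to reach a chosen target.

```python
"""Essential Eight maturity roll-up: overall level is the lowest per-strategy level."""
from typing import Dict

# The eight mitigation strategies of the ACSC Essential Eight.
ESSENTIAL_EIGHT = (
    "application control",
    "patch applications",
    "configure Microsoft Office macro settings",
    "user application hardening",
    "restrict administrative privileges",
    "patch operating systems",
    "multi-factor authentication",
    "regular backups",
)
MAX_LEVEL = 3  # Maturity levels run from 0 (weakest) to 3 (strongest).


def validate_assessment(levels: Dict[str, int]) -> None:
    """Reject an assessment that omits a strategy or uses a level outside 0..3.

    A partial assessment cannot support any overall level claim, because the
    overall level depends on the weakest of all eight strategies.
    """
    missing = [s for s in ESSENTIAL_EIGHT if s not in levels]
    if missing:
        raise ValueError(f"assessment is missing strategies: {missing}")
    unknown = [s for s in levels if s not in ESSENTIAL_EIGHT]
    if unknown:
        raise ValueError(f"unknown strategies in assessment: {unknown}")
    bad = {s: lvl for s, lvl in levels.items()
           if not (isinstance(lvl, int) and 0 <= lvl <= MAX_LEVEL)}
    if bad:
        raise ValueError(f"levels must be integers 0..{MAX_LEVEL}: {bad}")


def overall_maturity(levels: Dict[str, int]) -> int:
    """Overall maturity is the lowest per-strategy level, never the average."""
    validate_assessment(levels)
    return min(levels[s] for s in ESSENTIAL_EIGHT)


def uplift_gaps(levels: Dict[str, int], target: int) -> Dict[str, int]:
    """Strategies still below the target level, and how many levels each must rise."""
    validate_assessment(levels)
    if not 0 <= target <= MAX_LEVEL:
        raise ValueError(f"target must be 0..{MAX_LEVEL}, got {target}")
    return {s: target - levels[s] for s in ESSENTIAL_EIGHT if levels[s] < target}


def next_target(levels: Dict[str, int]) -> int:
    """The next level to plan for: one above the current overall, capped at ML3."""
    return min(overall_maturity(levels) + 1, MAX_LEVEL)


# Constructed sample assessment for illustration only; not real assessment data.
SAMPLE_ASSESSMENT = {
    "application control": 1,
    "patch applications": 2,
    "configure Microsoft Office macro settings": 2,
    "user application hardening": 2,
    "restrict administrative privileges": 1,
    "patch operating systems": 2,
    "multi-factor authentication": 0,
    "regular backups": 2,
}

if __name__ == "__main__":
    # Seven strategies sit at ML1 or ML2, but a single ML0 strategy makes the
    # organisation ML0 overall (the average of 1.5 would be misleading).
    print("overall maturity:", overall_maturity(SAMPLE_ASSESSMENT))
    print("next target:", next_target(SAMPLE_ASSESSMENT))
    print("gaps to ML2:", uplift_gaps(SAMPLE_ASSESSMENT, 2))
    try:
        overall_maturity({"regular backups": 3})  # incomplete assessment
    except ValueError as err:
        print("rejected:", err)
```

In the sample, one strategy at Maturity Level Zero pins the organisation to Level Zero overall even though the other seven are at Level One or Two; the gap list is what the uplift plan for each strategy would be built from.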


Because reaching a target level can require significant investment in both time and resources, it may be advisable to target a lower level of maturity at first, unless your business has specific requirements or is facing advanced threats. It is also a good idea to set a clear and appropriate budget from the outset to reduce the risk of cost overrun.


© Secureroo Pty Ltd, 2021-2023