The Essential Eight
ACSC Essential Eight - Hexicor

In 2017, the Australian Cyber Security Centre (ACSC) released eight essential strategies to prevent malware delivery, limit the impact of cybersecurity attacks, and improve recovery.

The Essential Eight Maturity Model acts as the baseline of ACSC’s Strategies to Mitigate Cyber Security Incidents. It was first published in June 2017 as a list of practical security controls that organisations can implement to improve the security of their information. Subsequently, an update was released in July 2021. The Essential 8 uses a scoring system from 0 to 3 to help businesses identify their security posture.

These mitigation strategies are designed to protect Windows-based networks and outline a minimum level of preventative measures. Though there is no requirement for an organisation to be “Essential Eight Certified,” the Essential 8 are considered by the ACSC as the most effective strategies for limiting the impact of cyber security incidents and are therefore an excellent way to ensure the cyber-resiliency of your organisation’s mission.

The ACSC Essential 8 mitigation strategies

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

These eight strategies in particular were selected because they are the most effective. Furthermore, the ACSC advises using appropriate alternative mitigation strategies to mitigate unique cyber threats in environments such as cloud services and enterprise mobility. However, organisations should first identify and plan for a target maturity level suitable for their environment before implementing the Essential Eight.

The Essential 8 are a set of risk-based strategies that represent the most impactful and cost-effective steps. Maturity levels range from 0 through 3, with each level designed to build upon the lower levels and fit your risk profile. While Level 1 indicates overall comprehensive protection against common attacks, Levels 2 and 3 add resiliency against customized, targeted attacks. It is recommended that each level be completed in its entirety across the eight strategies before considering higher levels. To use a building analogy, it is preferable to finish a floor before starting a new storey.

The Bottom Line

Finally, the Essential 8 is neither a certification nor an accreditation. Organisations are under no obligation to have their Essential Eight implementation certified by a third party. However, if required by a government directive or policy, a regulatory authority, or contractual arrangements, Essential Eight implementations may need to be assessed by an independent party.

Calibre One provides innovative business IT, Communication and Security solutions. Contact Hexicor One to book an Essential 8 Assessment with one of our qualified Cyber Security experts today.
