The Essential Eight Maturity Model: A Strategic Defence Framework for Cyber Security

On average, a cyber-attack occurs every 39 seconds, a figure that highlights the stark reality that businesses are facing an escalating digital arms race. It’s a major issue for everyone, from individuals to large corporations; cybercrime is recognised as a global epidemic, and Australia is no exception. 

Understanding the Current Cyber Security Environment

In Australia alone, the financial impact of cybercrime exceeded $33 billion in 2022, with ransomware attacks contributing to $1.3 billion in damages. The Australian Signals Directorate’s (ASD) Annual Cyber Threat Report for 2023-24 highlighted 87,400 cybercrime reports last financial year, or roughly one every six minutes. At its current trajectory, the cost of cybercrime is expected to reach $10.5 trillion by 2025, and $24 trillion by 2027 – driven primarily by ransomware, social engineering, and insider threats. Unfortunately, ransomware and data theft extortion remain prevalent, with business email compromise (BEC) and fraud among the top self-reported cybercrimes for businesses and individuals in Australia. Whilst cybercriminals don’t discriminate, small businesses are particularly vulnerable, facing average losses of ~$50k per incident.

Cyber threats are growing in scale, frequency, and sophistication, and nowadays, cybercriminals are rapidly capitalising on the use of AI to enhance their attacks. In fact, studies by Darktrace identified that 84% of Australian security stakeholders had been impacted by Artificial Intelligence (AI)-driven cyber-attacks. Thus, with the threat against Australia’s digitally dependent economy only growing, a robust cyber-defence strategy is critical.

Introducing the Essential Eight Maturity Model

The ASD’s Australian Cyber Security Centre (ACSC) developed the Essential Eight Maturity Model (Essential Eight) in 2017 to support Australian businesses and government agencies in enhancing their cyber resilience and contributing towards Australia’s overall cyber security posture. The model provides a practical approach to help protect an organisation’s systems and infrastructure and serves as an essential component of any cyber security toolkit. Implementing the Essential Eight serves many purposes, including building cyber resilience, mitigating threats and vulnerabilities, and defending critical infrastructure. When effectively implemented, the Essential Eight can enhance an organisation’s cyber security posture and support compliance with legal and regulatory requirements, including the Australian Privacy Principles, the Security of Critical Infrastructure Act (SOCI Act), and the ASD’s Information Security Manual (ISM).

Breaking it Down

At its core, the Essential Eight highlights the most effective strategies that serve to mitigate and protect an organisation from cyber security incidents and enable it to address a wide range of traditional and AI-driven cyber threats. These are:

  1. Application Whitelisting: Ensuring that only specific, pre-approved applications can run on a computer or a network. IT administrators compile a list of approved applications that are safe to run and configure their systems to allow only these applications to execute.
  2. Patch Applications: Addressing vulnerabilities found in third-party software (such as web browsers, office suites, audio or video editors, and development tools). It involves updating software to fix vulnerabilities that could be exploited by attackers.
  3. Patch Operating Systems: Performing regular updates on operating systems to patch any vulnerabilities that attackers could exploit to gain unauthorised access. It is essential for maintaining a secure operating environment.
  4. Multi-Factor Authentication (MFA): Requiring users to verify their identity with two or more methods, such as entering a password and a one-time code before access is granted, providing an additional layer of protection.
  5. Restrict Administrative Privileges: Limiting the number of administrative accounts, and the privileges granted to those accounts, as they typically have higher access privileges and the power to make significant system changes (and cause significant damage should they be compromised).
  6. Restrict Microsoft Office Macros: Preventing the use of macros (small scripts used in programs like Excel to automate repetitive tasks, build processes and data flows), which can be leveraged to bypass security controls, gain unauthorised system access, and deliver malware.
  7. User Application Hardening: Hardening applications by implementing robust security controls to prevent or block threats, such as advertisements running malicious scripts, malicious websites, and vulnerabilities in unsupported software.
  8. Regular Backups: Regularly backing up systems (or, even better, having automatic backups) to ensure you can recover data if it is lost, stolen, or encrypted by ransomware, thus helping to maintain operational integrity and making recovery possible even in the worst-case scenario.
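As an added example (not part of the original post or of RightSec’s tooling), the PowerShell script below audits whether Group Policy is enforcing strategy 6, Restrict Microsoft Office Macros, on a Windows workstation. It assumes the Office 2016/2019/Microsoft 365 policy hive (`16.0`); older Office versions store the same values under a different version number.

```powershell
# Added example: audit the Group Policy registry values behind the
# "Restrict Microsoft Office Macros" strategy. Assumes Office 2016/2019/365
# (policy hive version 16.0); adjust for other Office versions.
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Outlook', 'Publisher', 'Visio', 'Project'

function Get-MacroPolicyState {
    param([string]$App)
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    $vba           = if ($null -ne $props) { $props.VBAWarnings } else { $null }
    # blockcontentexecutionfrominternet = 1 blocks macros in files from the internet.
    $blockInternet = if ($null -ne $props) { $props.blockcontentexecutionfrominternet } else { $null }

    [pscustomobject]@{
        Application       = $App
        VBAWarnings       = $vba
        BlockFromInternet = $blockInternet
        # Macros are restricted when disabled outright (4) or limited to signed macros (3).
        MacrosRestricted  = ($vba -in 3, 4)
        InternetBlocked   = ($blockInternet -eq 1)
        # A missing key means nothing is enforced by policy, so it is reported as a gap.
        PolicyEnforced    = ($vba -in 3, 4) -and ($blockInternet -eq 1)
    }
}

$results = foreach ($app in $apps) { Get-MacroPolicyState -App $app }
$results | Format-Table -AutoSize

$gaps = $results | Where-Object { -not $_.PolicyEnforced }
if ($gaps) {
    Write-Warning ("Macro policy not enforced for: " + ($gaps.Application -join ', '))
    exit 1
}
Write-Output "Office macro policy is enforced for all checked applications."
```

Run it under the user account being assessed, since Office policy values live in the user hive; a non-zero exit code makes it easy to wire into a fleet-wide compliance check.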

Is the Essential Eight Framework Mandatory for all Organisations?

For private-sector businesses and enterprises, compliance with the Essential Eight is voluntary; however, implementation is strongly recommended to guide organisations in developing effective cyber security measures to uplift their cyber security posture.

For non-corporate Commonwealth entities (NCCEs) subject to the Department of Home Affairs’ Protective Security Policy Framework, it is mandatory to adopt the Essential Eight to uplift national cyber security and resilience.

At the end of the day, when it comes to information and data security, the primary objective is to ensure that the Confidentiality, Integrity, and Availability of your organisation’s data (collectively referred to as the CIA Triad) is upheld.

Why the Essential Eight?

The Essential Eight provides a baseline approach that organisations can implement to significantly reduce the risk of a cyber-attack. Focusing on practical and effective mitigation strategies helps an organisation build a robust and resilient cyber security posture and improve its security hygiene.

Implementing the Essential Eight

When implementing the Essential Eight, the first step is to evaluate your organisation’s maturity level and ensure that it aligns with your risk appetite. For example, if an organisation has a low risk appetite, it may aim for a higher maturity level to ensure a robust implementation. However, if an organisation has a higher risk appetite, it may aim for a lower maturity level, where it is willing to accept some risk in exchange for lower implementation costs.

Evaluating your Organisation’s Maturity Levels

The beauty of the Essential Eight is that it meets an organisation where it is on its cyber security journey, and is designed to build up and strengthen an organisation’s defences in a way that is commensurate with its risk appetite:

Maturity Level Zero

  • Cyber security practices are minimal or non-existent.
  • Demonstrates the presence of weaknesses in the organisation’s cyber security posture, rendering it highly vulnerable to attacks.

Maturity Level One

  • Cyber security practices are partially aligned with the intent of the mitigation strategy.
  • Cyber security practices are adopted on an ad hoc basis. Measures are in place, but they are inconsistent or incomplete and typically applied only in specific areas.

Maturity Level Two

  • Cyber security practices are structured and applied consistently across the organisation’s systems.
  • Offers improved protection against more sophisticated threats.

Maturity Level Three

  • Cyber security practices are automated and fully optimised.
  • Designed for organisations that require a robust cyber security strategy to mitigate advanced cyber threats.

The Essential Eight: The Right Fit?

When evaluating whether the Essential Eight is sufficient and relevant for your organisation, it is important to understand its strengths and limitations:

Unlocking the Full Potential of the Essential Eight

While the Essential Eight provides a robust foundation for cyber security readiness, additional measures are necessary to achieve a comprehensive and resilient cyber security posture. Organisations can further strengthen their cyber security posture by incorporating elements from the ISO/IEC 27001 standard and NIST’s Cyber Security Framework. These frameworks complement the Essential Eight (E8) by providing support in the areas of risk management, incident response, and continuous monitoring. Moreover, by adhering to privacy and other industry-specific regulations and standards, an organisation will be better positioned to achieve and maintain its security requirements and controls and to effectively secure its digital assets.

RightSec can Help

Here at RightSec, our team offers the expertise and tools you need to implement the Essential Eight as part of your cyber security strategy. Our mission is to ensure you have all the tools and resources to succeed in uplifting your cyber resilience and protecting your critical assets.

Book a consultation now to learn more about our tailored services and boost your preparedness for a rapidly evolving cyber threat landscape.

Binita Pitamber - Author

Cyber Security Consultant