Essential Eight demystified

Fatema Hashmi

Technical Senior Consultant


It's been said that it can take 20 years to build a reputation, but just one security incident to ruin it. Today's escalating cyber-crime makes that statement more relevant than ever.

According to the Australian Cyber Security Centre, cyber-crime cost businesses and individuals $33 billion1, with one incident reported every eight minutes. A quarter of the attacks impacted critical infrastructure and essential services.

There's no doubt that security has to be at the forefront of every organisation's thinking. But creating a cyber-resilient business can be a daunting task.

External threats. Internal challenges

For some, just knowing where to start can be a challenge in combating threats. Others are struggling to get security buy-in from other areas of the business.

Once these hurdles are overcome, others are sure to follow. Which security framework is for right? Do you have appropriate tools? Or have you over-invested in security products, with the confusion that brings? There's also the fatigue of dealing with constantly evolving threats and countermeasures.

What is the Essential Eight?

To help overcome the challenges, the Australian Signals Directorate identified a comprehensive list of thirty-seven approaches to limit an organisation's exposure to most cyber-threats.

As the name suggests, the Essential Eight are the eight most essential of these approaches. They provide a framework of mitigation strategies to protect digital environments.

The good news is the strategies are easy to follow, form a good baseline of protection, and act as the most practical starting point for a strong security posture.

The Essential Eight in essence

When you think about it, the Essential Eight can be condensed into three categories: prevent malware delivery and execution; limit the extent of cyber-security incidents; and recover data and system availability.

An easy way to understand the Essential Eight is through the phrase 'Catch, Patch and Match': catch vulnerabilities; patch applications and operating systems; and match them to the right level of access. Once that's done, make sure everything is backed up.

The Essential Eight in practice

The Essential Eight is easy to follow. Here's an example of how it works with a software installation:

1. Application control. An employee needs to install Cisco WebEx. Have you ensured the employee is installing from a trusted site, and do you have controls that prevent execution of malicious code?

2. Patch applications. To install Cisco WebEx, the employee needs to use a web browser. Have you updated the browser or has it been done automatically?

3. Configure Microsoft Office macro settings. Are macro settings disabled so they can't be compromised by disguised malware in software downloads?

4. User application hardening. Have you ensured the employee can't change the browser security settings, or that the browser has been set to block Java?

5. Restrict administrative privileges. Have you made sure the employee needs to get permission before installing Cisco WebEx?

6. Patch operating systems. Are operating systems up to date so they can't be compromised by a suspect download?

7. Multi-factor authentication. Are administrators authenticating the Cisco WebEx installation and other privileged actions?

8. Regular backups. Are you able to quickly restore your systems, software and data if they are compromised by the software installation?

Understand your Essential Eight maturity level

The Essential Eight has three maturity levels and often there's confusion understanding your specific level.

The first thing to realise is that you don't need to comply as soon as possible with full Level Three maturity of the Essential Eight. Level Three is only mandatory for government agencies. For other organisations, the Australian Signals Directorate advises that maturity levels need to be based on the level of risk.

Therefore, you need to know your risks and aim for the maturity level that mitigates those risks. That means you must:

  • Know your data
  • Know the assets you need to protect
  • Know your baseline security posture.

Once you've defined your exposure, you can use the Essential Eight as a starting point and framework for best practice. Then you can build your maturity level over time. It's also vital to achieve the same maturity level for all eight strategies before moving up to the next level.

However, reaching your desired maturity level isn't a reason to relax. You should then ensure your security processes are configured for optimal day-to-day running, and be looking at other ways to protect yourself.

What the Essential Eight is not

The Essential Eight is not a new security tool in the market. It's about fine-tuning what you have and addressing gaps along the way to mitigate vulnerabilities across people, processes and technology.

You should also remember that the Essential Eight is not an exhaustive list. And it's definitely not set and forget. The hard truth is that maintaining security is a never-ending journey that requires continuous effort.

At its core, the Essential Eight is a shift in mindset. It moves your thinking away from simply achieving compliance towards a focus on constant awareness, risk exposure, and maintaining zero trust.

The Essential Eight is appropriate at any stage of your security journey, so if you haven't implemented it, you should. It doesn't matter if you start small, but do start today.

1ACSC Annual Cyber Threat Report, 1 July 2020 to 30 June 2021. 10

Make a real difference Speak to an expert