In light of the increased cybersecurity threats the pandemic has brought with it, steps are being taken to protect Australians and their data and digital assets from cybersecurity threats.
The Australian Cyber Security Centre (ACSC) is edging closer to mandating the Essential Eight cyber security mitigation strategies for all 98 non-corporate Commonwealth Entities (NCCEs) after consulting with the government and industry partners.
Since their inception in 2017, the Essential Eight (E8) have been regularly updated to reflect changing threats in the cybersecurity landscape. Further recent updates were made to strengthen the strategies in preparation for the mandate; however, no official date has been provided yet. Although the Essential Eight will be mandatory for NCCEs, this will no doubt have implications for businesses that interact with NCCEs.
Regardless, the Essential Eight is still recommended for other businesses to help protect their digital assets with the ACSC encouraging businesses to invest in digital security now vs having to deal with potential expensive and resource-intensive malicious attacks in the future.
What is the Essential Eight?
The Essential Eight mitigation strategies are a recommended baseline for Microsoft Windows-based networks to combat cybersecurity threats. These strategies make it harder for malicious actors to infiltrate sensitive data or to hijack a system. They encourage businesses to be pro-active rather than re-active when it comes to cybersecurity.
The mitigations strategies are implemented using a maturity model. Organisations aim to implement mitigation strategies at an initial level and work on increasing their maturity level thereby increasing their cybersecurity protection.
The Essential Eight mitigation strategies include:
- Multi-factor authentication
- Restricting administration privileges
- Daily backups of critical data
- Keep operating systems patched/up to date within forty-eight hours
- Armouring web browsers as they are a popular way of delivering malicious code
- Configuring Microsoft Office to block macros from the Internet
- Allowing only approved programs to run
- Patching vulnerabilities within 48 hours
What’s changed with the Essential Eight?
In the past, NCCEs were required to implement the top four of the Essential Eight, and they were only required to self-asses if they met them. The mandate will now be extended to include all eight mitigation strategies and will see the introduction of cybersecurity audits checking for adherence.
There is no requirement for other organisations to implement the Essential Eight. However, according to the ACSC website, “Essential Eight implementations may need to be assessed by an independent party if required by a government directive or policy, by a regulatory authority, or as part of contractual arrangements” meaning that organisations may lose possible business opportunities if they do not comply.
One of the major changes in the Essential Eight is to its maturity model. The Essential Eight Maturity Model consists of levels that sit across all Essential Eight mitigation strategies. The lowest is the recently introduced “zero” maturity level, for organisations with weaknesses in their cybersecurity. “Three” is the highest maturity level and is for organisations that have implemented cybersecurity initiatives to ward off sophisticated threats.
NCCEs will be required to achieve adherence across all eight migration strategies for a particular level before advancing to the next level. Previously, NCCEs were able to focus their efforts on a subset of the migration strategies, like the top four, neglecting other strategies and, thus, putting them in a weaker position overall. The changes require an overall “packaged” approach across all eight strategies.
ACSC recommends that each organisation make its own risk-based assessment on the maturity level they require and then work to progressively achieve it. The process should be monitored and reviewed on a regular basis, even when the desired level has been achieved.
While these new changes may seem daunting for businesses, the Essential Eight are a strong basis for implementing proper cyber security policies and procedures to protect your business. Contact the security experts at Lindentech to find out how they can help.