Understanding ACSC’s Essential Eight cyber security strategies

22 February 2024 by
Daniel Sparkman
| No comments yet

Are you wondering about protecting your business from cyber attacks? A good place to start is understanding the Australian Cyber Security Centre’s (ACSC) Essential Eight mitigation strategies and learning how they can be good starting points for strengthening your cyber security posture.

So, what are these Essential Eight strategies? 

The Essential Eight is a cyber security framework created back in 2017 by the ACSC, borne from an original set of four security controls from the Australian Signals Directorate (ASD). These controls have since evolved and expanded to include four more strategies, establishing the eight controls that aim to protect Australian businesses from cyber threats today:

1) ​Application control

This involves limiting the software applications your staff can run on their devices, computers and your company network. You may choose to either whitelist or blacklist a list of applications that are allowed to run on your systems. This helps to control access to potentially critical data and prevent unauthorised breaches. 

2) ​Patch applications

This refers to regularly updating the software applications your company uses to conduct business. This is a good practice to get onto as patching fixes the vulnerabilities and bugs in software that attackers can exploit to get into your systems. 

3) Patch operating systems

Like patching application, this refers to applying updates to the operating system (e.g. Windows, Apple, Linux) that runs your business computers. Not only will this help to enhance security, it can also improve the stability of your systems and make them more efficient. ​

4) ​Multi-factor authentication

This is a security method that adds an extra layer of protection to an employee account or computer system by requiring users to provide two or more verification factors, such as a code from a mobile app, before gaining access. This should be enabled across your business. 

5) ​User application hardening

In simple terms, this means configuring the settings and features within a software application to restrict its functionalities so that it is less “open” and more secure. Finding a balance between usability and security is crucial when implementing this strategy. 

6) ​Restrict administrative privileges

Limiting the number of users who have administrative access to systems and accounts, can minimise the potential damage caused by a cyber attack. Your IT team should be familiar with these users and monitor activity in their privileged accounts regularly. 

7) ​Restrict macros in Microsoft Office documents

Macros are programs used to automate tasks or add new functionalities to your Word, Excel and PowerPoint documents. While they can be very useful in helping you be more efficient, they can pose a security risk too. Attackers can embed malware within macros which are executed automatically when you open a document, potentially compromising your system. Disabling macros by default helps to protect against this type of attack. 

8) ​Regular backups

Timeless tech wisdom – back up and test your data! Failing to do so puts your business at risk of devastating monetary and data loss in the event of a cyber attack. Not to mention the costly downtime and reputational damage to your company. 

Do I have to implement Essential Eight? 

Essential Eight is not mandatory, however, it is a recommended best practice and all businesses across Australia are highly encouraged to apply all, if not, some of these strategies. Essential Eight is suitable for all industries and companies of all sizes, making it the most relevant and comprehensive standards in the cyber security space. 

Another point to consider is the increasing scrutiny on company directors by the Australian government in response to rising cyber attack incidences across Australia. For example, the Australian Securities and Investment Commission (ASIC) had warned that directors could be held liable for negligence if they fail to protect their companies and customers from cyber attacks. This places the responsibility squarely on their shoulders to become more proactive in assessing the risks and implementing the right controls. Additionally, substantial penalties for data breaches have been introduced by the Federal government, further underscoring the importance of adopting the Essential Eight as part of a vigilant approach to cyber security. 

Where do I begin? 

We would recommend starting with the “low-hanging fruit”. These are strategies that require minimum effort to implement, such as turning on multi-factor authentication, restricting administrative privileges and disabling macros in Microsoft Office documents.

At the same time, you can start looking at your data – where it is stored and levels of sensitivity. Analyse the potential impact of a cyber attack and use this as a gauge to decide which strategies to implement first.

You should also review your business's current cyber security posture against the Eight to get a sense of how robust your systems are against cyber attacks. This model can help you identify gaps in your implementation of the Essential Eight strategies and provide a roadmap for continuous improvement.

Staying vigilant

As we continue to rely more heavily on digital technologies, we also become more vulnerable to potential cyber attacks. The only way to protect your business, data and people is to be proactive in your cyber security approach and implementing the Essential Eight strategies is a good place to start. 

For a limited time only, Netway is offering a free 30-minute cyber security consultation where we will work with you to review the current IT footprint of your business and make recommendations on how to improve your security posture. Reach out to us today to learn more.  

Sign in to leave a comment