What you need to know about the ACSC’s Essential Eight Maturity Model and how your organisation can implement it to protect against cyber threats.
All About the Essential Eight Maturity Model
In July this year, while the whole of Australia was preoccupied with talks of lockdowns and COVID-19 spreads, the Australian Cyber Security Centre (ACSC) was busy rolling out new advice on the implementation of the Essential Eight for organisations.
The Essential Eight Maturity Model defines how Australian organisations should protect themselves against various cyber threats. Still feeling baffled? Let’s talk some more about what Essential Eight is, and how you can comply.
What is the Essential Eight Maturity Model?
The Essential Eight Maturity Model is a set of mitigation strategies developed by the ACSC that can help organisations fight off common attack vectors. This framework is specifically designed for Microsoft Windows-based Internet-connected networks, and is particularly useful for small to medium businesses that want to improve their security controls.
The model is divided into eight strategies (hence the name) which fall under three broader objectives:
- Prevent malware attacks
- Limit the extent of cybersecurity incidents
- Recover data & systems
But what’s all this talk about “maturity”? Basically, the model grades how completely an organisation has implemented each mitigation strategy, in increasing levels of maturity. Once a business has reached Maturity Level Three, it is fully aligned with the intent of the mitigation strategy.
What does that mean for your organisation?
The idea is that organisations use the Essential Eight Maturity Model as a baseline for their cybersecurity strategies. Once Maturity Level One is implemented, your business should aim to move up until you make it to Level Three, and your data is as protected as it can be.
How to implement the Essential Eight
In order to implement the Essential Eight, the first step for organisations is identifying the most suitable target maturity level. It’s then a case of working through each maturity level until you achieve that target.
Before moving onto a higher level, it’s important that you achieve the same maturity level across all eight mitigation strategies. Use a risk-based approach and take measures to minimise impact to users and systems.
Organisations are required to self-assess against the guidelines - there’s no need to call in an independent party to certify your Essential Eight implementation.
What are the Essential Eight strategies?
Mitigation strategies to prevent malware attacks
- Application whitelisting - define the programs you trust to prevent the execution of malicious applications.
- User application hardening - the ACSC recommends locking down, uninstalling and disabling the features and applications you don’t need. Configure web browsers to block Flash, ads and Java.
- Patch applications - update or patch those applications with publicly identified vulnerabilities.
- Configure Microsoft Office macro settings - block macros in files from the internet, to protect against Word documents carrying malicious code.
Mitigation strategies to limit the extent of cybersecurity incidents
- Restrict administrative privileges - restrict privileges to operating systems and applications based on user duties, and carry out regular audits.
- Patch operating systems - patch or otherwise mitigate computers that have extreme-risk vulnerabilities. Always use the latest, supported versions.
- Implement multi-factor authentication - all users should require MFA to get access to systems.
Mitigation strategies to recover data & systems
- Carry out daily backups - back up data and software, store it off-site and keep hold of it for at least three months.
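Because the Essential Eight is self-assessed, a practical first step is to script a few spot checks on a representative Windows workstation. The script below is an added example written for this article, not ACSC tooling and not code from The IT Department. It samples four of the eight strategies on the local host: Office macro blocking, local administrator membership, OS patch recency and whether AppLocker’s enforcement service is running. It assumes Windows 10 or later with PowerShell 5.1+, Office 2016 or later (so the policy hive is `16.0`), and the documented policy value `blockcontentexecutionfrominternet`; the pass/fail thresholds (two local admins, 30-day patch window) are assumptions you should replace with your own risk appetite.

```powershell
# Added example: spot-check four Essential Eight strategies on one Windows host.
# Not ACSC tooling and not from the original article. Assumes Windows 10+/PowerShell 5.1+,
# Office 16.0 policy hive, and the "blockcontentexecutionfrominternet" policy value.
# Run from an elevated prompt for complete results. Thresholds below are assumptions.

$results = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param([string]$Control, [string]$Status, [string]$Evidence)
    $results.Add([pscustomobject]@{
        Control  = $Control
        Status   = $Status
        Evidence = $Evidence
    })
}

# 1. Configure Microsoft Office macro settings: are macros in files from the Internet blocked?
#    Checks the per-user policy first, then the machine-wide policy (assumed key layout).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $value = $null
    foreach ($hive in 'HKCU', 'HKLM') {
        $key  = "${hive}:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $item = Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue
        if ($item) { $value = $item.blockcontentexecutionfrominternet; break }
    }
    if ($value -eq 1)          { Add-Result "Office macros ($app)" 'Pass' 'Internet macros blocked by policy' }
    elseif ($null -eq $value)  { Add-Result "Office macros ($app)" 'Fail' 'No block policy configured' }
    else                       { Add-Result "Office macros ($app)" 'Fail' "Policy value is $value" }
}

# 2. Restrict administrative privileges: who is in the local Administrators group?
try {
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
    $names  = ($admins | ForEach-Object { $_.Name }) -join ', '
    $status = if ($admins.Count -le 2) { 'Pass' } else { 'Fail' }   # two-member threshold is an assumption
    Add-Result 'Local admin membership' $status "$($admins.Count) member(s): $names"
} catch {
    Add-Result 'Local admin membership' 'Unknown' $_.Exception.Message
}

# 3. Patch operating systems: how old is the most recently installed update?
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $age    = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $status = if ($age -le 30) { 'Pass' } else { 'Fail' }             # 30-day window is an assumption
    Add-Result 'OS patch recency' $status "$($latest.HotFixID) installed $age day(s) ago"
} else {
    Add-Result 'OS patch recency' 'Unknown' 'No hotfix install dates available'
}

# 4. Application whitelisting: is the AppLocker enforcement service running?
#    A running service is only a coarse indicator; rule coverage still needs review.
$svc = Get-Service -Name 'AppIDSvc' -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    Add-Result 'Application control (AppLocker)' 'Pass' 'AppIDSvc running'
} else {
    Add-Result 'Application control (AppLocker)' 'Fail' 'AppIDSvc not running or absent'
}

$results | Format-Table -AutoSize
```

Each row records evidence alongside the verdict, which is what an internal self-assessment needs to keep: the same checks run across a sample of hosts give you a per-strategy picture, and the lowest-scoring strategy sets the maturity level you can honestly claim before moving up.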
Book a consultation
The updated guidelines from the Australian Cyber Security Centre are a lot to take in - we know! That’s why The IT Department helps to make sure your organisation is in compliance and has maximum protection from cyber threats. Book a consultation and let us take the weight off your shoulders.