Posted on March 30 by ITSmart
Your guide to the ACSC Essential Eight

There’s been a lot of talk about the Essential Eight cyber mitigation strategies from the Australian Cyber Security Centre (ACSC). But there’s also a lot of confusion. So we’re providing a simple explanation of what it is, and why you should follow its guidelines.

Here are the most important things to know:

    • The Essential Eight is a proven framework to mitigate cyber threats
    • It can be adopted at any level of security maturity
    • It provides a step-by-step process of ongoing improvement
    • Every organisation should use it.


Why would you need the ACSC Essential Eight?


In a nutshell: cyber threats. They’re growing at an unprecedented rate, with attacks becoming more widespread, sophisticated and persistent.

This trend has been amplified by the COVID-19 pandemic. As more people worked from home, often with unsecured devices and networks, cyber criminals saw massive opportunities.

In fact, during the 2020–21 financial year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year.

Professional services businesses are an attractive target for cyber criminals because they hold so much sensitive information – about the organisation, about their employees, and about their customers.

Data theft is a popular objective. More extreme cases involve business disruption and ransom demands. Apart from financial loss, the impact on reputation can be long-lasting if a breach occurs.


What is the ACSC Essential Eight?


The ACSC has identified a comprehensive list of thirty-seven strategies to mitigate an organisation’s exposure to cyber threats. Of these, eight were chosen as the most essential to stop systems being compromised by attacks.

It’s important to note here that the Essential Eight strategies to mitigate cyber security incidents are specifically designed for Microsoft Windows systems that are connected to the internet.

Not every organisation has to comply with the Essential Eight. It’s only mandatory for government agencies. However, the ACSC recommends that private enterprise implements these controls. And that’s especially relevant for professional services businesses.


Why professional services businesses should embrace the Essential Eight


Statistics show that cyber crime is on the rise. SMBs are an easy target because they generally don’t have the security budgets or resources that large enterprises have.

Here at IT Smart Solutions, we’ve also seen increasing attacks on professional services organisations, particularly law firms.

In addition, professional services clients are wanting proof of how the organisation is securing their data, especially in light of recent supply chain attacks.

By embracing the Essential Eight and working towards higher maturity levels, you can give your clients the confidence to do business with you.


How does the Essential Eight work?


Not surprisingly, the Essential Eight comprises eight pillars. They cover off the fundamental strategies to mitigate cyber security incidents, from basic computer security to Microsoft 365 data protection and compliance.

At IT Smart Solutions, we follow best practice when implementing the Essential Eight mitigation strategies for cyber attacks:

1. Application Control. Only allow a defined and approved set of applications to run. Never let unsanctioned applications access your systems.

2. Patch Applications. Make sure you have the most up-to-date software.

3. Configure Microsoft Office Macro Settings. Don’t use macros unless you need to as these are a common entry point for attack.

4. User Application Hardening. Configure your applications to be more secure. For example, ensure web browsers have been set to block Java script.

5. Restrict Administrative Privileges. Hackers use admin permissions to compromise systems. Only approved staff should use the admin logon.

6. Patch Operating Systems. Ensure you keep your Windows operating system up to date with security patches. This should be done automatically.

7. Multi-factor Authentication. This is crucial. Make sure you use multi-factor authentication for access to not only Microsoft 365, but to any other software or cloud service that your business uses.

8. Regular Backups. Even if you have your data in Microsoft 365, you should still back it up elsewhere as data in both Microsoft 365 and Google Cloud is not backed up.

Steve Ranson, CEO at IT Smart Solutions, views the Essential Eight as a journey for professional services businesses: I see the Essential Eight as an ongoing process. I recommend ticking off the easy ones such as automating patching and backing up data first.

For other pillars such as application control and reducing admin permissions, you’ll need to consider if additional restrictions are worth it. Perhaps you’re happy for employees to install whatever they want on their computers, and you’re willing to take the risk. It all depends on the culture of your business.”


What is the Essential Eight Maturity Model?


Confusion sometimes sets in with the Essential Eight cyber capability maturity model.  But it’s simple to understand. The ACSC has developed a security model from 0 to 3 for each of the Essential Eight cyber security risk mitigation strategies.

An organisation with a level 0 maturity model has not achieved any of the requirements. A level 3 means the organisation has achieved a high level of maturity.

A common misconception is that every organisation must achieve level 3 maturity. Not so. Only government agencies need to have level 3 maturity.

Other organisations can adopt the maturity level they need, depending on their vulnerabilities to cyber threats.

Steve Ranson makes a crucial point:

The most important thing to remember is that you can reach optimum security in the areas where it is possible to do so for your organisation. It is quite conceivable to have maturity level 3 on one pillar and 0 on another. For example, you could easily be at level 3 for patching but level 0 for application control. If for some reason you cannot implement application control, there is no reason you should not strive to achieve level 3 for patching”.


How can IT Smart Solutions help?


Since our inception in 2005, we’ve worked very closely with professional services businesses like accountancy and law firms. This enables us to understand their specific risks and challenges.

Many of these companies have asked us to help implement security controls in their organisation. This includes deployment of the Essential Eight, where we work with them on an ongoing basis.


See how we make the Essential Eight easy


Our Smart Security solution is the ideal support when adopting the Essential Eight cyber capability maturity model. It focuses on three key approaches to simplify mitigation strategies for cyber attacks.

We work closely with our clients, using existing tools within Microsoft 365 and third-party software to:

  • Proactively prevent malicious damage
  • Create a baseline to reduce risk factors
  • Mitigate possible data loss.

To see how our Smart Security solution can help you get on top of the security essentials with less time and trouble, click here.