
‘Essential Eight’ for cybersecurity
The Australian Cyber Security Centre’s Essential Eight are eight measures the Australian Government recommends all organisations take to safeguard against cyber threats. The Essential Eight cover everything from application patching to multi-factor authentication.
Background
The Essential Eight are eight actions that all organisations should take to protect themselves from cyber threats. They were released by the Australian Cyber Security Centre (ACSC) in 2017 as part of that agency’s mandate to protect Australia from cyber threats.
The Australian Cyber Security Centre is part of the Australian Signals Directorate (ASD) and works across all sectors (business, not-for-profit, government, academia and the general community) to drive national cyber security. Its role encompasses responding to threats and protecting against threats to minimise harm to all Australians. Threats include:
Targeted cyber intrusions
Ransomware and other data destruction
Data theft from insiders
Data destruction from insiders
What are the Essential Eight?
The ACSC’s Essential Eight are eight essential actions organisations should take to protect themselves and their data in the digital age. The ACSC considers these mitigation strategies as baseline protection. The Essential Eight are:
Application whitelisting – to control the execution of unauthorised software
Patching applications – to remediate known security vulnerabilities
Configuring Microsoft Office macro settings – to block untrusted macros
Application hardening – to protect against vulnerable functionality
Restricting administrative privileges – to limit powerful access to systems
Patching operating systems – to remediate known security vulnerabilities
Multi-factor authentication – to protect against risky activities
Daily backups – to maintain the availability of critical data.
Our Compliance Management
Business IT ensures your cybersecurity compliance by thoroughly evaluating your systems against the Essential Eight security framework. This framework, developed by the Australian Cyber Security Centre (ACSC), outlines eight essential mitigation strategies to help organisations protect their systems from cyber threats. By adhering to these guidelines, we help you achieve a robust security posture.
Our approach includes:
Comprehensive Assessment: We conduct a detailed analysis of your current IT infrastructure to identify any gaps or vulnerabilities in relation to the Essential Eight framework.
Continuous Monitoring: Our advanced security toolset allows us to monitor your systems continuously for any changes or potential threats. This proactive approach ensures that any issues are detected and addressed promptly.
Implementation and Verification: We implement the necessary security measures to align your systems with the Essential Eight framework. Our tools provide verifiable evidence of these implementations, ensuring transparency and accountability.
Reporting and Documentation: We generate detailed reports that document the compliance status of your network. These reports can be shared with external parties, such as auditors or insurance companies, to demonstrate your commitment to cybersecurity.
By leveraging our expertise and advanced tools, we provide you with peace of mind, knowing that your business is protected against cyber threats and compliant with industry standards. Our goal is to help you maintain a secure and resilient IT environment, allowing you to focus on your core business activities.
Configure Microsoft Office macro settings
A macro is a single command that initiates a group of actions to automate commonly used procedures/sequences. This makes it easier and faster to execute common processes. However, a macro can also be used to deliver malicious code.
Macros are commonly used in the Microsoft Office suite, so configuring Microsoft Office’s macro settings to block macros from the internet and vet other macros is one of the Essential Eight.
Implementation: An IT administrator can set up allowed macros (they’re very handy and can save a lot of time so you don’t want to simply disable all macros). Allowed macros should be set up as ‘trusted’ by creating digitally signed macros. This can be done for all macros your organisation commonly uses or needs to use.
Read more information from the ACSC on Microsoft Office macro security.
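A read-only check of the two settings described above, added here as an example (it is not from the ACSC or from this page's author). It assumes Office 2016 or later (registry version key 16.0), that macro policy is deployed per user through Group Policy, and that Word, Excel and PowerPoint are the applications in use.

```powershell
# Added example: audit Office macro policy for the current user. Reads only.
# Assumptions: Office version key 16.0, policy set via Group Policy (HKCU Policies hive).
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'
$base = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = foreach ($app in $apps) {
    $path  = "$base\$app\Security"
    # 1 = block macros in files that came from the internet
    $block = Get-PolicyValue -Path $path -Name 'blockcontentexecutionfrominternet'
    # 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification
    $warn  = Get-PolicyValue -Path $path -Name 'vbawarnings'

    [pscustomobject]@{
        Application           = $app
        BlockFromInternet     = if ($null -eq $block) { 'not configured' } else { $block }
        VBAWarnings           = if ($null -eq $warn)  { 'not configured' } else { $warn }
        InternetMacrosBlocked = ($block -eq 1)
        SignedOnlyOrDisabled  = ($warn -in 3, 4)
    }
}

$results | Format-Table -AutoSize

# Any application missing either setting is a gap against this control.
$gaps = @($results | Where-Object { -not ($_.InternetMacrosBlocked -and $_.SignedOnlyOrDisabled) })
if ($gaps.Count -gt 0) {
    Write-Warning ("Macro policy gaps in: " + ($gaps.Application -join ', '))
}
```

A value of 'not configured' means the user's own Trust Center choice applies, so the result depends on each user rather than on policy.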
Restrict administrative privileges
Administrator logins should be restricted to users whose jobs clearly require them to have administrator access, and administrator accounts shouldn’t be used for reading email or browsing the web. Administrative access also needs to be re-evaluated regularly. Administrative privileges bring power and access to your internal system, so guard your admin accounts!
Implementation: Review all your user accounts to make sure administrative privileges are only assigned to users who need administrative access. You should also review user account settings for all network devices like routers, any IoT devices, etc.
Set up a policy for admin accounts and any user accounts with different privileges (you may have some people who need access to some extra systems, but they shouldn't automatically get full admin access). At the same time, you can also check your password settings and policy.
Read more information from the ACSC on restricting administrative privileges and secure administration.
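One way to carry out the account review on a single Windows machine, added here as an example (not the ACSC's or this page's own tooling). The `$approved` list is hypothetical and `CONTOSO` is a constructed sample domain name; replace both with your organisation's entries.

```powershell
# Added example: compare local Administrators membership with an approved list.
# Requires Windows PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts module).

# Hypothetical allow list of accounts and groups permitted to hold local admin rights.
$approved = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins'          # constructed sample value
)

# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# so the lookup works whatever the display language of the system.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass        # User or Group
        Source      = $m.PrincipalSource    # e.g. Local or ActiveDirectory
        Approved    = $approved -contains $m.Name   # case-insensitive match
    }
}

$report | Sort-Object Approved, Name | Format-Table -AutoSize

# Anything not on the allow list needs a documented reason or removal.
$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unapproved local administrators: " + ($unexpected.Name -join ', '))
}
```

Group entries in the output still need their own membership reviewed, since everyone in an approved group inherits the same rights.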
Multi-factor authentication
Multi-factor authentication means users need to provide another form of identification to access systems. The first ‘factor’ is your username and password, and multi-factor authentication adds another layer of security. This type of authentication can be achieved by additional SMS codes, mobile apps, smart cards, etc. Multi-factor authentication should be used for remote access and when users are doing certain actions or accessing sensitive data.
Implementation: Once you’ve implemented a strong username and password system, you can look at adding in the next layer of security. At this stage, you should think about which systems need multi-factor authentication (e.g. all remote access) and investigate your options before deciding on the type of multi-factor authentication to use.
Read more information from the ACSC on multi-factor authentication.
Patch applications
All applications (e.g. web browsers, Microsoft Office, web content management systems, payroll software, etc.) should be patched within 48 hours of an ‘extreme risk’ patch being released and should be updated regularly outside of extreme risk patches. To ensure optimum protection, you should also use the latest version of all applications. This helps to reduce the risk of malicious code using a security vulnerability in your applications to damage your systems or data.
Implementation: Again, a policy listing all applications and the frequency of regular patching is a good idea. Patching should be carried out by your IT department or administrator. Web content management systems need to be patched by your web team or web vendor (you may like to read more information on open source security patching and updates).
Read more information from the ACSC on assessing security vulnerabilities and applying patches.
Application hardening
‘Hardening’ applications means looking at your existing applications and making them more secure. For example, in some applications, you might disable certain features that your organisation doesn’t use/need or only enable them for some users. This particularly applies to web browsers, because Flash, ads and Java are often used to distribute malicious code. Ensuring Flash, ads and Java are blocked increases your organisation’s cyber security.
Implementation: You should go through all applications and web browsers currently used in the organisation and make sure unused and at-risk features are disabled. Features that only need to be used by some people should only be enabled for them, not the whole organisation.
Read more information from the ACSC on hardening Microsoft Office 2013, hardening Microsoft Office 2016 and minimising the threat from Java-based intrusions.
Patch operating systems
Use the latest operating system version available (and certainly don’t use unsupported versions). When ‘extreme risk’ vulnerabilities are identified and patches released, patch within 48 hours. Just like applications, out-of-date and unpatched operating systems make a system more vulnerable to malicious activities.
Implementation: Set up a policy for operating system patches that includes how often operating systems should be reviewed and patches applied (for the regular patches as opposed to the extreme risk ones, which should be applied within 48 hours). Set up organisation-wide patching implementation so you’re not individually patching every machine. And don’t forget other operating systems, such as anything on your network (e.g. printers), IoT devices and smartphones.
Read more information from the ACSC on assessing security vulnerabilities and applying patches.
Daily backups
Daily backups for all important (or perhaps all new/altered) data ensure your data is still available in the event of a cyber incident. Of course, you probably already have a system in place for data backups (to protect against technical issues), but with the Essential Eight in mind it’s a good idea to review that backup feature.
Implementation: First of all, work out who’s responsible for your data and whether it’s stored on-premises, hosted or in the cloud. Next, decide if you’ll back up all data daily, or at specific intervals (e.g. you might do a weekly full backup with a backup of only essential items daily).
If you haven’t already got one, write a disaster recovery plan that sets out what happens in the event of a cyber incident or other disaster.