The Essential 8 maturity model for cyber security
Cyber crime is one of the biggest problems within society today. The impact that it has on businesses and the public is becoming more severe every day.
It is estimated that cyber crime will cost global businesses $6 trillion by the end of this year, rising to more than $10 trillion by 2025. It is striking small and medium businesses in particular, as they are often viewed as weak targets, and it is taking place at a rate that has been deemed 'out of control' by many experts interviewed on 6clicksTV.
Unfortunately, recent months have seen dozens of high-profile successful attacks. Since the start of the COVID-19 pandemic, there has been a 300% increase in reported cyber attacks. It takes at least 280 days for a company to notice a breach, and 56% of breaches go undetected! All of this calls for an urgent need to take action.
The cyber security landscape has changed dramatically in the last decade and it continues to evolve at a rapid rate. A cyber-attack on an organisation can be devastating financially, reputationally and even for national security. This is why cyber security is now such a high-priority concern for any business of any size, globally.
In Australia, there is a prominent concern that most small businesses do not have cyber security awareness, strategies or plans in place. This is usually attributed to their lacking the necessary cyber defence skills and expertise.
To help close this gap, the Australian Signals Directorate (ASD) launched its Essential 8 Framework - aimed at helping Australian organisations improve their cyber resilience and cyber defences.
What is the ASD Essential 8 Maturity Model?
The Australian Signals Directorate (ASD) created the Essential 8 Framework. It is based on the original Top-37 and provides a prioritised list of baseline security controls that businesses can use to protect and improve their cyber security. According to ASD, these eight controls alone have the potential to prevent up to 85 percent of cyber attacks.
The Australian Signals Directorate, in conjunction with the Australian Cyber Security Centre (ACSC), has updated the list of recommendations based on feedback from the Australian cyber security community to help minimise the risk of cyber attacks. Hence, this maturity model is sometimes also referred to as the ACSC Essential 8. Read more in the practical guide for the ACSC Essential 8.
It is important that these recommendations are implemented where possible, as they will strengthen your cyber defences. These recommendations generally provide a good return on investment and a solid baseline when evaluating a cyber security strategy.
Establishing the Essential 8
The eight strategies were first published in February 2017. However, in 2014 the Australian Government had already made the top four compulsory for Australian Government departments and agencies. The remaining four are made mandatory by the Attorney-General’s Department’s PSPF (Protective Security Policy Framework).
Moreover, the December 2019 release by ASD of the Australian Government Information Security Manual (ISM) stated that organisations should implement the eight essential mitigation strategies as a baseline. 'This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise an organisation’s information security system'.
The Essential 8 Maturity Levels
Three maturity levels have been defined for each mitigation strategy to assist organisations in determining the maturity of their implementation of the Essential 8.
The maturity levels are defined as:
- Maturity Level One: partly aligned with the intent of the mitigation strategy
- Maturity Level Two: mostly aligned with the intent of the mitigation strategy
- Maturity Level Three: fully aligned with the intent of the mitigation strategy
What Maturity Level Should You Aim For?
Organisations should aim for Maturity Level Three for each mitigation strategy as a starting point. However, some organisations are constantly targeted by highly skilled adversaries or otherwise operate in a higher-risk environment. If the ACSC believes that an organisation requires a maturity level higher than Maturity Level Three, the ACSC will provide tailored advice to meet the needs of that organisation.
Strategies of the ASD Essential 8
The cyber maturity model also helps businesses build their cyber capability by using a whole-of-organisation approach. It focuses attention on the attack threats faced by, and the defences needed in, individual departments and functions within an organisation. It ensures alignment of cyber security strategies, processes and awareness throughout the organisation.
Regardless of the jurisdiction or framework your government recommends, these eight key security controls are recognised as critical to cyber resilience, as they help prevent attacks, limit the impact of attacks and recover data and system availability.
The following is a summarised version of the Essential 8 strategies:
- Application Control: protects against malicious code, including executable files such as .exe files and DLLs. Antivirus software cannot detect all unapproved programs, so this control is necessary to add the extra level of security that business systems need.
- Configure Microsoft Office Macro Settings: macros can contain malicious code. If you must run macros, it is best to allow them only from a trusted location, to run them with limited access, or to ensure that the certificate used to sign the macro is trustworthy.
- Patch Applications: for example Flash Player, Microsoft Office and web browsers. Patching known vulnerabilities keeps your software on the latest version and closes the defects that attackers may use to break in.
- User Application Hardening: the process of deciding what an application is allowed to do on a system. Disable any features in Microsoft Office, PDF viewers or web browsers that are not needed.
- Restrict Administrative Privileges: allow employees to access only the applications and systems required for their job duties. Users should not be given any more privileges than are necessary to carry out their daily tasks.
- Multi-factor Authentication: passwords alone are no longer an adequate means of authenticating users and protecting them against compromise. With stronger authentication, it is much more difficult for threat actors to gain unauthorised access.
- Patch Operating Systems: this strategy not only mitigates the risk of attack, it also reduces the potential damage. Upgrade to the newest operating system and patches instead of using unsupported versions.
- Daily Backups: not every action you take will prevent a cyber incident, but one thing we know for sure is that if you have backups or an alternate system ready to go, then in the event of ransomware or another kind of operational failure your data and software are far more likely to be recoverable.
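The three maturity levels and the eight strategies above can be turned into a simple self-assessment scorer. The following is an added example and is not code from the page, from 6clicks or from ASD/ACSC: it encodes the levels the page lists (1 = partly, 2 = mostly, 3 = fully aligned), adds a level 0 for "not implemented" (an assumption of this script), and assumes, as the ACSC's published model does, that an organisation's overall maturity is the lowest level reached across all eight strategies. The sample assessment is constructed for a hypothetical organisation.

```python
"""Essential 8 self-assessment scorer (added example, not the page's code)."""
from __future__ import annotations

# The eight strategies, in the order the page summarises them.
STRATEGIES = (
    "application_control",
    "office_macro_settings",
    "patch_applications",
    "user_application_hardening",
    "restrict_admin_privileges",
    "multi_factor_authentication",
    "patch_operating_systems",
    "daily_backups",
)

# Levels 1-3 follow the page; level 0 ("not aligned") is this script's own
# addition so that a missing control can be recorded rather than left out.
LEVEL_LABELS = {
    0: "Not aligned",
    1: "Partly aligned",
    2: "Mostly aligned",
    3: "Fully aligned",
}

# Constructed sample assessment for a hypothetical organisation.
SAMPLE_ASSESSMENT = {
    "application_control": 1,
    "office_macro_settings": 2,
    "patch_applications": 3,
    "user_application_hardening": 2,
    "restrict_admin_privileges": 1,
    "multi_factor_authentication": 2,
    "patch_operating_systems": 3,
    "daily_backups": 3,
}


def validate(assessment: dict[str, int]) -> None:
    """Reject assessments that skip a strategy, add unknown ones or use bad levels.

    A partial assessment is the most common error in practice: an overall
    score computed from seven strategies silently overstates maturity.
    """
    missing = set(STRATEGIES) - set(assessment)
    unknown = set(assessment) - set(STRATEGIES)
    if missing:
        raise ValueError(f"assessment is missing strategies: {sorted(missing)}")
    if unknown:
        raise ValueError(f"assessment has unknown strategies: {sorted(unknown)}")
    for name, level in assessment.items():
        if level not in LEVEL_LABELS:
            raise ValueError(f"{name}: level must be 0-3, got {level!r}")


def overall_level(assessment: dict[str, int]) -> int:
    """Overall maturity = weakest strategy (assumption: matches the ACSC model)."""
    validate(assessment)
    return min(assessment[s] for s in STRATEGIES)


def gaps_to(assessment: dict[str, int], target: int = 3) -> list[tuple[str, int]]:
    """Strategies below the target level, weakest first, then in page order."""
    validate(assessment)
    below = [(s, assessment[s]) for s in STRATEGIES if assessment[s] < target]
    return sorted(below, key=lambda item: (item[1], STRATEGIES.index(item[0])))


def blockers(assessment: dict[str, int]) -> list[str]:
    """Strategies that must improve before the overall level can rise by one."""
    current = overall_level(assessment)
    return [s for s in STRATEGIES if assessment[s] == current]


def report(assessment: dict[str, int], target: int = 3) -> str:
    """Human-readable summary of the assessment against the target level."""
    lines = [f"Overall maturity: level {overall_level(assessment)} "
             f"({LEVEL_LABELS[overall_level(assessment)]})"]
    for name in STRATEGIES:
        level = assessment[name]
        mark = "OK " if level >= target else "GAP"
        lines.append(f"  [{mark}] {name:<28} level {level} ({LEVEL_LABELS[level]})")
    lines.append("Raise these first to move the overall level up: "
                 + ", ".join(blockers(assessment)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ASSESSMENT))
```

Because the overall score is the minimum, the report deliberately lists the strategies currently pinning it down ("blockers") separately from the full gap list: raising the two level-1 controls in the sample to level 2 lifts the whole organisation to Maturity Level Two, whereas improving an already level-3 control changes nothing.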
Organisations should start by implementing the Essential 8 cyber security controls rather than following a specific cyber security framework. These eight key cyber security controls will help your organisation stay cyber resilient and protect your data, systems and services from cyber threats.
A realistic approach to protecting your business is to not stop with the Essential 8; instead, you should regularly review your systems and strengthen them against cyber attacks.
To make it easier for you to protect your company, we have created a checklist for you to track the progress of your company's cyber resilience. These basics alone can stop 85% of cyber attacks. Click here to download this handy list.
At 6clicks, we can also help you in assessing various risks. Book a demo with our team today to know more.