What’s the ASD Essential 8? A guide and checklist for your business
How cyber threats could impact your business
Data breaches and impacts from cyber security threats are becoming more common for Australian businesses. From July to December 2023, the Office of the Australian Information Commissioner (OAIC) received 483 breach notifications. This was up 19% on the period January – June 2023.
Dealing with the aftermath isn’t cheap either. According to the Australian Signals Directorate’s “Cyber Threat Report 2022-2023”, the average cost of a data breach in Australia went up by 14% in 2023, with a total reported loss of almost $80 million.
You may already have measures in place to protect your business. But regardless of your cyber maturity level, no business is immune to security breaches. So, it’s important to proactively consider what more you could do.
Read on to explore how the Essential Eight can help protect your business and customers.
What is the Essential Eight?
The Essential Eight is a set of risk mitigation strategies developed by the Australian Cyber Security Centre (ACSC) based on its real-world experiences and insights. The ACSC helps lead the Australian Government’s efforts to improve cyber security for Australia. These measures can help businesses of any size limit their exposure to cyber security threats.
The Essential Eight was first published in 2017. It was then updated in 2021, with further updated controls added in November 2023. Each update better aligns the controls and maturity model to help reduce risk. This is based on actual activity seen across the cyber landscape.
Essential 8 Checklist
- Put in place application controls
- Patch your applications
- Restrict Microsoft Office macro settings
- Implement user application hardening
- Restrict administrative privileges
- Patch operating systems
- Regular backups
- Set up multi-factor authentication.
What are the Essential Eight mitigation strategies?
Including the Essential Eight in your cyber security plan can make it harder for hackers to get into your systems and help safeguard your most important data in the event that they do. Below we unpack these key strategies and why they are important.
Put in place application controls
This is about only allowing approved and trusted programs, or identified entities, access to your network. Doing this helps prevent the execution of malicious programs from harming systems in your environment.
Learn more about implementing application control
Patch applications
Patching is about making sure you upgrade software to the most recent versions. This includes things like your web browser, Microsoft Office or PDF viewers and includes apps running on your mobile phone. It is one of the most effective ways of securing your network and environment.
The Australian Signals Directorate (ASD) saw that 1 in 5 vulnerabilities were exploited within 48 hours of a patch or mitigation guidance being circulated.
Fully patched applications are an essential foundation on which other security controls can be improved. They help fix known vulnerabilities or flaws that could otherwise provide an entry point for hackers to access your systems.
The 2023 updates to the Essential Eight also recommend aligning maturity level patching and control review timelines to meet threat actor tactics, techniques and procedures. Be sure to read about the relevant Essential Eight maturity model changes.
Learn more about assessing security vulnerabilities and applying patches
Restrict Microsoft Office macro settings
Microsoft Office applications often use macros to automate routine tasks. Macros are embedded code, and they are powerful tools that can be easily created to help improve productivity.
However, Microsoft macros can also be used to deliver and execute malicious code on systems. This can cause unauthorised access to sensitive information. If you use Microsoft Office, it’s important to include macro security in your cyber security strategy.
Learn more about restricting macros
Implement user application hardening
User application hardening means making sure you review and configure your applications. This helps ensure they work correctly and are secure.
Application hardening can also include regularly updating old tools or applications. You can also consider blocking or uninstalling items you do not use such as Flash, PDF viewers or Java on the internet.
Learn more about user application hardening
Restrict administrative privileges
Admin privileges give certain users the ability to make major changes to systems. For hackers, access to these accounts means they can use them to gain full access to company information and systems.
It helps to restrict admin privileges based on employee duties. Consider regularly revalidating the need for privileges you grant to users. For example, someone who mainly uses their computer for email and browsing the internet doesn’t need admin rights. Similarly, privileged accounts shouldn’t access internet email and web services.
Controls should also be put in place to address organisational changes. This includes staff turnover or movements in the organisation.
In the 2023 updates to the Essential Eight, the ACSC also recommends admin privileges are considered in cloud services. This is important as many organisations continue to adopt cloud-based applications.
Learn more about restricting administrative privileges and related Essential Eight maturity model changes.
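The checks described in this section (revalidating privileges, keeping privileged accounts away from internet email and web, handling staff changes, and including cloud admins) can be run as a simple audit over an account inventory. The following is an added example, not code from this article or the ACSC; the account records, field names and the 365-day revalidation interval are assumptions.

```python
from datetime import date

# Constructed sample inventory; the accounts and field names are hypothetical.
ACCOUNTS = [
    {"user": "a.nguyen", "admin": True, "scope": "on-prem", "employed": True,
     "mail_web_access": False, "last_revalidated": date(2024, 5, 1)},
    {"user": "b.singh", "admin": True, "scope": "on-prem", "employed": True,
     "mail_web_access": True, "last_revalidated": date(2024, 3, 1)},
    {"user": "c.lee", "admin": True, "scope": "cloud", "employed": False,
     "mail_web_access": False, "last_revalidated": date(2023, 1, 15)},
    {"user": "d.jones", "admin": False, "scope": "on-prem", "employed": True,
     "mail_web_access": True, "last_revalidated": date(2022, 1, 1)},
]
SAMPLE_TODAY = date(2024, 7, 1)
REVALIDATE_DAYS = 365  # assumed review interval; the article does not give one


def audit_admin_accounts(accounts, today, max_age_days=REVALIDATE_DAYS):
    """Return {user: [findings]} for privileged accounts, on-prem and cloud."""
    findings = {}
    for acct in accounts:
        if not acct["admin"]:
            continue  # standard users are out of scope for this check
        issues = []
        if not acct["employed"]:
            issues.append("owner has left the organisation: remove privileges")
        if acct["mail_web_access"]:
            issues.append("privileged account can reach internet email and web")
        age = (today - acct["last_revalidated"]).days
        if age > max_age_days:
            issues.append(f"privileges not revalidated for {age} days")
        if issues:
            findings[acct["user"]] = [f"[{acct['scope']}] {i}" for i in issues]
    return findings


if __name__ == "__main__":
    for user, issues in audit_admin_accounts(ACCOUNTS, SAMPLE_TODAY).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

In practice the inventory would come from your directory and cloud identity exports, with the revalidation interval set by your own policy.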
Patch operating systems
Hackers often target vulnerabilities in operating systems, like Office 365, to breach organisations. This means patching these systems is important.
Patches help improve the security of operating systems by fixing known vulnerabilities. The ACSC also recommends working with the latest versions of operating systems and to not use unsupported versions.
Learn more about patching operating systems
Regular backups
Backing up your data can help you recover more quickly if an incident impacts your ability to access your systems. It also ensures your information can be accessed following an incident, such as a ransomware attack.
Before you begin, consider what data you'll need to recover in the event of a security breach. This most likely includes sensitive information, customer data, software, and configuration settings. It can also be very worthwhile to check that your backed up data can be restored effectively. It's good to get confidence around this in advance of being in any active breach situation.
Learn more about the importance of regular backups and the 3-2-1 backup strategy.
Set up Multi-Factor Authentication (MFA)
Stronger user authentication makes it harder for threat actors to compromise sensitive information, even if they have a password. MFA is particularly important for any of your high-risk transactions or activities, such as payments or updating billing information.
There are different grades of MFA and the recent updates to Essential Eight have prioritised stronger and more robust forms of MFA and application control techniques.
The new minimum standard requires ‘something users have’, besides ‘something users know’.
This has been adopted across all maturity levels. Phishing-resistant MFA requirements start at maturity level 2. Explore the relevant Essential Eight maturity model changes.
Learn more about multi-factor authentication
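The two rules stated above (a ‘something users have’ factor besides ‘something users know’ at every level, and phishing-resistant MFA from maturity level 2) can be checked against an export of enrolled factors. The following is an added example, not code from this article or the ACSC; the factor catalogue, its classifications and the user names are assumptions.

```python
# Factor catalogue: an assumption made for this example, not a list from the
# article. Each entry is (category, phishing_resistant); the flag marks
# methods that are commonly classed as phishing-resistant.
FACTORS = {
    "password":           ("know", False),
    "security_question":  ("know", False),
    "pin":                ("know", False),
    "sms_otp":            ("have", False),
    "totp_app":           ("have", False),
    "push_approval":      ("have", False),
    "fido2_security_key": ("have", True),
    "smartcard":          ("have", True),
}

# Constructed enrolment export; user names are hypothetical.
ENROLMENTS = {
    "e.brown": ["password", "security_question"],
    "f.chen": ["password", "sms_otp"],
    "g.patel": ["pin", "fido2_security_key"],
}


def mfa_gaps(enrolled, target_level):
    """List where a user's enrolled factors fall short of the stated rules."""
    unknown = [f for f in enrolled if f not in FACTORS]
    if unknown:
        raise ValueError(f"unclassified factor(s): {unknown}")
    categories = {FACTORS[f][0] for f in enrolled}
    gaps = []
    # Minimum at every maturity level: 'have' in addition to 'know'.
    if "have" not in categories:
        gaps.append("no 'something users have' factor")
    if "know" not in categories:
        gaps.append("no 'something users know' factor")
    # Phishing-resistant MFA is required from maturity level 2 upwards.
    if target_level >= 2 and not any(FACTORS[f][1] for f in enrolled):
        gaps.append("no phishing-resistant factor enrolled")
    return gaps


def report(enrolments, target_level):
    """Map each user with at least one gap to their list of gaps."""
    results = {u: mfa_gaps(f, target_level) for u, f in enrolments.items()}
    return {u: g for u, g in results.items() if g}
```

Two knowledge factors (a password plus a security question) do not count as MFA under this rule, which is why the first sample user fails even at level 1.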
What is the ASD Essential 8 Maturity Model?
The ASD Essential 8 Maturity Model helps to define how advanced a business is with regard to cyber security. To help with the implementation of the Essential Eight, the ACSC has identified four maturity levels (zero through to three).
When implementing the Essential Eight, it helps to identify and plan for a target maturity level suitable for your business.
We recommend you read the information on the Essential Eight published by the ACSC. This gives more information on the Essential Eight maturity model. It can also help you get a firm understanding of your requirements. The ACSC recommends progressively implementing each maturity level until that target is achieved.
What are the Essential 8 Maturity Levels?
- Maturity Level 0: There is minimal cyber security defence.
- Maturity Level 1: There is a basic level of cyber security implemented.
- Maturity Level 2: There is an advanced level of cyber security defence and education.
- Maturity Level 3: The highest level of cyber security is achieved, with the Essential 8 fully implemented and updated and all staff properly educated, allowing agile responses to cyber threats.
How to begin your Essential Eight journey
The best place to start is to familiarise yourself with the Essential Eight by using resources provided by the ACSC. This can help you start to think about ways to implement the risk management strategies within your organisation.
The recent 2023 updates also saw the ACSC update their process guidance. This helps organisations assess their implementation of the Essential Eight strategies. It can also help you understand how effective that implementation is against your desired maturity level.
Recommended reading on the Essential Eight
- Strategies to Mitigate Cyber Security Incidents. Guidance to help your business mitigate cyber security incidents caused by cyber threats.
- Essential Eight. An online hub to help you integrate the Essential Eight into your cyber security strategy.
- Essential Eight maturity model. A framework to help your business put in place the Essential Eight using a risk-based, step-by-step approach.