Essential 8
Get expert help with Essential 8 assessment and implementation
We help Australian businesses confidently complete Essential 8 assessments and apply the cyber strategies long-term.
Let our Cyber Specialists help
Essential 8 is eight areas organisations can focus on to prevent and manage the most common cyber security attacks.
The Essential 8 principles originate from the Australian Cyber Security Centre (ACSC) which is part of the Australian Signals Directorate (ASD) and the Australian Federal Government. The 8 controls are extracted from hundreds originally focused on national security defence and tailored as a starting point for all organisations.
The origin of Essential 8 is very defence heavy. Originally developed to protect Australia’s national security, the ACSC put together a list of several hundred controls to sure up Australia’s cyber security national defence. The Australian Government first took this comprehensive list and extracted it down to a more digestible list of 35 key controls. These were all selected with organisations in mind. That list has since been distilled down further to 8 essential controls. These controls focus on defending against the most common cyber attacks and mitigating the impacts of any successful attacks.
Improve your organisation’s cyber security
Essential 8 gives organisations a focused way to protect themselves against the most common cyber attacks. The controls focus on protecting areas of businesses most commonly targeted and mitigating the impacts of successful attacks. Following the principles can radically improve your cyber defence.
Increase your business opportunities
As well as giving your business a solid control baseline to improve your cyber security, Essential 8 demonstrates this fact to other businesses, consumers, regulators etc. This can lead to new business opportunities because it helps third parties trust you are taking cyber security measures seriously to protect their (and their customers) information.
Ideal for small businesses
Essential 8 is suitable for any sized organisation, but is particularly valuable to small, entry-level businesses looking to achieve a base level of cyber security. The strategies allow organisations to invest in high return controls to level up their cyber security and defend against most cyber attacks.
Maturity levels to fit any sized organisation
A three-stage maturity level is attached to each control to help organisations correctly size their implementation based on their risk appetite. It means you can enhance your cyber security incrementally. For instance, you can start by achieving maturity level 1 across all Essential 8 strategies, or you can focus on a key control and take it to maturity level 3, whichever helps mitigate the largest risk to your business.
How we help with Essential 8 assessment and implementation
1. Understand your ‘why’
We start by understanding your reasons for wanting to apply Essential 8 to your organisation. This could be generally improving your cyber security risk posture, getting guidance identifying and addressing cyber security gaps in existing implementations, or maybe you’ve been told it’s an industry requirement.
2. Scope the deliverables
We’ll interview key stakeholders in your organisation to understand which environments you want included in-scope for the assessment. For instance, information technology (IT), operational technology (OT) etc.
3. Identify your key stakeholders
We’ll help you identify who’s required for Essential 8 discussion workshops, e.g., teams involved with IT applications, cyber security, networks or systems, external MSPs/MSSPs etc. We recommend those responsible for implementing and managing the technical controls be involved in workshops.
4. Matching to a Maturity Level
Prior to the cyber health assessment, we’ll work with you to identify the right Essential 8 Maturity Level for your business goals. This ranges from Maturity Level 1 to Maturity Level 3.
5. Assessment against Essential 8
We’ll measure your level of alignment with a focus on the Essential 8 strategies and highlight key misalignments with control implementation.
6. Technical Essential 8 recommendations
We’ll develop business-specific technical recommendations for each Essential 8 strategy. Each recommendation will focus on uplifting the Essential 8 response to the target maturity level.
7. Assessment report
We’ll provide you with an easy to digest E8 Assessment Report. In the report, we’ll describe each E8 mitigation strategy and your business’ current alignment with its target maturity level, as well as guidance on quick wins, tasks to be prioritised, and suggested timelines to uplift each control.
8. Support with implementation
We can help implement partner technologies needed to uplift your Essential 8 maturity. We can also perform reviews of technology and provide ongoing cyber security strategy and guidance.
Complete Essential 8 assessment, and implement your cyber security strategies, with confidence.
The Essential 8 Strategies...
1. Application control
This refers to the level of control and constraints you have over applications. It involves stopping software libraries, scripts, installers, and other executables from running on workstations.
2. Patch applications
This refers to applying security updates and patches as quickly as feasible. The strategy requires frequent usage of vulnerability scanners to detect missing patches and updates, as well as removing solutions no longer supported by their vendors.
3. Configure Microsoft Office macro settings:
This refers to the amount of freedom your users have to run macros in Microsoft Office applications. Most users should have macros blocked as default, unless they have a business requirement not to.
4. User application hardening
This refers to the limitations placed on users’ applications. At minimum, web browsers shouldn’t be able to process ads or Java content from the internet, Internet Explorer 11 should be disabled and users shouldn’t be able to change these security settings.
5. Restrict administrative privileges
This involves managing users with administrative privileges. It includes validating requests for privileged access to systems and applications, blocking privileged accounts from accessing the internet and using separate operating environments for privileged and unprivileged users.
6. Patch operating systems
This strategy focuses on keeping operating systems up to date to ensure operating system patches, updates and security mitigations for internet-facing services are applied within two weeks of release (or 48 hours if an exploit exists). Vulnerability scanners should be used to identify any missing patches and software not supported by vendors should be replaced.
7. Multi-factor authentication
This involves enforcing multi-factor authentication (MFA). Maturity starts by enforcing MFA for all users before they access internet-facing services and third-party providers.
8. Regular backups
This involves ensuring critical systems and information is securely backed up and readily available. All backup and restoration systems are tested and unprivileged accounts restricted to their own backup environments.
