Get expert help with Essential 8 assessment and implementation
From one of the first organisations in Australia to achieve ISO 27001:2022
Our cyber security specialists help Australian businesses confidently complete Essential 8 assessments and apply the cyber strategies long-term.
The MyEmpire Group difference
"We’re big enough to support all manner of businesses, from ma and pa’s to enterprise, but small enough to still obsess over detail."
We don’t obsess over detail to the point of paralysis, but we do take great pride in delivering exceptional work. And it’s not just because we get a thrill receiving elated client feedback, although that’s something we all share in common. Primarily it’s because we genuinely care about building cyber security systems that protect businesses. That means really learning your business and your people so we can develop a cyber security strategy suited to you, not a close-enough template pulled from a file. That’s what makes us different; we only feel satisfied when we know a job’s been done right.
Our People
Our cyber security specialists are a mixture of seasoned veterans, many with 30+ years’ experience in IT, management and security. We also have young faces on the team, our rising stars–those whose talents we recognised early and chose to invest in.
Beyond being experts in their fields, our people share a few things in common, a result of how we hire. Prior to any skills being tested in an interview, we look for personable people. Authentic, honest people who are passionate about their field and good communicators. In other words, we look for people who light up when they talk about their line of work. People whose passion is contagious. Only candidates who meet this criteria are taken through the typical interview steps where we probe skills and work history.
Leadership Team
Alex Woerndle
HEAD OF OPERATIONS
(CO-FOUNDER & DIRECTOR)
Alex is an experienced director, IT consultant and infosec professional. He provides security management and leadership to a range of organisations from start-ups through to governments and ASX50 listed enterprises. He has also served over 10 years in voluntary roles as a Non-Executive Director of the Australian Information Security Association,.au Domain Administration Ltd and the Australian Conservation Foundation’s Finance, Audit and Risk Committee.
Carl Woerndle
HEAD OF SALES AND MARKETING
(CO-FOUNDER & DIRECTOR)
Carl has more than three decades’ experience in IT, security and business leadership. Prior to MyEmpire Group, he and Alex built DistributeIT which held approx. 10% market share of .com.au domains. As well as a business owner and manager, Carl has worked as a Cyber Security Advisor consultant for Deloitte. He is a regular keynote speaker on cyber security.
Chris Self
HEAD OF SERVICE DELIVERY
Chris is a highly experienced information security principal. He has worked as a senior cyber security consultant for KPMG, CQR Consulting (now part of CyberCX) and Deloitte. Prior to starting with MyEmpire Group, he was the Information Security Manager at Adelaide Airport where he led a full rebuild of the airport’s cyber security processes and infrastructure. Chris holds a master’s in information systems security and a number of information security certifications, including CISSP and CRISC.
Let our Cyber Specialists help
Essential 8 is eight areas organisations can focus on to prevent and manage the most common cyber security attacks.
The Essential 8 principles originate from the Australian Cyber Security Centre (ACSC) which is part of the Australian Signals Directorate (ASD) and the Australian Federal Government. The 8 controls are extracted from hundreds originally focused on national security defence and tailored as a starting point for all organisations.
The origin of Essential 8 is very defence heavy. Originally developed to protect Australia’s national security, the ACSC put together a list of several hundred controls to sure up Australia’s cyber security national defence. The Australian Government first took this comprehensive list and extracted it down to a more digestible list of 35 key controls. These were all selected with organisations in mind. That list has since been distilled down further to 8 essential controls. These controls focus on defending against the most common cyber attacks and mitigating the impacts of any successful attacks.
Improve your organisation’s cyber security
Essential 8 gives organisations a focused way to protect themselves against the most common cyber attacks. The controls focus on protecting areas of businesses most commonly targeted and mitigating the impacts of successful attacks. Following the principles can radically improve your cyber defence.
Increase your business opportunities
As well as giving your business a solid control baseline to improve your cyber security, Essential 8 demonstrates this fact to other businesses, consumers, regulators etc. This can lead to new business opportunities because it helps third parties trust you are taking cyber security measures seriously to protect their (and their customers) information.
Ideal for small businesses
Essential 8 is suitable for any sized organisation, but is particularly valuable to small, entry-level businesses looking to achieve a base level of cyber security. The strategies allow organisations to invest in high return controls to level up their cyber security and defend against most cyber attacks.
Maturity levels to fit any sized organisation
A three-stage maturity level is attached to each control to help organisations correctly size their implementation based on their risk appetite. It means you can enhance your cyber security incrementally. For instance, you can start by achieving maturity level 1 across all Essential 8 strategies, or you can focus on a key control and take it to maturity level 3, whichever helps mitigate the largest risk to your business.
How we help with Essential 8 assessment and implementation
1. Understand your ‘why’
We start by understanding your reasons for wanting to apply Essential 8 to your organisation. This could be generally improving your cyber security risk posture, getting guidance identifying and addressing cyber security gaps in existing implementations, or maybe you’ve been told it’s an industry requirement.
2. Scope the deliverables
We’ll interview key stakeholders in your organisation to understand which environments you want included in-scope for the assessment. For instance, information technology (IT), operational technology (OT) etc.
3. Identify your key stakeholders
We’ll help you identify who’s required for Essential 8 discussion workshops, e.g., teams involved with IT applications, cyber security, networks or systems, external MSPs/MSSPs etc. We recommend those responsible for implementing and managing the technical controls be involved in workshops.
4. Matching to a Maturity Level
Prior to the cyber health assessment, we’ll work with you to identify the right Essential 8 Maturity Level for your business goals. This ranges from Maturity Level 1 to Maturity Level 3.
5. Assessment against Essential 8
We’ll measure your level of alignment with a focus on the Essential 8 strategies and highlight key misalignments with control implementation.
6. Technical Essential 8 recommendations
We’ll develop business-specific technical recommendations for each Essential 8 strategy. Each recommendation will focus on uplifting the Essential 8 response to the target maturity level.
7. Assessment report
We’ll provide you with an easy to digest E8 Assessment Report. In the report, we’ll describe each E8 mitigation strategy and your business’ current alignment with its target maturity level, as well as guidance on quick wins, tasks to be prioritised, and suggested timelines to uplift each control.
8. Support with implementation
We can help implement partner technologies needed to uplift your Essential 8 maturity. We can also perform reviews of technology and provide ongoing cyber security strategy and guidance.
Complete Essential 8 assessment, and implement your cyber security strategies, with confidence.
The Essential 8 Strategies...
1. Application control
This refers to the level of control and constraints you have over applications. It involves stopping software libraries, scripts, installers, and other executables from running on workstations.
2. Patch applications
This refers to applying security updates and patches as quickly as feasible. The strategy requires frequent usage of vulnerability scanners to detect missing patches and updates, as well as removing solutions no longer supported by their vendors.
3. Configure Microsoft Office macro settings:
This refers to the amount of freedom your users have to run macros in Microsoft Office applications. Most users should have macros blocked as default, unless they have a business requirement not to.
4. User application hardening
This refers to the limitations placed on users’ applications. At minimum, web browsers shouldn’t be able to process ads or Java content from the internet, Internet Explorer 11 should be disabled and users shouldn’t be able to change these security settings.
5. Restrict administrative privileges
This involves managing users with administrative privileges. It includes validating requests for privileged access to systems and applications, blocking privileged accounts from accessing the internet and using separate operating environments for privileged and unprivileged users.
6. Patch operating systems
This strategy focuses on keeping operating systems up to date to ensure operating system patches, updates and security mitigations for internet-facing services are applied within two weeks of release (or 48 hours if an exploit exists). Vulnerability scanners should be used to identify any missing patches and software not supported by vendors should be replaced.
7. Multi-factor authentication
This involves enforcing multi-factor authentication (MFA). Maturity starts by enforcing MFA for all users before they access internet-facing services and third-party providers.
8. Regular backups
This involves ensuring critical systems and information is securely backed up and readily available. All backup and restoration systems are tested and unprivileged accounts restricted to their own backup environments.