The Australian Signals Directorate (ASD) Essential Eight framework has become a yardstick for cybersecurity in Australia but proper implementation still eludes many businesses and keeps threats like ransomware an ever-present problem.
The ASD Essential Eight is regarded as a foundational component to resilience in online security and while it doesn’t cover every possible element, it offers arguably the best guidelines for IT security posture.
The recommended implementation order of the Essential Eight is as follows:
- Application whitelisting – to control the execution of unauthorised software.
- Patching applications – to remediate known security vulnerabilities.
- Configuring of macro settings – to block untrusted macros.
- Application hardening – to protect against vulnerable functionality.
- Restricting administrative privileges – to limit powerful access to systems.
- Patching operating systems – to remediate known security vulnerabilities.
- Multi-factor authentication – to protect against risky activities.
- Daily backups – to maintain the availability of critical data.
Each component is critically important for the modern IT setup however, most businesses in Australia would be lucky to have even half of the Essential Eight implemented.
Why?
In our discussions with customers, the reason usually falls to three key challenges. Time, resources and costs. The underlying challenge for IT security specialists is illustrating and communicating the risk to senior leaders and contextualising it to the security posture of their company.
Too often, IT security professionals ignore learnings from the industry examples that can help build a business case to meet these obstacles.
For context, the Australian Cyber Security Centre (ACSC)* responded to an average of 31 cyber security incidents per week in 2020-21 with self-reported losses totalling more than $33 billion.
The frequency of incidents in Australia needs to form a part of your risk assessment and be a key pillar of building your Essential Eight strategy.
It’s not just a matter of losing data. The biggest long-term consequence of a data breach is the loss of customer confidence. If your organisation was compromised and customer data was released, how would they react?
Implementing the Essential Eight as a baseline is more effective for saving time, money and effort than reacting to a large-scale cyber security incident.
Avoiding a reactive scenario and bringing your organisation into line with Essential Eight requires a structured approach.
- Discover your information assets and estimate their value – Scan and physically inspect your environment. Input your data into a CMDB if you have one or keep well documented records of the location, details and connectivity of your assets.
- Perform a risk assessment – Think through potential attacks against your systems and data including initial entry points, spread and damage scenarios. Prioritise control of your most at risk assets.
- Review – Use the outline of the Essential Eight to note the areas where no security capabilities exist or where additional work is required.
- Develop a plan – Adopt new required security controls and improve the operational effectiveness of your existing controls.
- Gain management buy-in – Form line-of-business commitments for necessary financial and personnel support.
- Implement the controls – Measure progress and risk reduction and communicate your findings. Also, keep an eye on trends that could introduce new risks to your organisation.
A key oversight I’ve often encountered with Essential Eight implementation is the lack of review and improvement of risk mitigation strategies. A successful security posture is not stagnant.
Rather, it requires maturity of the implementation to reach full alignment with the intent of strategy.
See the Essential Eight and resources from the Australian Cyber Security Centre here.
Author Clint Walters has held a range of specialist roles in IT integration and solutions architecture for more than 15 years. He was previously a Senior Solutions Architect at Digital Sense, an Over the Wire company.