Feb 15, 2022

The Essential 8 - How Does Your Organisation Stack Up?

The Log4j vulnerability is one of many cyber security incidents that have made global headlines in recent months, highlighting the growing need for organisations to pay attention to their cyber security posture. 


Some notable incidents have proven costly, such as last year’s cyber attack on a US oil pipeline, which caused a nationwide oil shortage and significantly increased fuel prices. Another attack targeted a global meatpacking firm, closing factories worldwide, causing employment concern for around 11,000 Australian workers.


Research indicates that neither of these attacks were political. Instead, these threat actors were monetarily motivated – and thoroughly organised.


The Australian Cyber Security Centre (ACSC) have reported that the current trend in cyber criminal activity is specialisation. To elaborate, one group might organise phishing attempts, another could specialise in malware or data mining ,and a third could offer ransomware as a service. The solutions vary, but the point remains: the people involved are professionals.


The tools they use vary from publicly available hardware and software to bespoke programming that requires specialised skills to deploy effectively. However, an increasing trend seems to be the growth of the copy-paste attack.


While no set of mitigation strategies are guaranteed to protect against all cyber threats, the ACSC recommends implementing eight essential mitigation strategies from the ACSC's Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes it harder for adversaries to compromise systems, specifically Microsoft Windows-based internet-connected networks. The ACSC's Essential 8 is quickly becoming the gold standard when implementing strategies against cyber threats for Australian businesses. So much so, it is becoming mandatory for many public and private organisations given their relationship with the federal government, the data they control, and several other attributes.

What is the Essential 8?

The Essential 8 consists of eight essential mitigation strategies designed by the ACSC to help organisations mitigate or prevent cyber security incidents. These strategies cover three key areas – prevention, limitation, and recovery – ranked by maturity.


The eight components include:

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

How does the Essential 8 measure cybersecurity?

The different strategies that make up the Essential 8 are measured according to the level of cyber criminal tradecraft they aim to mitigate.


The strategies are ranked across four maturity levels:

Level 0 – Indicates weaknesses in an organisation's overall cybersecurity posture.

Level 1 – Mitigates commodity tradecraft with publicly available tools.

Level 2 – Mitigates adversaries who invest more time in a target with more effective techniques.

Level 3 – Focused on more adaptive adversaries and less reliant on public tools and methods.

Past iterations of the Essential 8 sought to have an organisation reach Maturity Level 3. However, in the latest release, the Essential 8 aims to get an organisation to achieve a homogenous maturity level across the prevention, limitation, and recovery sections before moving to the next level. Additionally, organisations are encouraged to focus on achieving a maturity level that makes sense for their risk management level.

The Essential 8 cybersecurity strategies

Here is a brief overview of the 8 mitigation strategies:

Application Control – This refers to the level of control and constraints you have over users' applications. It involves stopping software libraries, scripts, installers, and other executables from running on workstations.


Patch Applications – This guideline refers explicitly to updating third-party applications. It focuses on applying security updates and patches as quickly as feasible. The strategies require frequent usage of vulnerability scanners to detect missing patches and updates and remove solutions that their vendors no longer support.


Configure Microsoft Office Macro Settings – This refers to the amount of freedom your users have to run macros in Microsoft Office applications. Most users would have macros blocked as default – unless they have a demonstrated business requirement.


User Application Hardening – This refers to the limitations in place on users' applications. At its most basic, web browsers should not be able to process ads or Java content from the internet, Internet Explorer 11should be disabled, and users should not be able to change these settings.


Restrict Administrative Privileges – This strategy involves managing users with administrative privileges. It consists in validating requests for privileged access to systems and applications, blocking privileged accounts from accessing the internet, and using separate operating environments for privileged and unprivileged users.


Patch Operating Systems – This strategy focuses on keeping operating systems up to date. The main outcome is to ensure that OS patches, updates, and security mitigations for internet-facing services are applied within two weeks of release – or within 48 hours if an exploit exists. Vulnerability scanners should be used to identify any missing patches, and any OS that is no longer vendor-supported should be replaced.


Multi-Factor Authentication (MFA) – This section involves enforcing MFA for all privileged access. Maturity starts by implementing MFA for all users before accessing internet-facing services and third-party providers.


Daily Backups – this strategy involves ensuring critical systems and information is securely backed up and readily available. This flexible strategy requires organisations to back up important data, software, and configuration settings "in accordance with business continuity requirements". All backup and restoration systems are tested, and unprivileged accounts are restricted to their own backup environments.

Do I already comply with ACSC's Essential 8?

Given the specific technical nature of the Essential 8 requirements, it is improbable that organisations will reach their appropriate maturity level without dedicated effort, especially with the maturity model changing again in late2021.


The new strategies aim to get organisations to achieve a blanket level of maturity across all sections. If your organisation has a mixed maturity across the eight strategies, then the focus should be on improving the maturity in the areas that are lagging.


Organisations are also encouraged to focus on achieving a maturity level that makes sense for the organisation's risk management level. This usually means performing a risk audit in tandem with a cyber security audit.


Before advancing to the next maturity level, organisations need to understand the risks they face, the costs of addressing these risks, and the likely outcomes that could occur should they fail.


If you are unsure if you currently meet the Essential 8 requirements for your risk profile, the answer is almost certainly no.

What Maturity Level should I be? What are my risk management needs?

Different companies will require different solutions and strategies, so the best way to determine your path to compliance is to receive an IT security assessment. Service Quality can facilitate an assessment for you and help you evaluate your current maturity level in each strategy, then implement the practices that will help you remain in full accordance with the guidelines.


It's also important to note that although the Essential 8 are a set of critical technical controls that organisations should maintain, they aren't the only cyber security measures that businesses should take. For example, they don't include risk assessments or risk management methodology provisions.


Complying with the Essential 8 is a good starting point for a business looking to protect its digital assets better. The team at Service Quality have the skills and track record to help you on the journey to compliance. In addition, Service Quality can also assist with more holistic cybersecurity strategies and offer packaged security suites with advanced threat protection and detection features.


Contact Service Quality today to see how prepared your business is for the Essential 8 and how we can help you improve your cybersecurity leveraging the Ivanti Security Suite of Solutions.

About Service Quality:

Founded in 2007, Service Quality survives on a simple but powerful idea: empower you to do more with your Service Management and Security solutions. With cutting-edge support and award-winning security and service management practices, you can be sure that Service Quality will help maximise your Service Management investment. Today, hundreds of thousands of users rely daily on Service Management and Security solutions designed and implemented by Service Quality to make their work flow.

Written By: Angus Kenny - Director, Enterprise Solutions


  1. https://web.archive.org/web/20210508050319/https:/www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/
  2. https://www.cyber.gov.au/acsc/view-all-content/advisories/2021-007-log4j-vulnerability-advice-and-mitigations
  3. https://www.cyber.gov.au/acsc/view-all-content/essential-eight
  4. https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model
  5. https://www.firstfocus.com.au/insights/article/essential-8-cybersecurity/