The Essential Eight, what it means to your business plus a bold prediction
The Essential Eight is a set of mitigation strategies developed by the Australian Cyber Security Centre (ACSC) and designed to improve the cyber security posture of Australian businesses. The overarching goal of the Essential Eight is to make it much harder for your I.T. systems to be compromised. The eight areas of interest are:
- application control
- patch applications
- configure Microsoft Office macro settings
- user application hardening
- restrict administrative privileges
- patch operating systems
- multi-factor authentication
- regular backups
The general idea is that organisations are rated on a scale, known as a ‘maturity model’, to determine what cyber security strategies they have in place in relation to each of the eight areas defined above. Sounds like fun, right?
There are four maturity levels for each item. Maturity level zero just means it hasn’t been formally assessed yet, whereas levels 1, 2 and 3 offer increasing levels of protection or ‘system hardening’. Achieving maturity level 1 in most areas is relatively straightforward; in fact, most of our MSP clients already meet the requirements to achieve a maturity rating of at least 1.
If you want to learn more about the Essential Eight, start here.
Right now, as far as I know, there is no requirement for any business in Australia to comply with any of the Essential Eight. I’m sure there would be private agreements that reference it already, but nothing written into law.
I promised you a bold prediction and here it is: I think we are going to start seeing a mandated requirement for Essential Eight compliance in the not too distant future. It will start with very specific types of businesses at first; for example, the federal government might require all tax agents who have online access to their clients’ data to be assessed for their Essential Eight maturity and to maintain a particular maturity level. Businesses which operate trust accounts, such as conveyancing, law firms and real estate agents, will probably be next in line, as will I.T. service providers like us. This will probably flow through to private business agreements as well and might even become a selling point – “Come do business with us, we’re Essential Eight certified!”.
Very big businesses, such as banks and government departments, are already implementing the Essential Eight, and I wouldn’t be at all surprised if big businesses over a certain turnover threshold are mandated to be Essential Eight compliant no matter what industry they are in.
We all know the wheels of government turn slowly, but I think these changes are probably only a few years away at most.
If you would like to know how your business stacks up against the Essential Eight maturity model, and what can be done to improve your cyber security posture, let us know.