What is the Essential Eight framework and why is it important?
Cybersecurity has never had more focus from a board and executive perspective, and for good reason. On a weekly basis, we are seeing serious cybersecurity breaches on the front pages of the media with direct financial, customer trust and reputational impacts. In addition to this the threat landscape is constantly evolving as are the cyber insurance minimum requirements and government regulations.
The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. One of the most effective of these mitigation strategies is the Essential Eight, which includes controls such as:
Configure Microsoft Office macro settings
User application hardening
Restrict administrative privileges
Patch operating system
Each of these mitigation strategies has three levels of maturity.
The Essential Eight framework is a great starting point, particularly for organisations with limited security resources. It provides the biggest “bang for buck” in terms of assessment and control implementation effort to improve your maturity and protection against common attack vectors. It is a highly effective place to start your cybersecurity maturity journey; however, there are other controls-centric frameworks that come into play after you establish a strong baseline with the Essential Eight.
An important note to consider is that the Essential Eight has been designed to protect Microsoft Windows-based internet-connected networks. While the principles behind the Essential Eight may be applied to cloud services and enterprise mobility, or to other operating systems, it was not primarily designed for such purposes, and alternative mitigation strategies may be more appropriate for mitigating the unique cyber threats to these environments.
Why should I use other frameworks such as NIST CSF and ISO27001?
NIST CSF is a more holistic framework that can be used by organisations to assess and improve their cybersecurity posture. NIST 800-53 / 800-171 are comprehensive sets of security controls and guidelines that can be assessed and implemented. These are the frameworks most often leveraged as a follow-on to the Essential Eight for larger or more security-conscious organisations, due to their breadth and depth of coverage.
Government (local, state and federal) as well as large corporates are incorporating requirements into their procurement and third-party risk management processes for suppliers to be ISO27001 certified. Organisations that service these clients have a strong incentive to attain ISO27001 certification.
There are other industry- and use-case-specific frameworks that come into play, such as PCI-DSS (payments centric) and CPS234 (APRA-regulated entities), which we will cover separately.
What are we seeing?
One of the key gaps we see most often is how an Essential Eight assessment report is transposed for business stakeholders. Boiling this down: how do I articulate to my CEO and board our current cybersecurity posture and risk exposure, target maturity and investment modelling, when the assessment report I have is focussed on controls and evidence?
Nexon’s Essential Eight assessment service aims to provide these high-level, business-contextualised insights in a presentation-style format to help with decision making around prioritising resources and activities.
We are beginning to see organisations seeking to implement Governance, Risk and Compliance (GRC) platforms, such as Avertro or de.iterate, to drive assessments and other functions like third-party risk assessment. An approach of continuous assessment and compliance makes assurance programs a lot simpler to run.
We’re also seeing some organisations consider automated compliance monitoring platforms to proactively assess whether controls such as application whitelisting are consistently applied across all devices.
Want to know more?
Our Essential Eight assessment provides a simple and practical guide that works for Australian organisations looking to scale up their cyber protection. If this sounds like you, talk to us!