The Essential 8, developed by the Australian Cyber Security Centre (ACSC), provides a baseline of mitigation strategies to defend against cyberthreats. Many organisations are obliged to implement the Essential 8 to a specific maturity level. The Essential 8 comprises eight key mitigation strategies designed to protect against various threats. While risks change all the time, this table can provide a high-level overview of the risks addressed by the Essential 8.
| Application Control | Patching Applications | Office Macro Settings | User Application Hardening | Restricting Administrative Privileges | Patching Operating Systems | Multi-Factor Authentication | Daily Backups | |
|---|---|---|---|---|---|---|---|---|
| Malware and ransomware attacks | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Unauthorised software installation | Yes | Yes | Yes | |||||
| Exploitation of software vulnerabilities | Yes | Yes | Yes | Yes | Yes | Yes | ||
| Insider threats | Yes | Yes | Yes | Yes | Yes | Yes | ||
| Phishing attacks | Yes | Yes | Yes | Yes | ||||
| Data breaches | Yes | Yes | Yes | Yes | Yes | |||
| System instability and crashes | Yes | Yes | Yes | Yes | ||||
| Data loss | Yes | Yes | ||||||
| Credential stuffing | Yes | Yes |
Where the Essential 8 are not legislated, adopting a risk-based approach allows organisations to tailor their cybersecurity efforts to their unique risk profile. By prioritising the most critical threats and efficiently allocating resources, organisations can enhance their overall security posture and better protect their assets and data. In an ever-changing cybersecurity landscape, a risk-based approach provides the flexibility and adaptability needed to stay ahead of emerging threats.
Proactive strategy
To implement a risk-based approach to the Essential 8, organisations should:
- Conduct a risk assessment: Identify and assess the risks and vulnerabilities specific to your organisation. This assessment should consider factors such as the value of assets, potential threats, and the likelihood and impact of cybersecurity incidents.
- Prioritise mitigation strategies: Based on the risk assessment, prioritise the implementation of the Essential 8 strategies. Focus on addressing the most critical risks first, while also considering the feasibility and cost-effectiveness of each strategy. It can be helpful to identify ‘quick wins’ at this stage.
- Develop a risk management plan: Create a comprehensive risk management plan that outlines the steps and resources required to implement the prioritised mitigation strategies. This plan should include timelines, responsibilities, and metrics for measuring success.
- Monitor and review: Continuously monitor the efficacy of the implemented strategies and review the risk assessment regularly. Adjust the risk management plan as needed to address new threats and vulnerabilities.
Talk to Flame Tree about how we can support you implement the Essential 8 or measure your maturity level.