What Is the “Essential Eight” and Why Is Its Adoption Critical to Minimise Cybersecurity Threats?

It’s easy for small and mid-sized businesses to get lost in a sea of cybersecurity options. They need multiple layers of protection for their network, data, and devices, and they must apply those protections consistently across different environments (Windows, Mac, mobile, cloud).

Failing to protect your technology infrastructure properly exposes you to the costs of a malware attack or data breach. The average cost of a data breach in Australia jumped 31% year over year, and now stands at AU$3.7 million.

The Essential Eight Maturity Model (“Essential Eight” for short) was developed by the Australian Cyber Security Centre (ACSC) to help organisations identify and implement the mitigation strategies that are most effective against common attacks.

Essential Eight refers to eight key cybersecurity tactics that should be in place to help prevent network breaches and data security incidents. While the system was originally designed for Microsoft Windows-based internet-connected networks, it can be followed for other areas of your IT security as well, such as Mac systems and cloud computing environments.

These eight mitigation strategies are based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration tests, and assisting Australian organisations with implementing their security controls.

The Essential Eight defines four maturity levels, from Maturity Level Zero (strategies not implemented) up to Maturity Level Three. The levels are pitched at increasingly capable attacker tradecraft rather than at organisation size, so the right target depends on who is likely to come after you. We will review the strategies to follow for the first implemented level, Maturity Level One.

Adopt These 8 Essential IT Security Threat Mitigation Tactics

Boiling the foundations of good cybersecurity down to 8 essential tactics helps make IT security more approachable, especially to smaller companies that aren’t sure where to begin.

Here are the Essential Eight that your business needs to adopt to reduce your risk of falling victim to an attack.

1. Application Control

A common way malicious code gets into a network is by being allowed to execute on a connected user device. Application control restricts execution to an approved set of programs, so unknown or malicious code that arrives as an email attachment, a download, or the payload of a phishing site cannot run, even if a user opens it.

This tactic includes preventing the execution of:

  • Executables
  • Software Libraries
  • Scripts
  • Installers
  • Compiled HTML
  • HTML applications
  • Control panel applets

At Maturity Level One these file types are prevented from executing on workstations when they are launched from within a standard (non-admin) user profile or from the temporary folders used by the operating system, web browsers, and email clients. Those are the locations an attacker can write to without administrative rights, which is exactly why they are the ones to lock down first.
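Two checks worth running before you rely on an AppLocker deployment, as an added example that is not from the page or GKM2’s own tooling. It assumes an AppLocker policy is already applied locally or by Group Policy (for instance the default rules, which let Everyone run from %PROGRAMFILES% and %WINDIR%); notepad.exe is used only as a convenient signed binary to copy into a user-writable folder.

```powershell
# Added example: sanity checks for an AppLocker deployment on a workstation.
# Assumes a policy is already applied; the probe file path and notepad.exe are only test fixtures.

# 1. Rules are only evaluated while the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "Application Identity service is $($svc.Status); AppLocker rules are not being enforced."
}

# 2. Which rule collections exist and whether each enforces or only audits.
$policy = Get-AppLockerPolicy -Effective
$policy.RuleCollections |
    Select-Object @{ n = 'Collection'; e = { $_.RuleCollectionType } }, EnforcementMode |
    Format-Table -AutoSize

# 3. Simulate a user launching a legitimately signed binary from a user-writable temp folder.
#    With path-based rules the copy should be DeniedByDefault while the original is Allowed;
#    if both come back Allowed you have a publisher rule broad enough to permit renamed copies.
$probe = Join-Path $env:TEMP 'applocker-probe.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $probe -Force
$policy | Test-AppLockerPolicy -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probe -Force
```

Note that AppLocker’s script collection covers .ps1, .bat, .cmd, .vbs and .js only; HTML applications and compiled HTML run through mshta.exe and hh.exe, so block those hosts with executable rules (or use Windows Defender Application Control) to cover the full list above.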

2. Patch Applications

Most company leaders understand that software applications should be patched regularly. But how quickly does a patch need to be applied before the delay itself becomes a risk?

This Essential Eight strategy sets the following timeframes for applying application patches and updates at Maturity Level One:

  • Within two weeks of release for security vulnerabilities in internet-facing services
  • Within 48 hours of release if a working exploit exists for the vulnerability
  • Within one month of release for office productivity suites, web browsers and their extensions, email clients, PDF software, and security products

This strategy also calls for a vulnerability scanner to be run at least daily to identify missing patches for security vulnerabilities in internet-facing services, and at least fortnightly for the office productivity suites, browsers, email clients, PDF software, and security products listed above. Without a scanner you have no reliable way of knowing whether the deadlines are actually being met.

3. Configure Microsoft Office Macro Settings

Microsoft Office macros are a long-standing delivery mechanism for malware: a document that looks like an invoice or a résumé carries VBA code that runs when the user enables content. This tactic disables macros entirely for users who have no demonstrated business need for them.

Additionally, turn off the ability for users to change that disabled setting and block any MS Office macros originating from the internet.
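The Maturity Level One macro settings can be enforced through the Office policy registry keys that Group Policy writes, and read back to confirm they stuck. This is an added example, not code from the page or from GKM2, and it assumes Office 2016, 2019 or Microsoft 365 Apps (registry hive 16.0). Because the values live under Software\Policies rather than the user’s own settings, the corresponding Trust Center options are greyed out, which is what satisfies the “users cannot change it” requirement.

```powershell
# Added example: enforce and audit the Maturity Level One Office macro settings.
# Assumes Office version key 16.0; run elevated. In production deploy the same values with Group Policy.
$Apps   = 'Word', 'Excel', 'PowerPoint'   # Access and Visio use the same key names
$Wanted = @{
    # 4 = disable all macros without notification (3 = signed only, 2 = disable with notification, 1 = enable all)
    VBAWarnings                       = 4
    # block macros in files carrying the Mark of the Web, i.e. downloaded from the internet
    blockcontentexecutionfrominternet = 1
}

function Set-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        foreach ($name in $Wanted.Keys) {
            Set-ItemProperty -Path $key -Name $name -Type DWord -Value $Wanted[$name]
        }
    }
}

function Test-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        foreach ($name in $Wanted.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Application = $app
                Setting     = $name
                Expected    = $Wanted[$name]
                Actual      = $actual
                Compliant   = ($actual -eq $Wanted[$name])
            }
        }
    }
}

Set-MacroPolicy
Test-MacroPolicy | Format-Table -AutoSize
```

For the small group of users who genuinely need macros, apply a separate policy to that group with VBAWarnings set to 3 (digitally signed macros only) rather than re-enabling everything; the internet-origin block should stay at 1 for everyone.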

4. User Application Hardening

Application hardening means configuring everyday applications so that the features attackers abuse most are disabled by default, and then locking those settings so users cannot turn them back on.

Some of the application hardening settings mentioned in this IT security step include:

  • Web browsers should not process Java from the internet
  • Web browsers should not process web advertisements from the internet, a common route for malicious redirects
  • If Internet Explorer 11 is present, it should not process any content from the internet; the current version of the model goes further and expects it to be disabled or removed

5. Restrict Administrative Privileges

It’s important to restrict the number of accounts that have admin-level privileges in your system and applications. Administrative privileges allow the user a much higher level of access to a system and the ability to change important security settings.

As part of restricting your admin privileges, you should:

  • Validate every request for admin-level privileges against a genuine business need
  • Prevent privileged accounts from accessing the internet, email, and web services; in practice this means giving each administrator a separate, dedicated admin account with no mailbox or browsing access that is used only for administrative tasks
  • Have privileged users work in separate privileged and unprivileged operating environments
  • Do not allow unprivileged accounts to log on to privileged operating environments
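A useful first step is finding out who actually holds administrator rights on a workstation today, because the list is almost always longer than anyone expects. The following audit script is an added example, not the page’s or GKM2’s code; the approved list and the “-adm” naming convention for dedicated admin accounts are assumptions to replace with your own.

```powershell
# Added example: report every member of the local Administrators group with a finding per member.
# The approved list, the CORP domain and the "-adm" suffix convention are assumed placeholders.
function Get-AdminRightsFindings {
    param(
        [string[]]$Approved    = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins', 'CORP\WS-Admins'),
        [string]  $AdminSuffix = '-adm'
    )
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $findings  = @()
        $isBuiltIn = $m.SID.Value -like 'S-1-5-*-500'   # RID 500 is the built-in Administrator

        if ($Approved -notcontains $m.Name) {
            $findings += 'not on approved list'
        }
        # A user account without the admin suffix is very likely the same account used for email and browsing.
        if ($m.ObjectClass -eq 'User' -and -not $isBuiltIn -and $m.Name -notlike "*$AdminSuffix") {
            $findings += 'user account is not a dedicated admin account'
        }
        if ($m.PrincipalSource -eq 'Local' -and -not $isBuiltIn) {
            $findings += 'local account, not centrally managed'
        }

        $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'ok' }
        [pscustomobject]@{
            Member   = $m.Name
            Type     = $m.ObjectClass
            Source   = $m.PrincipalSource
            Findings = $summary
        }
    }
}

Get-AdminRightsFindings | Format-Table -AutoSize
```

Run it across the fleet and treat every row that is not “ok” as a request that must be re-validated; group memberships that appear here via Active Directory should be reviewed in the directory as well, since that is where they are granted.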

6. Patch Operating Systems

Just as applications need to be patched and updated regularly, so do operating systems. It’s another essential best practice to mitigate cybersecurity risk. 

This tactic follows the same schedule as your applications: patches for security vulnerabilities in internet-facing services within two weeks of release (48 hours if a working exploit exists), and patches for the operating systems of workstations, servers, and network devices within one month of release. Operating systems the vendor no longer supports will never receive those patches and should be replaced.
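The deadlines in sections 2 and 6 only mean something if you can see how old each missing patch is. The script below, an added example that is not from the page or GKM2, asks the Windows Update Agent (the COM API that ships with Windows) for updates it considers missing and compares their age with the Maturity Level One deadlines. The API knows nothing about exploit status, so the list of KBs with a working exploit is something you supply; the KB number in the usage line is a placeholder, not a real reference.

```powershell
# Added example: list missing Windows/Microsoft updates and flag the ones past their deadline.
# Assumes the Windows Update Agent COM API is available (it is on all supported Windows versions).
function Get-OverdueUpdates {
    param(
        [switch]  $InternetFacing,        # host runs an internet-facing service: 14-day deadline
        [string[]]$ExploitedKBs = @()     # KBs you know have a working exploit: 48-hour deadline
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $missing  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $now      = Get-Date

    foreach ($u in $missing) {
        $kbs      = @($u.KBArticleIDs | ForEach-Object { "KB$_" })
        $released = $u.LastDeploymentChangeTime

        # Default one month; tighten for internet-facing hosts; tighten again if an exploit is known.
        $deadlineDays = 30
        if ($InternetFacing) { $deadlineDays = 14 }
        if ($kbs | Where-Object { $ExploitedKBs -contains $_ }) { $deadlineDays = 2 }

        [pscustomobject]@{
            Title           = $u.Title
            KB              = ($kbs -join ',')
            Severity        = $u.MsrcSeverity
            Released        = $released.ToString('yyyy-MM-dd')
            DeadlineDays    = $deadlineDays
            DaysOutstanding = [math]::Floor(($now - $released).TotalDays)
            Overdue         = ($now -gt $released.AddDays($deadlineDays))
        }
    }
}

# Usage: a host that also exposes an internet-facing service, with one placeholder KB marked as exploited.
Get-OverdueUpdates -InternetFacing -ExploitedKBs 'KB0000000' |
    Sort-Object DaysOutstanding -Descending |
    Format-Table Title, KB, Severity, DeadlineDays, DaysOutstanding, Overdue -AutoSize
```

This covers Windows and, when Microsoft Update is enabled, Office. Browsers, PDF readers, and other third-party applications do not report through this API, which is why the strategy requires a dedicated vulnerability scanner as well.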

7. Multi-Factor Authentication

Multi-factor authentication (MFA) is one of the most effective controls against account compromise, because a stolen or guessed password is no longer enough on its own. MFA requires a second proof of identity before a user can access a system or cloud account: typically a code generated by an authenticator app or hardware token, a push prompt on the user’s phone, or, less securely, a code sent by SMS. At Maturity Level One, MFA is required at minimum for your users when they sign in to your internet-facing services and to third-party services that hold your organisation’s data.
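The codes an authenticator app shows are not sent anywhere; they are computed by both the app and the service from a shared secret and the current time. The following implementation of that algorithm (TOTP, RFC 6238, over HMAC-SHA1) is an added example rather than code from the page or GKM2. It uses the test secret published in the RFC, “12345678901234567890”, written in Base32 as an enrolment QR code would carry it, so the output for time 59 can be checked against the RFC’s own table.

```powershell
# Added example: how a time-based one-time code is derived and verified (RFC 6238 / RFC 4226).
# The secret below is the RFC's published test vector, not a real credential.

function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bytes  = New-Object System.Collections.Generic.List[byte]
    $buffer = 0; $bits = 0
    foreach ($ch in $Text.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($ch)
        if ($idx -lt 0) { throw "Invalid Base32 character: $ch" }
        $buffer = (($buffer -shl 5) -bor $idx) -band 0xFFFF   # at most 12 live bits at any time
        $bits  += 5
        if ($bits -ge 8) {
            $bits -= 8
            $bytes.Add([byte](($buffer -shr $bits) -band 0xFF))
        }
    }
    return ,$bytes.ToArray()
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Digits = 6,
        [int]$Period = 30
    )
    $key     = ConvertFrom-Base32 $Base32Secret
    $counter = [long][math]::Floor($UnixTime / $Period)
    # The moving factor is the counter as an 8-byte big-endian integer.
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$key)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window; top bit is cleared.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset]     -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8)  -bor
               ($hash[$offset + 3] -band 0xFF)
    $modulus = [long][math]::Pow(10, $Digits)
    return ($binary % $modulus).ToString().PadLeft($Digits, '0')
}

function Test-Totp {
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [Parameter(Mandatory)][string]$Submitted,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Window = 1   # accept one 30-second step either side to tolerate clock drift
    )
    foreach ($step in (-$Window)..$Window) {
        $expected = Get-Totp -Base32Secret $Base32Secret -UnixTime ($UnixTime + $step * 30)
        if ($expected -eq $Submitted) { return $true }   # a real server also records used codes to block replay
    }
    return $false
}

# RFC 6238 Appendix B: secret "12345678901234567890", time 59, SHA-1, 8 digits (the RFC lists 94287082).
$rfcSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
Get-Totp -Base32Secret $rfcSecret -UnixTime 59 -Digits 8
Test-Totp -Base32Secret $rfcSecret -Submitted (Get-Totp -Base32Secret $rfcSecret)
```

Two practical points follow from the code: the service must keep the shared secret as carefully as a password database, and the code is only as unguessable as its 30-second window, so services should rate-limit attempts and reject a code that has already been used.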

8. Regular Backups

Backing up all important data regularly is the last of the Essential Eight tactics for protecting your business from cyberattacks. The strategy is not just to take backups but to keep them for as long as your business needs and to prove they can be restored, with restoration tested as part of disaster recovery exercises; a backup that has never been restored is an assumption, not a control.

Unprivileged user accounts should also be restricted from accessing or deleting backups.
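A small restore test can be built into the backup job itself, so every backup is proven before anyone needs it. The script below is an added example, not code from the page or from GKM2: it archives a folder, records a SHA-256 manifest of the live files, restores the archive into a scratch folder and compares every file against the manifest, then restricts the backup location to administrators so a standard user (or malware running as one) cannot read or delete it. The paths are hypothetical, and Compress-Archive is limited to entries under 2 GB, so larger data sets need a proper backup tool.

```powershell
# Added example: back up a folder, verify it restores, and lock the backup location down.
# Source and backup paths are placeholders; the scratch restore uses the current user's %TEMP%.
function Invoke-VerifiedBackup {
    param(
        [Parameter(Mandatory)][string]$Source,      # folder to back up
        [Parameter(Mandatory)][string]$BackupDir    # destination, ideally on separate storage
    )
    $Source = (Resolve-Path $Source).Path.TrimEnd('\')
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archive = Join-Path $BackupDir "backup-$stamp.zip"

    # 1. Hash every live file, then archive. The manifest is what the restore is checked against.
    $manifest = @(Get-ChildItem -Path $Source -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Source.Length + 1)
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    })
    Compress-Archive -Path "$Source\*" -DestinationPath $archive
    $manifest | ConvertTo-Json | Set-Content -Path "$archive.manifest.json"

    # 2. Trial restore into a scratch folder and compare each file with its recorded hash.
    $restoreDir = Join-Path $env:TEMP "restore-test-$stamp"
    Expand-Archive -Path $archive -DestinationPath $restoreDir
    $failures = @(foreach ($entry in $manifest) {
        $restored = Join-Path $restoreDir $entry.RelativePath
        if (-not (Test-Path $restored)) { "$($entry.RelativePath): missing after restore"; continue }
        if ((Get-FileHash -Path $restored -Algorithm SHA256).Hash -ne $entry.Sha256) {
            "$($entry.RelativePath): hash mismatch after restore"
        }
    })
    Remove-Item -Path $restoreDir -Recurse -Force

    # 3. Remove inherited permissions and grant only Administrators and SYSTEM,
    #    so unprivileged accounts can neither read nor delete the backups.
    icacls $BackupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

    [pscustomobject]@{
        Archive     = $archive
        FilesBacked = $manifest.Count
        RestoreOk   = ($failures.Count -eq 0)
        Failures    = $failures
    }
}

# Usage with placeholder paths:
Invoke-VerifiedBackup -Source 'C:\CompanyData' -BackupDir 'D:\Backups'
```

A RestoreOk of False should fail the job loudly rather than be logged quietly, and the verified archive should then be copied somewhere the workstation’s own credentials cannot reach, otherwise ransomware that obtains admin rights on the machine can still destroy it.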

Get Help Putting Your Essential Eight Into Place!

GKM2 can help your Sydney area business with each tactic of the Essential Eight to help you reduce your risk of a costly cyberattack.

Contact us today to learn more. Call +61 2 9161 7171 or reach out online.