Overview
The Essential Eight is a set of mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to help organisations protect themselves against cyber attacks. Implementing these strategies is essential for any organisation that wants to prevent a large percentage of common cyber attacks. This page provides information about the different strategies included in the Essential Eight, as well as detailing our services to help organisations implement these strategies and stay secure. By implementing the Essential Eight, organisations can improve their security posture, reduce the risk of cyber attacks, comply with regulatory requirements, and improve customer trust and reputation.
Maturity Levels
To assist organisations in determining the maturity of their implementation of the Essential Eight, three maturity levels have been defined for each mitigation strategy. The maturity levels are defined as:
Maturity Level One
Partly aligned with the intent of the mitigation strategy
Maturity Level Two
Mostly aligned with the intent of the mitigation strategy
Maturity Level Three
Fully aligned with the intent of the mitigation strategy
alltasksITs Essential 8 Webinar
Watch our Essential 8 Webinar recording to learn more about the Essential 8 and the different maturity levels to suit your business.
The Essential 8 Maturity Model
Discover the power of the Essential Eight Maturity Model and unlock a comprehensive view of how your business can effectively defend against cyber threats across all aspects of your operations.
Application control
Prevent executable, script, HTML, and control panel applet execution on workstations from standard user profiles & temporary folders.
Microsoft Office macros
- Disable Office macros without demonstrated business need.
- Block macros from internet files.
- Enable macro antivirus scanning.
- Restrict macro settings.
Application patching
- Automate asset discovery fortnightly for vulnerability scanning.
- Use an up-to-date scanner daily for internet-facing services, and fortnightly for office suites.
- Apply patches within weeks, remove unsupported software.
User application hardening
- Block Java & web ads from the internet in web browsers.
- Restrict Internet Explorer 11 content from the internet.
- Limit browser security settings.
Administrative privileges
- Validate privileged access requests.
- Restrict internet access for privileged accounts.
- Use separate operating environments.
- Prevent unprivileged access to privileged environment.
Operating system patching
- Automate asset discovery for vulnerability scanning
- Use daily up-to-date scanner for internet-facing services
- Apply patches quickly, replace unsupported operating systems
Multi-factor authentication
- Apply multi-factor authentication to org users accessing internet-facing services and sensitive data.
- Enable by default for non-org users.
Regular backups
- Perform backups according to business continuity needs.
- Synchronise and retain securely.
- Test restoration during disaster recovery.
- Prevent unauthorised access and modification.
What maturity level should your business aim for?
To ensure robust protection against cyber threats, it is recommended that organisations strive to achieve Maturity Level Three for each mitigation strategy outlined in the Essential 8 framework. However, certain organisations may face greater risks due to factors such as the level of targeted attacks or the nature of their operations. In such cases, the Australian Cyber Security Centre (ACSC) may determine that a higher level of maturity is necessary and will provide customised guidance to meet the unique needs of the organisation.