Does my business need to implement every aspect of Essential Eight?
Essential Eight aims to get organisations to achieve a varied Cyber Security framework that spans the eight strategies so that they can improve their maturity of whichever strategy they are lagging. It’s an initiative that helps businesses understand the importance of Cyber Security within their organisation and gives them a framework on how to improve.
As the strategies are varied and quite specific, a business will not reach the maturity level it needs without any dedicated effort. We understand it can be a struggle to navigate the challenges of Cyber Security, especially since the higher the maturity level you reach, the more costs involved and the inconvenience it can be on yourself and your staff. It’s necessary though, as any cyberattack that occurs can be detrimental to your business, including unproductive staff, downtime, data breaches, ransom attacks, lost customer trust and reputation, high expenses plus any legal fees that may occur, and potentially could even see the closure of your company.
Does my business need to implement all eight strategies?
If you’re unsure what the eight strategies are, read this article here to learn.
Originally when Essential Eight was introduced by the Australian Cyber Security Centre (ACSC), now part of the Australian Signals Directorate (ADS), it suggested all organisations should aim to reach Maturity Level three. Businesses had to implement only four of the strategies — application control, patch applications, restrict administrative privileges and configure Microsoft Office macro settings — with the remainder being optional, and they were also able to self-assess their compliance.
With the updated version released in 2023, it aims for businesses to reach the same maturity level across the strategies before moving up to the next. What this means is that each of the eight strategies needs to be improved and lifted to your needed level. If seven of the strategies are at Level Two and one is at Level One, then your organisation’s Maturity Level is One. The newer version also introduces audits to check proper compliance.
For that reason, yes, your business needs to implement every strategy in Essential Eight. It’s the target level that determines how intensely you then implement these strategies.
Your business may not need to reach Level Three. This will be determined in your initial risk audit and assessments that you complete alongside a Cyber Security audit. Business owners and stakeholders must understand the risks that your business faces, as well as the costs associated with these and the consequences if they happen.
Is Essential Eight enough to protect my business?
Other than Essential Eight, your business should also have other Cyber Security practices in effect, including proactive monitoring of your networks and devices for malicious activity and regularly testing data recovery solutions so that when a cyberattack occurs, you can get your business back up and running. Essential Eight also doesn’t approach the task of the initial risk assessment that your business must undergo before implementing any Cyber Security strategy.
Essential Eight is simply a starting point for businesses to protect their digital assets. At current, the framework is about to become compulsory for all non-corporate Commonwealth Entities (NCCEs) so that Australia conducts business securely in the future to protect the country and its citizens. Now that so much of our lives and information is online, action needs to take place to protect this information. The government will be auditing NCCEs for compliance and, as part of their contracts, the NCCEs may require businesses they work with to also comply, meaning businesses may lose opportunities if they do not comply.
The framework is also highly recommended by the Australian Government for all other businesses, but we believe this will change soon to become mandated. Cyber Security attacks are growing, both in number and complexity. Criminals are using social engineering to trick staff into believing they are legitimate actors which then leads to disaster for businesses. Your business needs to aim to decrease as many of these opportunities, plus other complex threats, from reaching your staff, which Essential Eight can help achieve.
The ACSC themselves mention that:
“While no single mitigation strategy is guaranteed to prevent Cyber Security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the essential eight, makes it much harder for adversaries to compromise systems.”
What now?
Implementing Essential Eight is something we, as an MSP specialising in Cyber Security, have been working with our clients to do and is something we do with every new client we take on board. Cyber Security can ruin businesses, so it’s something that must be applied.
The maturity level your business requires depends on your business and circumstances, so during the assessment, make sure to ask questions like ‘What is the risk of an attack’ and ‘What does my business have to lose.’ Once you’ve determined the level, it’s then time to achieve this through implementation, reviewing and monitoring.
If you’re unsure where to go from here, we can help you along the journey. In addition, Pronet Technology can also help with broader and stronger Cyber Security strategies and offer services with advanced threat protection and detection.
Contact Pronet Technology today to learn how prepared your business is for Essential Eight and how we can improve your Cyber Security.
