ACSC’s Essential Eight Mitigation Strategies


Protect your business against cyber threats by implementing the ACSC's Essential Eight mitigation strategies with ShadowSafe.


Cyber crime is costly

According to the Australian Cyber Security Centre (ACSC), the average cost associated with cyber crime is growing rapidly:

  • Small business: $46,000

  • Medium business: $97,200

As businesses increasingly depend on technology for growth, it's essential to stay aligned with cyber security best practices to minimise the risk of becoming targets (and victims) of cyber threats.

What is the Essential Eight?

The Essential Eight is a framework developed by the Australian Cyber Security Centre (ACSC) aimed at enhancing the resilience of Australian businesses against cyber threats.

First introduced in 2017, this framework expands upon earlier security measures by incorporating eight critical strategies (security controls) designed to prevent cyberattacks, mitigate their impact, and ensure data availability.

By establishing a baseline of cybersecurity practices, the Essential Eight provides businesses, particularly small and medium-sized enterprises, with a structured approach to measure and improve their defenses in an increasingly digital landscape.

The eight strategies are as follows:

  • patch applications

  • patch operating systems

  • multi-factor authentication

  • restrict administrative privileges

  • application control

  • restrict Microsoft Office macros

  • user application hardening

  • regular backups


Primary Objectives

The eight strategies are better understood when grouped by their primary objectives: preventing attacks, limiting the impact of attacks, and maintaining data availability.


Understanding and implementing these strategies is vital for businesses seeking to protect their information technology networks from the growing array of cyber threats.

Is it mandatory?

Under both statutory and common law (Corporations Act 2001), Australian company directors have a responsibility to effectively govern the management of cyber security as a critical business risk. The World Economic Forum has identified cyber risk as “the most immediate and financially material sustainability risk that organisations face today”.

The federal government is working to mandate the entire Essential Eight framework for all non-corporate commonwealth entities. Previously, only the first four security controls in objective 1 (Prevent Attacks) were mandatory, but now compliance across all eight strategies is expected.

Reporting breaches

All businesses with an annual turnover of $3 million or greater are required to report data breaches to both impacted customers and the Office of the Australian Information Commissioner (OAIC) within 72 hours. Any breach that is likely to result in serious harm to individuals must be reported.

This requirement is known as the 'Notifiable Data Breaches Scheme' (NDB). Compliance is also mandatory for health service providers, credit providers and credit reporting bodies.

How to implement the Essential Eight

The following steps will help your business effectively implement the Essential Eight strategies.

1. Assess your current state

It's said that "you can't improve what you don't measure", and this holds especially true in cyber security. To effectively implement the Essential Eight, it is crucial to first assess your organisation's current maturity level.

There are two primary methods for conducting this assessment:

  • Self-Assess: Utilise the maturity model and resources available on the government's cybersecurity website at cyber.gov.au. This approach requires a comprehensive technical understanding of IT and cybersecurity practices to accurately evaluate your current standing.

  • Request a professional Audit by ShadowSafe: Receive a comprehensive IT and cyber security audit conducted by our experienced team. Our audit process examines the key cyber risks facing your business and evaluates your IT systems for performance and potential improvements. Our team presents the findings clearly and concisely, free from technical jargon, providing you with the clarity and actionable plan needed to improve your cyber security and grow your business with confidence. Schedule a Call to learn more about our assessment process.

2. Plan for a target maturity level

Businesses should strategically plan for a target maturity level that aligns with their specific environment and fulfils the directors' obligations to manage key business risks. Establishing a clear target maturity model is essential for ensuring that cybersecurity measures are both effective and sustainable.

A ShadowSafe Cyber Security and IT Audit provides a detailed roadmap with step-by-step strategies to help you achieve your desired maturity level. This plan not only addresses immediate vulnerabilities but also supports long-term resilience. Typically, our clients reach their target maturity within 12 months, although staff awareness training generally requires a minimum of 6 months to be fully effective.

3. Progressively implement each level

To achieve your target maturity level, it's crucial to implement each level progressively, ensuring no critical steps are missed. As you address each level incrementally, you can identify new vulnerabilities and resolve them. When executed properly, this process will gradually enhance your cyber security awareness and resilience, recognising that building a robust security framework takes time and consistent effort.

Partnering with our ShadowSafe team can reduce the complexity and frustration that comes with implementation, so that you can stay focused on your business priorities.

4. Continue building cyber resilience

Continue to strengthen your long-term cyber security resilience and stay ahead of evolving threats by partnering with cyber security experts.

At ShadowSafe, we provide 24/7 monitoring services, regular assessments, cyber insights and other tools to safeguard your business now and into its future. Cyber security is not a one-time project; it's a life-long habit.

James Bartrop

Partner with the experts

At ShadowSafe, we treat the Essential Eight as fundamentals of a baseline cyber security posture.

Our cyber security audits, SME service packages, and SOC 2 and ISO 27001 consulting all reference the Essential Eight as a baseline maturity model.

If you're ready to partner with a world-class cyber security firm with local, personal and friendly support, speak to our team today.

Or phone 07 3185 1777.

Further Resources:

Essential Eight | Cyber.gov.au

Podcast: ShadowSafe CEO James discussing the Essential Eight (Spotify)