The Essential Eight is a set of strategies recommended by the Australian Cyber Security Centre (ACSC) to help organisations bolster their cybersecurity defences. Understanding these eight guidelines is crucial for maintaining a strong security posture. Without them, your organisation runs a high risk of being compromised. The eight essential strategies comprise:
- Application Control – Restricts the execution of unapproved applications.
- Patch Applications – Ensures that applications are up to date with the latest patches.
- Configure Microsoft Office Macro Settings – Limits macro execution to trusted sources.
- User Application Hardening – Reduces vulnerabilities in common applications.
- Restrict Administrative Privileges – Minimises the risk associated with powerful user accounts.
- Patch Operating Systems – Keeps the OS secure by applying updates promptly.
- Multi-factor Authentication – Adds an extra layer of security beyond passwords.
- Regular Backups – Ensures that data can be recovered in the event of an incident.
Implementing each of these across your entire organisation is essential for achieving effective cybersecurity. The ACSC stresses that you should assess and implement these strategies as a complete package – not individually – to ensure comprehensive protection.
The Essential Eight differs from other cybersecurity frameworks, such as ISO 27001, in that it is not risk-based. This means that you cannot simply accept residual risks; instead, you either meet the control requirements or you do not. This black-and-white approach makes it challenging for many organisations to align with even Maturity Level 1. Achieving Maturity Level 1 requires meeting all 43 control requirements, without exceptions. This strictness ensures that organisations truly adhere to a robust cybersecurity posture. The Essential 8 is regularly reviewed and additional controls are added with each revision.
Why are the Essential Eight important?
In recent years, cybersecurity breaches have surged, impacting organisations across all sectors.
Globally, Cybersecurity Ventures predicts that cybercrime will cost the world $10.5 trillion (USD) annually by 2025, up from $3 trillion (USD) in 2015 (Cybercrime Magazine). These statistics underscore the critical need for organisations to implement comprehensive cybersecurity frameworks like the Essential Eight to protect against increasingly sophisticated cyber threats.
How to assess the Essential Eight against your business
To properly protect your organisation, you need to partner with a provider that takes the Essential Eight seriously. At VITG, we tackle cybersecurity by strictly following the ACSC’s guidelines for Essential Eight assessments.
As you’ll see in the table below, most MSPs and MSSPs tend to assess each control individually and present a mixed maturity level, which can be misleading. This method gives organisations a false sense of security and fails to highlight critical vulnerabilities.
| Essential Eight Control | VITG’s Assessment | Other MSP/MSSP Assessment |
| --- | --- | --- |
| Application Control | Maturity Level 2 | Maturity Level 2 |
| Patch Applications | Maturity Level 2 | Maturity Level 3 |
| Configure Office Macros | Maturity Level 2 | Maturity Level 1 |
| User Application Hardening | Maturity Level 3 | Maturity Level 2 |
| Restrict Admin Privileges | Maturity Level 2 | Maturity Level 1 |
| Patch Operating Systems | Maturity Level 1 | Maturity Level 2 |
| Multi-factor Authentication | Maturity Level 2 | Maturity Level 1 |
| Regular Backups | Maturity Level 2 | Maturity Level 3 |
| Overall Maturity Level | Maturity Level 1 | Average 1.875 (Invalid) |
Implementing the Essential Eight can be quite challenging for many organisations. Achieving Maturity Level 1 alone requires meeting 43 distinct control requirements, which can be daunting. Each subsequent maturity level adds more requirements, increasing the complexity. For example, Maturity Level 2 involves an additional 60 control requirements beyond those needed for Level 1. This rigorous standard underscores why it is essential to follow a structured, comprehensive approach to implementation and assessment.
What sets VITG’s E8 assessment apart from our competitors
- Holistic assessment: We look at all eight mitigation strategies together, which aligns with the ACSC’s recommended methodology and provides a true reflection of the security posture.
- Accurate reporting: By avoiding the practice of averaging maturity levels, we prevent inflated or inaccurate security statuses. This helps clients understand their actual security gaps and address them effectively.
- Transparency and integrity: We are committed to delivering honest assessments, even if it means presenting less favourable results. This is crucial for helping clients recognise their vulnerabilities and take appropriate actions to mitigate them.
- Expert guidance: After the initial assessment, we’ll continue to offer comprehensive support to help clients achieve their target maturity levels progressively. This includes detailed planning, implementation assistance, and continuous monitoring to ensure ongoing compliance and security.
Adhering to the ACSC’s guidelines is crucial for ensuring a valid and reliable assessment of your cybersecurity posture. According to the ACSC’s E8 Assessment Process Guide, the Essential Eight must be implemented and assessed as a complete package. This approach ensures that organisations validate the correctness and robustness of their implementation at each maturity level before progressing to the next. Skipping levels or averaging out maturity scores can lead to an inaccurate and potentially dangerous perception of security.
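The roll-up described above, as an added example (not VITG's or the ACSC's tooling): the overall level is the lowest level across the eight strategies, and a strategy only reaches level N when every requirement at levels 1 to N is met. The per-strategy levels are copied from the table on this page; the function names, the pass/fail input shape and the use of 0 for "Level 1 not met" are assumptions of this sketch.

```python
from statistics import mean

# Per-strategy maturity levels copied from the comparison table on this page.
VITG = {
    "Application Control": 2, "Patch Applications": 2,
    "Configure Office Macros": 2, "User Application Hardening": 3,
    "Restrict Admin Privileges": 2, "Patch Operating Systems": 1,
    "Multi-factor Authentication": 2, "Regular Backups": 2,
}
OTHER_MSP = {
    "Application Control": 2, "Patch Applications": 3,
    "Configure Office Macros": 1, "User Application Hardening": 2,
    "Restrict Admin Privileges": 1, "Patch Operating Systems": 2,
    "Multi-factor Authentication": 1, "Regular Backups": 3,
}

def strategy_level(results):
    """Highest level N for which every requirement at levels 1..N is met.

    results maps maturity level -> list of pass/fail booleans, one per
    control requirement. A failed or unassessed level stops the climb, so
    passing Level 3 checks cannot make up for a gap at Level 2.
    """
    achieved = 0  # assumption: 0 means Maturity Level 1 has not been met
    for level in (1, 2, 3):
        checks = results.get(level, [])
        if not checks or not all(checks):
            break
        achieved = level
    return achieved

def overall_level(levels):
    """The package is only as mature as its weakest strategy."""
    return min(levels.values())

def holding_back(levels):
    """Strategies sitting at the overall level, i.e. what to fix first."""
    low = overall_level(levels)
    return sorted(name for name, lvl in levels.items() if lvl == low)

if __name__ == "__main__":
    for label, levels in (("VITG", VITG), ("Other MSP/MSSP", OTHER_MSP)):
        print(label, "overall:", overall_level(levels),
              "average:", mean(levels.values()),
              "held back by:", holding_back(levels))
    # Constructed pass/fail results for one strategy: Level 2 has a gap.
    print(strategy_level({1: [True, True], 2: [True, False], 3: [True]}))
```

Both columns of the table roll up to Maturity Level 1 under this rule, even though the second column averages 1.875.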
In a landscape where cybersecurity matters more than ever, properly implementing and assessing the Essential Eight is critical to reducing the risk of breaches. When you partner with VITG, you’re working with an organisation that’s deeply committed to helping you make meaningful changes and move towards a more secure future.
For more information on how we can enhance your cybersecurity posture with a true Essential Eight assessment, contact us here.