Cyber security can sometimes seem unapproachable. How do you defend against so many different threat vectors? How can you secure your data when even industry leaders like Medibank get breached? How do you even know where to start?
Luckily, frameworks like the Essential Eight make it easy. In this article, we’ll explore exactly what the Essential Eight is and how SMBs can use it to build effective cyber security postures. We’ll also explain exactly what resources you need to implement each of the 8 strategies.
What Is the Essential Eight Maturity Model?
The Essential Eight is a set of cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD), a federal government body.
Each of the 8 strategies has multiple controls – technical requirements that organisations need to meet to stay compliant. Those controls increase in complexity across the 4 Essential Eight maturity levels: Maturity Level Zero (ML0), which indicates cyber security weaknesses, is the lowest, and ML3, which is designed for organisations with high risk profiles, is the highest.
The Essential Eight strategies are:
- patch applications
- patch operating systems
- multi-factor authentication
- restrict administrative privileges
- application control
- restrict office macros
- user application hardening
- regular backups.
Why Is the Essential Eight Necessary?
Think of the Essential Eight as the baseline cybersecurity standard for organisations. It’s necessary but not sufficient for a strong security posture.
Its value as a framework, though, comes from its structure. The 8 strategies have been selected through prioritisation – that is, they’re the minimum requirements to protect your organisation against cyber threats (as per the ASD’s own research). Implementing ML1, for example, will give most SMBs strong coverage without imposing an unnecessarily high security burden.
Virtually every business with 5 or more employees (and some with fewer) should aim to achieve Essential Eight ML1. In addition to the standard benefits of good cybersecurity (a lower risk of breaches equals less potential downtime, costs, and reputational damage), implementing the Essential Eight can be useful for meeting partner/supplier requirements and may actually be required by some cyber insurers.
Essential Eight Versus Other Models
The Essential Eight isn’t the only cybersecurity framework that your organisation should consider. Others include:
- the CIS Critical Security Controls Version 8, an international framework that’s essentially a more robust version of the Essential Eight
- the NIST Cybersecurity Framework 2.0, an industry-leading framework developed by the US’s National Institute of Standards and Technology
- the Information Security Manual, a holistic cybersecurity framework developed by the ASD, which has a broader scope than the Essential Eight
- ISO 27001, the international standard for infosec and cybersecurity.
Keep in mind that the above frameworks/standards may not be suitable for smaller organisations. They’re technically complex, costly to implement, and deliver an extremely high level of security coverage – which may not be necessary for SMBs with low risk profiles. Essential Eight ML1, on the other hand, is recommended for organisations of all sizes.
Implementing Essential Eight ML1
Essential Eight ML1 isn’t difficult to implement – it is designed for SMBs – but you’ll still need a competent managed service provider (MSP) or in-house team. To make the implementation process easier, this article will provide an overview of each strategy and explain the basic steps your team will need to take.
You can find the exact ML1 requirements in Appendix A of the ASD’s guide.
Patch Applications
To meet the ‘Patch Applications’ controls, you’ll need two resources:
- a vulnerability scanner like Microsoft Defender, Tenable or Rapid7
- a proactive in-house team or MSP.
Most of the controls can be addressed by deploying and correctly configuring a suitable vulnerability scanner.
Applying patches for published vulnerabilities (CVEs), though, requires manual intervention. Once a vendor has identified a CVE in their software, they’ll roll out a patch to address it, which your IT team needs to deploy. (Your vulnerability scanner will tell your team when a patch is required.) To stay compliant with ML1, you’ll need to patch critical vulnerabilities within 48 hours and non-critical ones within 2 weeks.
Your team will also need to proactively remove unused services and apps, which means they’ll need to maintain documentation that lists in-use resources.
Patch Operating Systems
Meeting the ‘Patch Operating Systems’ controls requires the same approach as ‘Patch Applications’. A good vulnerability scanner, on-time patching, and proactive retirement of legacy operating systems will generally be enough to stay compliant.
The main difference is that your IT team will need to patch critical vulnerabilities in 48 hours, non-critical vulnerabilities for internet-facing systems in 2 weeks, and non-critical vulnerabilities for non-internet-facing systems in 4 weeks.
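A small compliance check for the patching windows described in the two sections above, as an added example rather than anything from the article or the ASD: it takes scanner findings (constructed sample records with placeholder hosts, no real CVEs), applies the ML1 windows for applications and operating systems, and reports which findings are still within their window, overdue, or were patched late.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# ML1 windows from the article: apps 48 h (critical) / 2 weeks; OS 48 h / 2 weeks (internet-facing) / 4 weeks (internal).
APP_WINDOWS = {"critical": timedelta(hours=48), "non-critical": timedelta(weeks=2)}
OS_WINDOWS = {("critical", True): timedelta(hours=48), ("critical", False): timedelta(hours=48),
              ("non-critical", True): timedelta(weeks=2), ("non-critical", False): timedelta(weeks=4)}

@dataclass
class Finding:
    host: str
    component: str              # application name, or "os"
    kind: str                   # "app" or "os"
    severity: str               # "critical" or "non-critical"
    internet_facing: bool       # only changes the window for operating systems
    reported: datetime          # when the scanner first reported the missing patch
    patched: Optional[datetime] # None while the patch is still outstanding

def deadline(f: Finding) -> datetime:
    window = APP_WINDOWS[f.severity] if f.kind == "app" else OS_WINDOWS[(f.severity, f.internet_facing)]
    return f.reported + window

def assess(findings, now):
    """Return (host, component, status, days_overdue) for each finding."""
    report = []
    for f in findings:
        due = deadline(f)
        closed_at = f.patched if f.patched is not None else now
        if f.patched is not None:
            status = "compliant" if f.patched <= due else "patched-late"
        else:
            status = "open-within-window" if now <= due else "overdue"
        days_over = max(0.0, (closed_at - due).total_seconds() / 86400)
        report.append((f.host, f.component, status, round(days_over, 1)))
    return report

def summarise(report):
    return dict(Counter(status for _, _, status, _ in report))

# Constructed sample scanner output (placeholder hosts, no real CVEs), assessed as of NOW.
NOW = datetime(2024, 9, 1, 9, 0)
SAMPLE = [
    Finding("ws-01", "browser", "app", "critical", False, datetime(2024, 8, 30, 9), datetime(2024, 8, 31, 12)),
    Finding("ws-02", "pdf-reader", "app", "non-critical", False, datetime(2024, 8, 1), None),
    Finding("srv-web", "os", "os", "non-critical", True, datetime(2024, 8, 10), datetime(2024, 8, 20)),
    Finding("srv-db", "os", "os", "non-critical", False, datetime(2024, 8, 10), None),
    Finding("srv-db", "os", "os", "critical", False, datetime(2024, 8, 29, 9), None),
]
```

Run `assess(SAMPLE, NOW)` and `summarise(...)` against a real scanner export (mapped into `Finding` records) to get a per-host list of overdue items and a one-line count of how far the fleet is from the ML1 windows.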
Multi-Factor Authentication
Multi-factor authentication (MFA) is a verification method that requires an end user to combine at least two proofs of identity. The standard is: something a user knows (such as a password) plus something a user has (such as a token) and/or something a user is (such as a biometric).
To meet ML1, you’ll need MFA across your apps. Microsoft Entra can be used to provide MFA for Microsoft 365 using Microsoft Authenticator; your IT team should set up number-matching push notifications in conjunction with passphrases of 14 characters or more. Non-Microsoft apps, like your CRM, should be secured with a similar method.
Keep in mind two things when you’re implementing the ML1 MFA controls. Firstly, more doesn’t equal safer. If you make your end users complete MFA every time they use an app, they’ll become fatigued and vulnerable to MFA phishing. Secondly, MFA doesn’t guarantee safety; if an adversary breaches your defences in some other way, they can bypass MFA through an adversary-in-the-middle attack.
Restrict Administrative Privileges
‘Restrict Administrative Privileges’ is a strategy based on the principle of least privilege: every user should have only the minimum level of access needed for their role. If you don’t need it, you shouldn’t have it.
ML1 requires two categories of action:
- Create and use separate accounts for privileged and non-privileged actions (that is, a privileged account should never be used to access a non-privileged system, and vice versa).
- Where possible, prevent privileged accounts from accessing the internet.
The ML1 controls can be met by setting up separate accounts and then configuring role-based accesses in Microsoft Entra (which can also log privileged activity). Privileged accounts can be blocked from the internet by removing their relevant Microsoft 365 licenses and then implementing a cloud proxy.
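One way to check that account separation is actually being followed, as an added example and not code from the article: it audits a sign-in export for privileged accounts touching non-privileged systems or the internet, and for non-privileged accounts performing privileged actions. The `adm-` naming convention, the resource categories and the CSV layout are assumptions; the log lines are constructed.

```python
import csv
from collections import Counter
from io import StringIO

# Assumptions (not from the article): privileged accounts carry an "adm-" prefix, and each
# sign-in record already carries a coarse category for the resource it reached.
PRIVILEGED_PREFIX = "adm-"
ADMIN_CATEGORY, OFFICE_CATEGORY, INTERNET_CATEGORY = "admin", "office", "internet"

# Constructed sign-in export (made-up users, resources and times, not real data).
SAMPLE_LOG = """timestamp,user,resource,category
2024-09-02T08:01:00,alice,Exchange Online,office
2024-09-02T08:05:00,adm-alice,Entra admin centre,admin
2024-09-02T08:20:00,adm-alice,Exchange Online,office
2024-09-02T09:10:00,adm-bob,news.example,internet
2024-09-02T09:30:00,bob,Intune admin centre,admin
2024-09-02T10:00:00,adm-bob,Domain controller RDP,admin
"""

def is_privileged(user: str) -> bool:
    return user.startswith(PRIVILEGED_PREFIX)

def check_event(user: str, category: str):
    """Return None if the sign-in respects account separation, else a finding label."""
    if is_privileged(user) and category == INTERNET_CATEGORY:
        return "privileged account reached the internet"
    if is_privileged(user) and category == OFFICE_CATEGORY:
        return "privileged account used for non-privileged work"
    if not is_privileged(user) and category == ADMIN_CATEGORY:
        return "non-privileged account performed privileged action"
    return None

def audit(log_text: str):
    """Parse the export and return (findings, per-user violation counts)."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        label = check_event(row["user"], row["category"])
        if label:
            findings.append((row["timestamp"], row["user"], row["resource"], label))
    per_user = Counter(user for _, user, _, _ in findings)
    return findings, per_user
```

Accounts that keep appearing in `per_user` are the ones where the separate-account rule is not sticking in practice, regardless of what the role assignments in Entra say.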
Application Control
Application control refers to automatically blocking specific executables, which helps prevent malicious code from spreading through your systems. You can meet the ML1 controls through Microsoft AppLocker (which comes standard with all enterprise Windows editions) or Defender Application Control (which is necessary for more complex environments).
Many issues with application management can be solved by implementing the ML1 ‘Restrict Administrative Privileges’ controls. Once your IT team limits administrative access to essential personnel and implements an application allow list, you should eliminate the majority of unapproved downloads.
Restrict Office Macros
Microsoft Office macros are commands that allow users to automate tasks in Microsoft applications like Word and Excel. They’re also often used by adversaries to execute malicious code, which is why ML1 requires restricting their use.
As of July 2024, Office applications automatically block macros in files that originated from the internet. That means your IT team can disable all macro usage by default using Intune (exempting users who have demonstrated business requirements). A security app like Defender will automatically scan for malicious macros.
User Application Hardening
Like ‘Restrict Office Macros’, ‘User Application Hardening’ is likely already implemented, to an extent, by your organisation’s use of Windows 11 and Microsoft 365. Internet Explorer 11 and Java aren’t installed on Windows 11, which means you’ll only need to disable them if your organisation is running on legacy systems.
The other two controls – disabling ad processing by browsers and removing the ability for end users to change security settings – can both be accomplished by setting Intune policies.
Regular Backups
Unlike most of the ML1 strategies, the ‘Regular Backups’ controls aren’t particularly specific. As long as you have a secure backup solution in place – and test it regularly – you’ll be compliant.
With that said, not all backups are created equal. Aim to follow the 3-2-1-1-0 rule, which means having:
- 3 different copies of data
- stored on at least 2 different media
- with one copy stored offsite
- one copy kept offline (air-gapped) or immutable
- and zero errors following backup recoverability verification.
We typically recommend combining a solution like Veeam or Commvault with air-gapped, offsite backups and immutable blob storage in Azure. (‘Air-gapping’ is almost exactly what it sounds like – tape backups that are physically separated from your network and isolated in cold storage, preferably in a different city).
Next Steps
Good cyber security doesn’t mean an enterprise software stack or a bloated annual budget. It can be as simple as Essential Eight ML1 – infosec fundamentals that, together, substantially reduce your attack surface.
Of course, ‘fundamental’ doesn’t equal ‘easy to implement’. You still need an IT partner that understands how the Essential Eight should be implemented, especially if you’re operating a more complex computing environment. And you need the right implementation approach, one that balances operational and budget realities with security requirements.
We’ve helped more than 500 organisations across Australia become Essential Eight-compliant across all three maturity levels. If you’re interested in what that could look like for your business – or if you want an unbiased evaluation of your current security posture – schedule a consultation with us.