​The Essential Eight comprises eight mitigation strategies local governments should employ to help address cybersecurity concerns, reduce the impact of cyber-attacks, and improve security controls.

Recommended by the Australian Signals Directorate (ASD), in conjunction with the Australian Cyber Security Centre (ACSC), the Essential Eight are a strong foundation for building your cybersecurity framework – particularly as businesses are increasingly targeted and at risk of incurring significant losses.

What does the ASD Essential Eight cover?

1. Application Control
   Monitors and restricts applications from executing malicious codes and can assist in the prevention of installing unapproved applications.

2. Patch Applications

   Patch management is critical to ensure systems and applications stay updated. Patches can often fix known vulnerabilities which could provide hackers with easy entry points into your business environment.

3. Configure Microsoft Office macro settings

   Macros are very powerful and are commonly used to automate regular tasks to save time. However, they can pose a security risk. Cyber criminals can embed macros in MS Office documents which have the capability to manipulate and delete files or download malware. A user or third party with malicious intent has the ability to introduce very destructive macros in order to spread a virus onto your computer or into your network.

4. User application hardening

   This is essentially a regular clean out of old tools or applications, keeping only what is required.

5. Restrict administrative privileges

   Users that carry admin privileges can make significant changes in the IT environment. They are able to reconfigure devices, modify critical controls, access critical systems, applications and sensitive data. Hackers constantly target individuals with this level of access to give them greater avenues to distribute malicious code.

6. Use Multi-factor authentication

   Multi-factor authentication requires the user to provide two or more verification methods to access applications, accounts and VPNs. This additional verification makes it more difficult for a hacker to get into your business network and limits their ability to move around.

7. Patch Operating Systems

   Patching is essential for keeping your IT systems and applications safe from hackers attempting to exploit vulnerabilities. When a high severity vulnerability is found, it is important to patch this within 48 hours to lessen the likelihood of it being exploited.

8. Daily backups
   To protect your business data, it is crucial to ensure it is backed up and stored with the appropriate level of retention. There are a number of different backup strategies you can use to suit your organisation's risk appetite.

There are three maturity levels that have been defined for each mitigation strategy. These have been created to help organisations determine the maturity of their implementation of the Essential Eight and make an assessment on their cybersecurity posture. The maturity levels are:

• Maturity Level One: Partly aligned with the intent of the mitigation strategy.
• Maturity Level Two: Mostly aligned with the intent of the mitigation strategy.
• Maturity Level Three: Fully aligned with the intent of the mitigation strategy.

There is a view that ACSC will update their advice around the essential eight with  a strengthened focus on using a risk-based approach rather than a compliance-based approach, as many organisations have legacy systems, carry technical debt or have systems that aren't based upon secure-by-design principles which inhibits full implementation of  advice.

The Essential Eight is broadly aimed at providing organisations with a baseline of maturity on some of its key cyber security measures. It aims to reduce the threat landscape, implement key tools to better control access and assist organisations in recovering their data in the event of a cyber-attack.

To discuss your current cyber protection, please contact your LGIS member services account manager, or for more information on the Essential Eight, please contact the LGIS risk management team on 94838868.