September 27, 2021

What is the Essential Eight Maturity Model?

What you need to know about the ACSC’s Essential Eight Maturity Model and how your organisation can implement it to protect against cyber threats.

All About the Essential Eight Maturity Model

In July this year, while the whole of Australia was preoccupied with talks of lockdowns and COVID-19 spreads, the Australian Cyber Security Centre (ACSC) was busy rolling out new advice on the implementation of the Essential Eight for organisations.

The Essential Eight Maturity Model defines how Australian organisations should protect themselves against various cyber threats. Still feeling baffled? Let’s talk some more about what Essential Eight is, and how you can comply.

What is the Essential Eight Maturity Model?

The Essential Eight Maturity Model is a set of mitigation strategies developed by the ACSC that can help organisations fight off common attack vendors. This framework is specifically designed for Microsoft Windows-based Internet-connected networks, and is particularly useful for small to medium businesses that want to improve security controls.

The model is divided into eight strategies (hence the name) which fall under three broader objectives:

  1. Prevent malware attacks
  2. Limit the extent of cybersecurity incidents
  3. Recover data & systems

But what’s all this talk about “maturity”? Basically, there are increasing levels of maturity to an organisation’s cybersecurity measures. Once a business has reached Level 3 maturity, it is fully aligned with the intent of the mitigation strategy. 

What does that mean for your organisation?

The idea is that organisations use the Essential Eight Maturity Model as a baseline for their cybersecurity strategies. Once Maturity Level One is implemented, your business should aim to move up until you make it to Level Three, and your data is as protected as it can be.

How to implement the Essential Eight

In order to implement the Essential Eight, the first step for organisations is identifying the most suitable target maturity level. It’s then a case of working through each maturity level until you achieve that target.

Before moving onto a higher level, it’s important that you achieve the same maturity level across all eight mitigation strategies. Use a risk-based approach and take measures to minimise impact to users and systems. 

Organisations are required to self-assess themselves against the guidelines - there’s no need to call in an independent party to certify your Essential Eight implementation.

What are the Essential Eight strategies?

Mitigation strategies to prevent malware attacks

  • Application whitelisting - define the programs you trust to prevent the execution of malicious applications.
  • User application hardening - the ACSC recommends locking down, uninstalling and disabling the features and applications you don’t need. Configure web browsers to block Flash, ads and Java.
  • Patch applications - update or patch those applications with publicly identified vulnerabilities.
  • Configure Microsoft Office macro settings - block macros from the internet, to protect against word documents with malicious code.

Mitigation strategies to limit the extent of cybersecurity incidents

  • Restrict administrative privileges - restrict privileges to operating systems and applications based on user duties, and carry out regular audits.
  • Patch operating systems - patch/mitigate computers that have extreme risk vulnerabilities. Always use the latest, supported versions.
  • Implement multi-factor authentication - all users should require MFA to get access to systems.

Mitigation strategies to recover data & systems

  • Carry out daily backups - backup data and software, store it off-site and keep hold of it for at least three months.

Book a consultation

The updated guidelines from the Australian Cyber Security Centre are a lot to take in - we know! That’s why The IT Department helps to make sure your organisation is in compliance and has maximum protection from cyber threats. Book a consultation and let us take the weight off your shoulders.

Contact us

Let's talk
Learn more about

Learn more

Keep reading

What is VoIP?

Business Continuity Planning

Need help with your IT services?

See all Services
Subscribe to our newsletter for great monthly business resources.
Join Us!