Understanding and Implementing the ACSC’s Essential Eight

In the complex world of cybersecurity, it’s easy for businesses to feel overwhelmed. Where do you even begin? In Australia, the answer is clear: the ACSC’s Essential Eight.

Developed by the Australian Cyber Security Centre, the Essential Eight is a powerful, yet simple, set of baseline mitigation strategies designed to make it much harder for cybercriminals to compromise your systems. For many businesses, particularly those looking to enhance their cyber resilience and meet foundational compliance standards, it is the most crucial first step.

At Orro, we see the Essential Eight not just as a checklist, but as a framework for building a truly secure and resilient business. We provide the expertise and technology to help you implement these controls and assess your security maturity, turning a compliance requirement into a competitive advantage.

The Eight Strategies That Matter Most

The Essential Eight is broken into three main objectives: preventing attacks, limiting their impact, and enabling quick recovery. Each of the eight strategies contributes to at least one of these goals.

1. Application Control

  • What it is: A policy that prevents the execution of unapproved applications on your systems. It’s like a security bouncer at a club, only letting in those on the approved guest list.
  • Why it’s essential: It directly prevents the most common types of malware (including ransomware) from running on your computers.

2. Patch Applications

  • What it is: The process of applying security patches to fix vulnerabilities in your software.
  • Why it’s essential: Cybercriminals actively seek out and exploit unpatched vulnerabilities in common applications. Regular patching closes these security loopholes before they can be used against you.

3. Configure Microsoft Office Macro Settings

  • What it is: Disabling or restricting the use of macros in Microsoft Office files that originate from the internet.
  • Why it’s essential: Malicious macros are a very common way that malware is delivered via email attachments. This simple control blocks a primary attack vector.

4. User Application Hardening

  • What it is: The process of disabling unnecessary features in web browsers, PDF viewers, and other common applications that could be exploited.
  • Why it’s essential: It reduces your “attack surface,” making it harder for an attacker to use legitimate software for malicious purposes.

5. Restrict Administrative Privileges

  • What it is: Limiting who has high-level access to your systems and data.
  • Why it’s essential: If an account with administrative privileges is compromised, an attacker can take full control of your network. Restricting these accounts minimizes the damage a single breach can cause.

6. Patch Operating Systems

  • What it is: Regularly updating and patching operating systems like Windows and macOS.
  • Why it’s essential: Similar to patching applications, this is a critical step to fix vulnerabilities that could be exploited by an attacker to gain access to your network.

7. Multi-Factor Authentication (MFA)

  • What it is: Requiring a second form of verification (like a code from your phone) in addition to a password to log in.
  • Why it’s essential: It’s arguably the single most effective control. It makes it extremely difficult for a criminal to gain access to an account, even if they have a stolen password.

8. Regular Backups

  • What it is: Creating and storing copies of your critical data in a separate, secure location.
  • Why it’s essential: This is your last line of defence. In the event of a successful ransomware attack or system failure, a robust backup strategy ensures you can recover all your data and continue business operations without paying a ransom.

Your Path to Maturity: The Essential Eight Model

The Essential Eight isn’t an “all-or-nothing” framework. It’s built on a maturity model, allowing you to progressively improve your security posture over time.

  • Maturity Level 1: Your defence against opportunistic, widely available cyber threats. This is the recommended baseline for any Australian SMB.
  • Maturity Level 2: A strong defence against more targeted, sophisticated adversaries who are willing to invest time and effort to compromise your business.
  • Maturity Level 3: Resilience against highly advanced and well-resourced cyber adversaries.

Orro’s Approach: Your Partner in Essential Eight Implementation

While the framework is simple, implementation can be complex, especially for small to medium businesses with limited IT resources. This is where Orro’s expertise becomes your most valuable asset.

Our services are designed to help you not only understand but also achieve the right level of maturity for your business.

  • Security Maturity Assessment: We start with a comprehensive assessment to determine where you currently stand against the Essential Eight framework. We provide a clear, actionable report that outlines your current maturity level and the specific steps needed to improve.
  • Managed Services: We can take the burden of implementation off your hands. Orro’s Managed Security services include ongoing management of patching, MFA, and vulnerability management, all aligned to the Essential Eight. Our Australian-based Security Operations Centres (SOCs) work 24/7 to monitor and protect your assets.
  • Expert Guidance: Our team of certified security consultants works with you to develop a customised roadmap to achieve your target maturity level, balancing security with the practical needs of your business. We ensure that your security investments deliver a measurable return by protecting your business from the most pressing threats.

For any Australian business, the Essential Eight is the foundation of a secure future. Partner with Orro to build that foundation with confidence.
