
Essential Eight: A Breakdown of the Mitigation Strategies + Compliance Checklist

December 19, 2024

Author: Anna Fitzgerald, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Compliance Manager

Cybercrime continues to surge in Australia as well as other parts of the world. According to the latest Cyber Threat Report by the Australian Signals Directorate (ASD), a cyber attack occurs every six minutes on average.

To help businesses defend themselves against the rapidly evolving cyber threat landscape, the ASD developed prioritized mitigation strategies in an IT security framework known as the Essential Eight. 

In this blog, we’ll explore the Essential Eight, its maturity model, and how organizations can implement it to strengthen their cybersecurity posture.

What are the Essential Eight?

The Essential Eight refers to a baseline of eight mitigation strategies developed by the Australian Signals Directorate to help organizations protect themselves against a range of cyber threats. Each strategy is made up of specific security controls intended to protect Australian companies, their systems, and their data.

You can find an overview of each of the strategies below. 

1. Patch applications

This strategy involves two key components.

First, organizations should leverage technology, such as vulnerability scanners and patch management tools, to identify and address vulnerabilities. Vulnerability scanners help detect outdated applications and missing patches in the system.

Second, a robust vulnerability management process is essential. This process should outline steps to scan, discover, assess, prioritize, and address vulnerabilities. Organizations must also ensure systems are integrated with automated scanners or implement alternative solutions, like setting up email notifications from vendors. When automated tools aren't feasible, organizations should rely on vendor documentation to assess patch levels and conduct manual audits. 

It’s also important to remove or decommission any applications or services that are no longer used or no longer supported by their vendor.

Achieving maturity under this control depends on timely patch deployment and management, a defined patching schedule, and clearly assigned responsibilities, including roles and responsibilities related to the ownership of vulnerability scanning and patch management.
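The scan, assess and prioritize steps above can be expressed as a small compliance check. This is an added example, not code from the post or from the ASD; the hosts, applications, advisories and the per-severity patching windows are constructed assumptions, and the windows should be replaced with the organization's own patching schedule.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy for the example: days allowed from vendor release to deployment.
WINDOW_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 30}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Installed:
    host: str
    app: str
    version: tuple          # e.g. (2, 3, 0); tuples compare component-wise

@dataclass(frozen=True)
class Advisory:
    app: str
    fixed_version: tuple    # first version that contains the fix
    severity: str
    released: date          # date the vendor published the patch

@dataclass(frozen=True)
class Finding:
    host: str
    app: str
    severity: str
    days_outstanding: int   # days since the patch was released
    overdue_by: int         # 0 while still inside the patching window

def assess(inventory, advisories, today):
    """Discover missing patches and rank them: overdue first, most overdue
    next, then by severity, so remediation starts with the largest exposure."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv.app != item.app or item.version >= adv.fixed_version:
                continue  # different application, or already patched
            outstanding = (today - adv.released).days
            overdue = max(0, outstanding - WINDOW_DAYS[adv.severity])
            findings.append(Finding(item.host, item.app, adv.severity, outstanding, overdue))
    findings.sort(key=lambda f: (f.overdue_by == 0, -f.overdue_by, SEVERITY_RANK[f.severity]))
    return findings

# Constructed sample data: hypothetical hosts, applications and advisories.
INVENTORY = [
    Installed("web-01", "acme-web", (2, 3, 0)),
    Installed("ws-17", "acme-web", (2, 4, 1)),
    Installed("ws-17", "pdf-reader", (11, 0, 0)),
    Installed("db-02", "pdf-reader", (11, 0, 5)),
]
ADVISORIES = [
    Advisory("acme-web", (2, 4, 0), "critical", date(2024, 12, 1)),
    Advisory("pdf-reader", (11, 0, 5), "high", date(2024, 12, 10)),
    Advisory("pdf-reader", (11, 1, 0), "medium", date(2024, 12, 17)),
]
TODAY = date(2024, 12, 19)

if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES, TODAY):
        state = f"OVERDUE by {f.overdue_by}d" if f.overdue_by else "within window"
        print(f"{f.host:8} {f.app:12} {f.severity:9} {f.days_outstanding:3}d  {state}")
```

In practice the inventory comes from the vulnerability scanner or asset register and the advisories from vendor feeds; the ranking logic is what turns that data into a defined, auditable patching order.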

2. Patch operating systems

Operating systems, especially those on workstations and internet-facing servers and network devices, must be patched promptly and/or automatically to reduce exposure to threats.

Malicious actors frequently target unsupported operating systems or those with known vulnerabilities and public exploits. Regular patching helps safeguard against these threats and ensures systems remain secure.

3. Multi-factor authentication

Multi-factor authentication (MFA) is one of the most effective measures to prevent unauthorized access to sensitive systems and data.

By requiring users to verify their identity using an additional factor—such as a physical token, smartcard, mobile device, or biometric (e.g., fingerprint or iris scan)—MFA creates an additional layer of defense. Proper implementation significantly hinders attackers from exploiting stolen credentials for malicious activities.

4. Restrict administrative privileges

Administrative privileges are a prime target for attackers as they allow control over critical systems, applications, and infrastructure.

Limiting privileged access through a multi-layered security approach makes it more difficult for adversaries to compromise these credentials. This includes implementing least privilege as well as ensuring that unauthorized users cannot access privileged operating environments. This reduces the risk of unauthorized changes and malicious activity within the network.

5. Application control

Application control restricts the execution of unauthorized or malicious software on systems. This approach ensures that only pre-approved executables, libraries, scripts, installers, websites, and drivers are allowed to run. It’s important for organizations to apply application control to internet-facing servers and to maintain blocklists as well. Application audit logging, and timely incident response when those logs show a blocked or suspicious execution, are also important components of application control.

In addition to blocking malware, application control can prevent the use of unapproved or potentially harmful applications, enhancing overall security.

6. Restrict Microsoft Office macros

Microsoft Office files can contain embedded code written in the Visual Basic for Applications (VBA) programming language, known as macros, that can be used to automate repetitive tasks. While macros can improve user productivity, they can serve as a vector for malicious activity. 

To mitigate this risk, organizations can implement secure macro management practices, such as disabling macros by default, scanning of macros, macro access controls, allowing only those signed by trusted publishers, or restricting their use to secure locations.

7. User application hardening

Hardening applications on workstations reduces the risk of exploitation through malicious websites, emails, or removable media. This strategy involves applying security configurations to software such as web browsers, PDF readers, and Microsoft Office to minimize vulnerabilities, helping protect sensitive information from potential attacks.

8. Regular backups

Regular backups protect vital data from loss due to hardware failures, theft, natural disasters, accidental deletions, corruption, or malware infections. Implementing a robust backup strategy can vary depending on an organization’s needs but is critical for maintaining operational continuity and recovering from incidents effectively. It’s also important to implement access controls around who has access to data backups. 

While this baseline isn’t guaranteed to protect against all cyber threats, these eight essential mitigation strategies are designed to work together to reduce the risk of cyber incidents and their impact.


What is the purpose of the Essential Eight?

The Essential Eight aims to help organizations, mainly those in Australia and/or working with Australian companies or users, mitigate cyber risks effectively by addressing common vulnerabilities and attack methods, reducing the likelihood of security breaches.

More specifically, the Essential Eight has been designed to protect internet-connected information technology networks. It may be applied to enterprise mobility and operational technology networks, but that is not its purpose.

This framework is particularly valuable as it emphasizes proactive defense rather than reactive measures, aligning with best practices for long-term cybersecurity resilience. So while implementing the Essential Eight takes time, money, and effort, it is less costly than what it takes to respond to a large-scale cyber security incident.


Who do the Essential Eight apply to?

The Essential Eight is mandatory for all non-corporate Australian Commonwealth entities. However, it is universally applicable and is considered best practice for enhancing cybersecurity globally. Any organization, regardless of size or industry, can adopt the framework voluntarily, as the strategies provide foundational security measures applicable to any environment.

Essential Eight maturity model

The Essential Eight maturity model (E8MM) can be used in two ways. First, and primarily, it can be used to assist organizations in implementing the Essential Eight in a gradual manner based on the different levels of tradecraft and targeting used by malicious actors. Second, it can also be used to assess an organization’s cybersecurity maturity. 

The E8MM consists of three levels. The maturity levels build on one another, with each level representing a step towards a more resilient cybersecurity posture. This allows the framework to adapt to different organizational needs. Higher maturity levels require organizations to implement more controls for each mitigation strategy. For example, there are seven controls associated with multi-factor authentication at Level One and twelve controls at Level Two.

Organizations will need to meet the previous level in order to get compliant with the next level. For example, an organization must be compliant with Maturity Level One prior to getting compliant with Maturity Level Two. 

Some organizations may be contractually obligated to implement a particular maturity level. Maturity Level 2 is a mandatory baseline for non-corporate Commonwealth entities subject to the Department of Home Affairs’ Protective Security Policy Framework, for example. Other organizations may target a maturity level based on their size and risk profile.

Below is an overview of the three maturity levels. Note that the maturity model does include Maturity Level Zero for organizations that fail to meet the requirements of Maturity Level One. 

Maturity Level One

Generally, Maturity Level One is suitable for small to medium businesses. 

This level focuses on protecting against adversaries who use widely available tools and basic techniques to gain access to a system. They tend to seek common weaknesses, such as a publicly available exploit for a vulnerability in a popular online service, across as many victims as possible rather than targeting specific victims.

Maturity Level Two

Generally, Maturity Level Two is suitable for medium to large enterprises.

This level is designed to protect against adversaries with more sophisticated methods, time, and targeting than the previous level. These adversaries are likely to invest more time and employ well-known but effective tools to bypass a target victim’s controls and evade detection. They tend to be more selective in their targeting, seeking user accounts with special privileges, but are still somewhat conservative in the time, money and effort they may invest in a target.

Maturity Level Three

Generally, Maturity Level Three is suitable for critical infrastructure providers, large corporate businesses with mature compliance and security postures, and other organizations that operate in high threat environments.

This level is designed to provide the highest level of defense against adversaries that use adaptive, highly sophisticated, and lesser known methods to target specific victims. These malicious actors act swiftly when exploits become publicly available or if the target victim has other weaknesses in their security posture, like using older software or inadequate logging and monitoring, in order to gain access to their networks. 

Their goal is to not only gain a foothold, but to evade detection so they have time to gain privileged credentials or password hashes in order to spread to other parts of the network. These adversaries typically have the skills and time to invest in inflicting serious damage on their targets, like destroying all data including backups. 
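The two scoring rules the maturity model section states, that a strategy reaches a level only when every control at that level is implemented and that a level counts only once the previous level is already met, can be checked mechanically over assessment results. This is an added example, not code from the post or from the ASD's assessment process; control identifiers and counts are constructed placeholders except for the seven and twelve MFA controls the post cites.

```python
STRATEGIES = (
    "patch_applications", "patch_operating_systems", "multi_factor_authentication",
    "restrict_admin_privileges", "application_control", "restrict_office_macros",
    "user_application_hardening", "regular_backups",
)
LEVELS = (1, 2, 3)

def strategy_level(results_by_level):
    """results_by_level maps level -> {control_id: implemented?}.
    Returns the highest level L such that every level 1..L has all of its
    controls implemented; a gap at Level One means Level Zero."""
    achieved = 0
    for level in LEVELS:
        controls = results_by_level.get(level)
        if not controls or not all(controls.values()):
            break  # levels are cumulative, so stop at the first gap
        achieved = level
    return achieved

def organization_level(assessment):
    """assessment maps strategy -> results_by_level. The organization sits at
    the lowest level reached by any of the eight strategies."""
    per_strategy = {s: strategy_level(assessment.get(s, {})) for s in STRATEGIES}
    return min(per_strategy.values()), per_strategy

def gaps(assessment, target_level):
    """Failing controls at or below the target level, Level One first, since
    those must be closed before higher-level controls count."""
    found = []
    for strategy in STRATEGIES:
        for level in LEVELS[:target_level]:
            for cid, ok in assessment.get(strategy, {}).get(level, {}).items():
                if not ok:
                    found.append((level, strategy, cid))
    return sorted(found)

def _controls(level, count, failing=()):
    # Constructed control results; "ML2-3" style ids are placeholders.
    return {f"ML{level}-{i}": i not in failing for i in range(1, count + 1)}

# Constructed sample: MFA uses the counts the post cites (7 at Level One, 12 at
# Level Two); other counts are placeholders. Application control fails one
# Level Two control, which caps the whole organization at Level One.
SAMPLE = {s: {1: _controls(1, 5), 2: _controls(2, 8)} for s in STRATEGIES}
SAMPLE["multi_factor_authentication"] = {1: _controls(1, 7), 2: _controls(2, 12), 3: _controls(3, 9)}
SAMPLE["application_control"][2] = _controls(2, 8, failing={3})

if __name__ == "__main__":
    level, detail = organization_level(SAMPLE)
    print(f"Organization maturity level: {level}")
    for strategy, reached in detail.items():
        print(f"  {strategy:28} Level {reached}")
    print("Gaps to close for Level Two:", gaps(SAMPLE, 2))
```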


How to implement the Essential Eight

Implementing the Essential Eight effectively requires a strategic approach. Below is a detailed breakdown of each step to guide your organization:

1. Assess current security measures

Begin with a comprehensive audit of your existing cybersecurity controls and practices to identify gaps in your defenses, such as unpatched systems, a lack of multi-factor authentication, or insufficient data backup processes. This assessment should include input from IT teams, security experts, and external consultants if necessary. 

Use this information to map your organization’s current state against the Essential Eight maturity model.

2. Determine the desired maturity level

Next, choose the maturity level that aligns with your organization's contractual requirements, risk profile, and/or operational needs. 

For example, smaller organizations with lower risk profiles may initially target Maturity Level 1 while planning for gradual advancement. Conversely, if your organization handles highly sensitive data or is a frequent target of cyberattacks, aim for a higher maturity level.

3. Develop an implementation plan

Create a detailed plan that outlines the steps, resources, and timelines required for each strategy. 

This may involve:

  • Assigning clear roles and responsibilities to team members to ensure accountability.
  • Considering potential challenges, such as system compatibility issues or resource constraints.
  • Developing contingency plans to address those challenges.
  • Including milestones for regular progress checks to keep the implementation on track.

4. Prioritize strategies within each level

Not all strategies need to be implemented simultaneously. Start with those that address your most critical vulnerabilities or have the greatest impact on reducing risks. For instance, implementing multi-factor authentication (MFA) and restricting administrative privileges can significantly enhance security quickly. 

Use a risk-based approach to sequence the implementation of the remaining strategies.

5. Use a staged approach

The ASD recommends that organizations progressively implement and assess their implementation of each maturity level until their target maturity level is achieved. That means if you’re targeting Maturity Level Three, you should consider implementing all Level One requirements and validating the correctness and robustness of your implementation before doing the same for Level Two and then Level Three requirements.

6. Conduct an assessment

In order to achieve your target maturity level, an assessor needs to determine whether all controls associated with each of the mitigation strategies at the target level have been implemented effectively.

This assessment can be conducted through internal audits or by external auditors. Since there is no list of authorized auditors for Essential Eight, any certified independent assessor or auditor can conduct the assessment. 

7. Regularly review and update your implementation

Cyber threats are constantly evolving, making it essential to regularly review and update your implementation of the Essential Eight. 

Conduct periodic reassessments to ensure continued alignment with your desired maturity level and make adjustments as needed. Incorporate feedback from security incidents, audits, and threat intelligence to improve your strategies over time.

Essential Eight Checklist

Download this checklist to guide your organization in systematically adopting the Essential Eight to enhance your defenses against cyber threats while fostering a culture of continuous improvement.


This checklist aligns with the Essential Eight strategies and provides high-level, actionable steps to implement each mitigation strategy. By using this checklist to address each area systematically, you can enhance your resilience against threats and improve your overall cybersecurity.

How Secureframe can help simplify Essential Eight implementation

Secureframe simplifies compliance for organizations aiming to implement frameworks like the Essential Eight. In a recent survey conducted by UserEvidence, 86% of Secureframe users said they reduced time and effort maintaining compliance. 66% said they have saved 5-10 hours per week on security and compliance tasks since implementing Secureframe. 20% said they saved more than 20 hours per week. 

Here are some key features and capabilities that make it faster and easier to meet your target maturity level requirements:

  • Automated workflows: Secureframe simplifies Essential Eight control implementation with automated workflows for evidence collection, risk assessments, policy management, continuous monitoring, and more.
  • Expert guidance: Secureframe customers can work with our in-house team of compliance managers to address any complex requirements and get personalized advice based on their unique risks, industry requirements, and clients.
  • Policies developed by experts: Secureframe offers policies and procedure templates, developed and vetted by compliance experts for all out-of-the-box frameworks, including Essential Eight. You can easily publish this documentation, assign them to owners, and track policy acceptance and regular review with Secureframe's policy management tools.
  • Control mapping: Secureframe automatically maps the controls you already have in place for one framework like Essential Eight to other in-demand frameworks like SOC 2 to make it faster and easier to achieve compliance with multiple standards.
  • Automated gap analysis: With over 220 deep integrations, you can pull in all the compliance data you need and get a constantly evolving, up-to-date gap analysis for each framework your organization is pursuing, so you know exactly where your systems fall short in protecting customer data and can create a remediation plan to bring them in line before an assessment.
  • AI innovations: Secureframe continues to lead in AI-driven compliance innovation. You can use AI to automate the process of remediating failing controls, completing risk assessments, creating and editing policies, and more, further simplifying the path to audits and continuous compliance.
  • Readiness dashboard: Secureframe’s centralized dashboard provides real-time insights into compliance status, helping your organization quickly identify and address potential gaps in your Essential Eight implementation so you have peace of mind going into an assessment. 
  • Continuous monitoring: Secureframe continuously monitors your security controls, automatically identifying compliance gaps, misconfigurations, and failing controls. This enables you to maintain a strong security posture and continuous compliance without the need for constant manual checks.

Request a demo of Secureframe to see how you can streamline the Essential Eight implementation process, save time, and focus on building a resilient cybersecurity posture.

About the UserEvidence Survey

The data about Secureframe users was obtained through an online survey conducted by UserEvidence in December 2024. The survey included responses from 154 Secureframe users across the information technology, consumer discretionary, industrials, financial, telecommunications, consumer staples, and healthcare industries.

FAQs

Is the Essential Eight mandatory?

In March 2022, the Attorney-General’s Department mandated the Essential Eight for all non-corporate Commonwealth entities through amendments to the Protective Security Policy Framework. While not mandatory for all organizations, it is recommended to establish a baseline against various cyber threats.

How does the Essential Eight differ from other frameworks?

The Essential Eight focuses on practical, actionable strategies for protecting organizations’ internet-connected information technology networks. Other frameworks may have broader or industry-specific requirements.

Can small businesses implement the Essential Eight?

Yes, small businesses can adopt the Essential Eight, starting with Maturity Level One and scaling their efforts over time.

How long does it take to implement the Essential Eight?

The timeline varies depending on organizational size, complexity, and maturity level goals, but a phased approach can make the process more manageable.
