24 Oct
Is Essential Eight enough protection for your organisation?
In 2021, the Australian federal government introduced a mandate for its non-corporate agencies to comply with the Essential Eight cybersecurity controls by July 2022. Since then, it has become even clearer that organisations of every kind have a responsibility to strengthen their cybersecurity protections. But as a framework described by its cyber-savvy creators as ‘a series of baseline mitigation strategies’, is Essential Eight worth bothering with?
The answer can only be yes. For any organisation that wants to stand up and be counted as taking a responsible approach to its obligations – to customers, employees, shareholders and, in some cases, the public interest – Essential Eight is a compelling framework that will undoubtedly improve any organisation’s security posture.
What is Essential Eight? In summary, it is a set of best-practice recommendations defined by the Australian Cyber Security Centre (ACSC). The Essential Eight is one pillar among others in the ACSC’s Strategies to Mitigate Cyber Security Incidents. Its intent is to provide guidance on eight key themes, which can be found here: Essential 8.
Like most things in security, there is a maturity model that provides a way to measure and manage your current state and supplies a pathway to your future state. Whilst this journey is different for every company, the goal of attaining your desired level of maturity is the same.
How Essential Eight can help
As we have seen through many client engagements, organisations can be challenged in finding the time and resources to make an effective assessment of their cyber defences, and then in developing a plan and taking action to fill the gaps. Cyber protection is high on the agenda for the C-suite, as referenced by KPMG’s Keeping us up at night report. This report highlights that, for 2022, dealing with cyber-vulnerability is the second most pressing issue for CEOs, after talent acquisition and retention to meet a more digitised future.
Whilst it is one of the most pressing issues most businesses face, there are other factors and blockers that may slow down the rate of adoption for enhancements such as the Essential Eight. Many organisations are still dealing with the aftershocks of COVID and the increased costs of doing business, not to mention the downward pressure of the current economic climate.
Any form of transformation puts a lot of pressure on the bottom line, so many businesses are asking, now more than ever, whether it is the right time. Can they balance the immediate need against economic forces such as reduced revenue and a much more competitive market in order to ‘weather the storm’? Conversely, can businesses afford to be recalcitrant? Can they afford a breach and the impact this would have on their brand and their customers? I think not, so what do you do?
The immediate move would be to rapidly evolve their technology offering to make sure they can compete in the employee experience stakes, which would drive higher value with employees and therefore output: an increase in quality and value, not just quantity.
With a more mature technology adoption strategy, these advances can be achieved in tandem with a cyber security uplift. But when organisations are making the pivot to remote or hybrid working, there can be a trade-off between the flexibility employees expect and the protections needed to secure devices and data.
Embedding all of the Essential Eight standards to the highest level of maturity is not the be-all and end-all of cyber protection. But it can help an organisation come up with a checklist for the next steps to take. An Essential Eight gap analysis may not be an exhaustive assessment of vulnerability, but it will move an organisation towards a more secure governance and operating framework for identity and authentication, applications and infrastructure.
As the ACSC recommends working on all eight controls at the same time, the framework can also be a springboard for organisations to coordinate and consolidate their cybersecurity efforts and, likewise, to determine the best path forward for them to adopt. As the Essential Eight Maturity Model is updated regularly, organisations can check in to see whether their operating practice for cyber security is keeping up with changes in best practice as prescribed by the ACSC.
What it leaves out
What are the areas of cyber security overhaul that Essential Eight does not typically address? What this baseline framework does support is a tactical plan to beef up operational processes that may be lacking or below standard. It might be the frequency of back-ups or patching schedules, or a more rigorous approach to user access and identity management.
While it can seem demanding enough to adopt and maintain these standards, and they are foundational to cyber resilience, the framework does not give organisations an approach to key areas such as cyber awareness and security operations (SOC).
Operational controls can only do so much to neutralise the insider threat that comes from employees responding to breaches that exploit human vulnerability. Organisations need to plan for and invest in a more cyber-aware work culture, with education, frequent communication and cyber simulations to remind their people of the ever-evolving risks and to always remain vigilant.
By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform. Single-vendor solutions provide significant operational efficiency and security effectiveness compared with best-of-breed solutions, including tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected and re-encrypted.
Top Eight Cybersecurity Predictions for 2022-23, Gartner
The benefit of best practice
Just like any other new program, getting to grips with Essential Eight comes with resourcing and adoption challenges; however, if it gains traction with stakeholders, it can help to deliver a detailed and actionable plan instead of merely a report that highlights the gaps. And if this roadmap to maturity can put forward efficient ways to overcome these fundamental hurdles to cybersecurity best practice, then IT leaders can more easily make the case to sponsors for the resources they need.
As a Microsoft Partner, and with our expertise in security across the Microsoft stack in M365 and Azure, we can deliver an Essential 8 assessment that can be used as a linchpin to drive your organisation from maturity level 0 to level 3 with confidence and speed. Many internal teams do not have experience implementing Essential Eight; by asking the right questions in an Essential Eight audit, we can identify the appropriate security controls needed to drive your business to your strategic security state. This can reassure senior leaders that their past investments in technology are delivering on the important strategic goal of building cyber resilience. It is a far more positive message than they might expect to be getting from an Essential Eight gap analysis and roadmap.