Is Essential Eight Required by Law?

October 6, 2022

Author: computit


 

Main points:

1. Essential Eight is a good baseline for protecting your business from cyber threats.

2. The benefits of implementing Essential Eight strategies include defence in depth, accessibility to all, cost-effectiveness, deployment, and automation.

 

 

This week, concerns were raised after the data of millions of Optus users was stolen in a cyber attack, one of the biggest data breaches in Australia. Big companies are the main target of cybercrime, not to mention small and medium companies. The breach may also put Optus' reputation at risk and cause a crisis of trust among its clients.

At present, the Australian Federal Police are working with the FBI to investigate the data breach. Optus' incident is a serious warning about security for all industries. Cyber security is always important, as it determines whether your business is sustainable and successful.

 

What is the Australian Signals Directorate (ASD) Essential Eight cyber security and why do you need it?

No IT solution is guaranteed to prevent all threats from the internet. Recently, the increasing number of cyber attacks has raised the concerns of enterprises and governments about the safety of the cyber environment. Your IT department should implement primary strategies for your business; otherwise your online operations will not be safe and may even suffer data breaches. In response to cyber threats, the Australian Cyber Security Centre (ACSC) launched a set of mitigation strategies for organisations in Australia in 2017, called the Essential Eight Maturity Model.

The Essential Eight is a strategy for reaching a maturity level that can be customised to each organisation's risk profile and the adversaries it is most concerned about. Simply put, the Essential Eight consists of eight elements: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication and regular backups.

This model also has many benefits and fits well into a small business's security planning and security management. Compared with the cost of suffering a large-scale cyber security incident, implementing Essential Eight is economical and affordable enough that even companies that are weak at cyber security can pay for it.

 

Is Essential Eight mandatory for all organisations?

With the aim of assisting organisations' security, Essential Eight is designed for almost all organisations in Australia. The Essential Eight Maturity Model, however, is accessible to everyone and is not mandatory for all organisations. The Australian Government encourages organisations to adopt it as a baseline. Further information on Essential Eight can be found in this link.

An overview of the Essential Eight maturity levels is shown below:

Maturity Levels

Maturity Level One: Partly aligned with the intent of the mitigation strategy.
Maturity Level Two: Mostly aligned with the intent of the mitigation strategy.
Maturity Level Three: Fully aligned with the intent of the mitigation strategy.

The benefits of Essential Eight include (source: https://macquariegovernment.com/wp-content/uploads/sites/4/2017/03/Government-Essential-8-eGuide.pdf?utm_source=PDF&utm_medium=website&utm_campaign=Ess8):

Cost-effective.

Cost is the deciding factor in decisions. Essential Eight aims to be economical and affordable so that it caters to all companies' needs. It can also go a long way in protecting companies from potentially damaging malware and serious cyber security threats. While implementing these strategies will require an investment of staff time and possible hardware/software upgrades, the costs involved will be significantly lower than cleaning up in the wake of a compromise.

Defence in Depth.

In general, Essential Eight is a stack of strategies that people can customise. Several strategies working together can provide multi-level protection for a business's networks. Hence, they are powerful tools for protecting the operation of individual networks.

Accessible to All.

One of the benefits of the Essential Eight mitigation strategies is that they provide a baseline cyber security posture. IT experts can use the ASD recommendations as a quantifiable benchmark, according to their needs. More importantly, they are all tried and true. Implementing these strategies correctly will bring nearly 100% comprehensive protection to your network operations.

Deployment.

When these strategies are implemented correctly, the company's security posture, based on a single comprehensive framework, will stay safe. With a comprehensive security fabric, IT experts would be able to manage most of the strategies.

Automation.

Automation is another benefit of implementing the ASD Essential Eight, because IT experts can automate these strategies to reduce management overheads. Most security solutions can be set up with thresholds and alerts to monitor network traffic so that any unusual activity can be quickly identified and investigated. However, massive unauthorised downloads wouldn't have happened with the right mitigation strategies in place.

 

The mitigation strategies can be implemented widely, covering backups, application control, patch applications and so on. In this blog, we have listed the backup strategy as an example below.

 

Daily backups by maturity level, as an example:

Maturity Level One:
Perform restoration of important data, software and configuration settings monthly.
Store backups for between one and three months.
Test partial restoration of backups on an annual or more frequent basis.

Maturity Level Two:
Back up the client's important data, software and configuration settings weekly.
Store backups offline, or online but in a non-rewritable and non-erasable manner.
Restoration files (including data) are stored for between one and three months.
Test full restoration of backups at least once.
Test partial restoration of backups on a half-yearly or more frequent basis.

Maturity Level Three:
Perform backups of important information, software and configuration settings at least daily.
Store backups offline, or online but in a non-rewritable and non-erasable manner.
Store backups every three months or greater.
Test full restoration of backups at least once when initially implemented and when information technology infrastructure changes occur.
Test partial restoration of backups on a quarterly or more frequent basis.
Prevent unprivileged accounts, and privileged accounts (excluding backup break glass accounts), from modifying or deleting backups.
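One way to check a backup regime against the table above, as an added example (not Computit's or the ACSC's code): it reads the first row of each column as the backup frequency, and the `BackupState` record, its field names and the day counts are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date

# From the table above; the day counts for "monthly", "half-year" etc. are assumptions.
LEVELS = {
    1: {"backup_every": 31, "keep": 30, "partial_test": 365},
    2: {"backup_every": 7, "keep": 30, "partial_test": 183,
        "immutable": True, "full_test": True},
    3: {"backup_every": 1, "keep": 90, "partial_test": 92,
        "immutable": True, "full_test": True, "locked": True},
}

@dataclass
class BackupState:  # hypothetical inventory record, not an ACSC format
    backup_dates: list            # dates on which a backup completed
    retention_days: int           # how long each backup is kept
    last_partial_test: date       # most recent partial restore test
    full_restore_tested: bool
    offline_or_immutable: bool
    only_break_glass_can_modify: bool

def gaps(state, level, today):
    """Return the requirements of `level` that `state` does not meet."""
    req = LEVELS[level]
    days = sorted(state.backup_dates) + [today]
    longest = max(((b - a).days for a, b in zip(days, days[1:])), default=float("inf"))
    checks = [
        (longest > req["backup_every"], f"backup gap of {longest} days"),
        (state.retention_days < req["keep"], "retention too short"),
        ((today - state.last_partial_test).days > req["partial_test"],
         "partial restore test overdue"),
        (req.get("full_test") and not state.full_restore_tested, "no full restore test"),
        (req.get("immutable") and not state.offline_or_immutable,
         "backups are online and rewritable"),
        (req.get("locked") and not state.only_break_glass_can_modify,
         "ordinary accounts can modify backups"),
    ]
    return [msg for bad, msg in checks if bad]

def highest_level(state, today):
    """Highest maturity level fully met; 0 when even Level One has gaps."""
    met = 0
    while met < 3 and not gaps(state, met + 1, today):
        met += 1
    return met

# Constructed sample: weekly backups kept for 60 days on immutable storage.
TODAY = date(2022, 10, 6)
SAMPLE = BackupState([date(2022, 9, d) for d in (1, 8, 15, 22, 29)], 60,
                     date(2022, 6, 1), True, True, False)
```

For the constructed sample, `highest_level(SAMPLE, TODAY)` reports Level Two, and `gaps(SAMPLE, 3, TODAY)` lists what still separates it from Level Three.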

 

Get professional assistance: 

The above is a simplified explanation of the Essential Eight. Implementing these mitigation strategies to a specific maturity level, or to several, can be challenging. You will probably need the assistance of expert IT professionals by partnering with a reliable cybersecurity service provider.

Computit has a team of IT experts who deliver service offerings including managed IT security, managed IT networks and cyber security audits, as well as implementing these Essential Eight strategies depending on the exact needs of your business. It is often most effective to check Computit's client referrals from other successful companies that use its service offerings.

 

 

Additional resources:

https://computit.com.au/

https://www.dw.com/en/australia-millions-of-optus-customers-affected-by-data-breach/a-63250939#:~:text=Optus%2C%20which%20Australia%27s%20second%2Dbiggest,country%27s%20biggest%2Dever%20data%20breaches.

https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model-faq

https://macquariegovernment.com/wp-content/uploads/sites/4/2017/03/Government-Essential-8-eGuide.pdf?utm_source=PDF&utm_medium=website&utm_campaign=Ess8
