The Federal Government is renewing its focus on agency compliance with the ‘Essential Eight’ strategies to reduce the risk of cyber-attacks, three months after the Australian National Audit Office (ANAO) issued a report in March 2021 showing cyber-risk compliance was patchy in several Federal agencies.
On 12 July, the Australian Cyber Security Centre (ACSC) announced changes to strengthen the degree to which the Essential Eight strategies are prioritised by agencies.
It has been almost three years since the October 2017 Joint Committee of Public Accounts and Audit Report 467 on Cyber compliance recommended that the Australian Government mandate the Essential Eight cybersecurity strategies for all Public Governance, Performance and Accountability Act 2013 entities by June 2018. The recommendation was not acted upon at that time.
The Attorney General’s Department announced that the Essential Eight would become mandatory in response to the Joint Committee of Public Accounts and Audit’s inquiry on a cyber resilience report by the Auditor-General. Previously, only four strategies were compulsory.
The Auditor-General had found that, of the 18 agencies audited, fewer than half reported maturity in three of the top four mitigation strategies.
Agencies will now have to set a ‘maturity level’ (between zero and three) and implement cyber security changes to meet the maturity requirements. Level zero applies to organisations with minimal protections, while level three is set for agencies that require maximum security due to the nature of data they hold and the heightened levels of cyber threats.
The Essential Eight model was first published in 2017 and has been regularly updated since. The model has been designed to protect Microsoft Windows-based networks. According to the ACSC, the model may also be applied to cloud or enterprise mobility services; however, alternative strategies may be more appropriate for mitigating the unique cyber threats to those environments. The ACSC also provides guidance for protecting alternative operating systems.
The Essential Eight processes for effective systems control, as mandated, are:
- Application control
- Patching applications
- Restricting administrative privileges
- Patching operating systems
- Restricting Microsoft Office macros
- User application hardening
- Multi-factor authentication
- Daily back-ups
As the Essential Eight model becomes mandatory, agencies will be forced to re-evaluate their cyber environments and implement new controls. Because the Essential Eight outlines only the bare minimum preventative measures, agencies will also have to implement additional measures to reach their desired maturity level.