Introduced by the Australian Cyber Security Centre (ACSC), the Essential 8 Maturity Model offers a systematic approach to reducing cyber security risks. Here's an easily digestible breakdown of its crucial components.
The "Essential 8" refers to eight strategies that provide layered cyber defence:
1. Application whitelisting and/or configurations: Allowing only approved software to run, preventing potentially harmful applications from operating. Only verified applications and scripts can run on your systems like specifying a guest list for an event.
2. Patch applications: Regularly updating software to seal vulnerabilities. Think of software as a fortress. Over time, cracks may appear. Patching is the process of regularly repairing these cracks to keep the fortress secure.
3. Configure Microsoft Office macros: Disabling auto-execution of commands in office files to prevent malware attacks. It's akin to not accepting suspicious mail packages.
4. User application hardening: Configuring applications to minimise security risks. This is similar to removing unnecessary home appliances that could start a fire.
5. Restrict administrative privileges: Limiting the number of users with full system control to reduce potential security breaches. Think of it as only giving house keys to trusted family members.
6. Patch operating systems: Regularly updating the system's core software to protect against threats. Like maintaining your car's engine for optimal performance and safety.
7. Multi-Factor authentication: Requiring multiple methods of verifying a user’s identity for a secure login. Imagine a bank vault requiring a key, a code, and a biometric scan to access.
8. Daily backups: Regularly storing copies of data to recover information if a cyber incident occurs. It's like having a spare tire in your car boot, just in case.
The Maturity Model categorises each strategy into four levels:
Maturity level zero: There are likely weaknesses in the overall cyber security posture that have not been identified or mitigated.
Maturity level one: The basics are in place, but some elements might be missing.
Maturity level two: Implementation is good, but there's room for improvement.
Maturity level three: Most elements are beautifully executed, and the posture is very mature, however it will not stop adversaries that are willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Information Security Manual.
The Essential 8 provides a robust approach to cybersecurity, empowering organisations to shield their valuable digital assets effectively. Just like securing a house, consistent and thorough implementation is the key to a safe cyber environment.
Real Life Example
For this example, let's focus on one part of the 8; patching applications. Initially, an organisation at Maturity Level One might manually update their applications. This could mean an IT employee is tasked with periodically checking for updates and installing them, much like a homeowner, only fixing the patches in their roof when it leaks. The process is in place, but there's room for improvement.
As the organisation advances to maturity level two, they might employ automated patch management software that regularly scans for updates and applies them automatically, without the need for manual intervention. The process is more efficient, but there may still be some vulnerabilities if the software fails to detect certain updates, much like a homeowner sporadically checking their roof for patches.
Reaching maturity level three, the organisation not only uses automated patching but also conducts regular audits to verify that all updates have been applied correctly. They might also implement a comprehensive testing process to ensure updates don't conflict with their systems. This could be likened to a homeowner who conducts regular checks and maintenance on their roof to ensure its integrity.
Check out our course catalogue for more cyber awareness training content, and get in touch today for a demo of our training platform.