
The Australian Cyber Security Centre (ACSC) has developed a set of mitigation strategies to help cybersecurity professionals prepare against cybersecurity threats.
The mitigation strategies are designed to prepare against:

  • targeted cyber attacks
  • data theft attacks
  • ransomware attacks
  • attacks initiated by malicious insiders

There are 37 mitigation strategies, which are grouped into the following effectiveness ratings:
1) Essential
2) Excellent
3) Very Good
4) Good 
5) Limited

What is the Essential Eight (8)?

An organisation needs to adopt multiple strategies to become cyber resilient. The most effective of these mitigation strategies are known as the Essential Eight (ACSC Essential 8). The Essential Eight strategies are a subset of the 37 mitigation strategies. The ACSC emphasises these eight strategies because it considers them critical for preparing for and responding to cyber attacks.

More details on the Essential Eight can be found on the ACSC website.

Is the Essential Eight (8) mandatory?

To date, only four of the eight (application control, application patching, restriction of admin privileges and OS patching) have been mandated by the Protective Security Policy Framework (PSPF). However, it’s been reported that the Attorney-General’s department is preparing draft amendments to the PSPF to make all 8 mandatory, and is currently considering timeframes for implementation. This could have knock-on implications for service providers who wish to provide IT support, implementation and other services to Non-Corporate Commonwealth Entities (NCCEs), as their customers will be looking to meet the Essential Eight’s requirements.

Numerous clients come to us for Essential Eight compliance or assessments. We have found that in most cases the sole purpose of the engagement is either identifying gaps or assessing the maturity level of their organisation. The outcome of the engagement is usually a set of recommendations for achieving the targeted Essential Eight maturity level. Another myth regarding the Essential Eight is that an organisation compliant with it is protected from all cybersecurity threats. This is not true. The Essential Eight will protect an organisation from cyber intrusions (i.e. those executed by advanced persistent threats such as foreign intelligence services), ransomware and external adversaries with destructive intent, malicious insiders, business email compromise, and industrial control systems.

We, at Rabbon, strongly believe that compliance with the Essential Eight is just the tip of the iceberg. Compliance with the Essential Eight is an outcome of defined processes, procedures, technologies and good governance. The Essential Eight is not the target but the result.

Good cybersecurity governance acts as the platform to build a resilient cybersecurity program and an action plan. The roles and responsibilities must be clearly defined and practised. Compliance, technology and resource requirements must be documented. The senior management must ensure that policies, procedures and standards are developed, implemented and monitored.

A cyber resilience strategy, aligned with business goals, must be developed. KPIs to measure the success of the strategy must be validated by the board. In a nutshell, a good governance model must be in place to execute cybersecurity programs.

Before implementing any of the mitigation strategies, organisations need to identify their crown jewels (critical assets and data assets). An organisation must have a risk framework or standard that is implemented consistently across the organisation; a good example is the ISO 31000 standard. Organisations must perform a risk assessment to identify the level of protection required against various cyber threats. The board must promote a cyber risk-aware culture within the organisation.

We, at Rabbon, assist organisations in determining the maturity of their Essential Eight implementation. Three maturity levels have been defined for each mitigation strategy, as follows.

Essential 8 Maturity Model

  • Maturity Level One: Partly aligned with the intent of the mitigation strategy
  • Maturity Level Two: Mostly aligned with the intent of the mitigation strategy
  • Maturity Level Three: Fully aligned with the intent of the mitigation strategy

Assessing the current maturity level is the first step of a long journey. We help organisations build a solid baseline to reach Maturity Level Three and maintain a strong security posture. We aim to become a strategic partner providing continuous support to your organisation.

Cybersecurity is what we do

Rabbon is a cybersecurity company with offices in Sydney and Melbourne. We lead a team of Cyber Security Consultants and GRC Consultants who help organisations become cyber resilient by providing access to effective and affordable cybersecurity services. We believe that “Cybersecurity is for everyone”.

You can contact our Cyber Security Consultants for an obligation-free consultation.

Phone: +61 2 80513207

Email: [email protected]