The Essential Eight and Maturity Levels

The Essential Eight is a baseline set of mitigation strategies recommended by the Australian Cyber Security Centre (ACSC). These strategies help organisations defend against a broad spectrum of cyber threats—from low-level opportunistic attacks to more advanced, persistent threats.

A key feature of this framework is its four maturity levels, which enable organisations to progressively strengthen their security posture according to risk appetite, operational needs, and available resources. Importantly, to reach a specific maturity level, organisations must implement all eight strategies at that level—consistency is critical, rather than excelling in a few areas and neglecting others.

Important

To achieve a maturity level, all Essential Eight strategies must be implemented at the same level.


The Eight Strategies

1. Application Control:
Restrict and whitelist which applications can run on systems. This prevents malicious or unapproved software from executing, protecting against many forms of malware and unauthorised applications.

2. Patch Applications:
Regularly update all software to remediate known vulnerabilities promptly. Keeping applications patched is fundamental for closing security gaps that could be exploited by attackers.

3. Configure Microsoft Office Macro Settings:
Block untrusted macros in Microsoft Office. Attackers often use macros to deliver malware, so disabling or restricting them helps prevent common social engineering attacks.

4. User Application Hardening:
Configure software to reduce its potential attack surface by disabling or removing unnecessary features, plugins, or services that an attacker could exploit.

5. Restrict Administrative Privileges:
Limit administrative access strictly to those who absolutely need it for business purposes. Restricting privileges reduces the chance of attackers gaining elevated access if they breach a user account.

6. Patch Operating Systems:
Apply updates and patches to all operating systems in a timely manner. This protects against exploits that specifically target OS-level vulnerabilities.

7. Multi-Factor Authentication (MFA):
Require multiple forms of identity verification for system and application access. MFA adds an extra layer of security, making it significantly harder for attackers to gain access even if credentials are compromised.

8. Regular Backups:
Regular and secure backups ensure quick recovery if data is lost, corrupted, or encrypted for ransom. Backups are an important defence for business continuity.


The Four Maturity Levels

Maturity Level Zero:
There are significant weaknesses; few or none of the Essential Eight strategies are implemented. The organisation is highly exposed, even to basic threats.

Maturity Level One:
Basic protections are in place to defend against opportunistic threats, such as phishing, password reuse, or malware exploiting unpatched systems.

Maturity Level Two:
Enhanced controls are implemented to stop more targeted and capable threats. At this level, attackers encounter stronger resistance and more robust protections.

Maturity Level Three:
The highest level as defined by the ACSC. Security practices are mature, consistent, and resilient, with cyber resilience embedded into daily operations to defend against advanced, persistent threats.
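The rule above (an organisation's overall maturity level is the lowest level reached by any of the eight strategies) is easy to get wrong in a self-assessment spreadsheet. The following is an added example, not ACSC tooling, that applies the rule to a constructed set of per-strategy ratings and lists which strategies hold the organisation back from the next level; the strategy names and the 0 to 3 scale are taken from the page, the sample ratings are invented.

```python
# Added example (not from the ACSC): derives the overall Essential Eight
# maturity level from per-strategy assessments, using the rule that the
# overall level is the lowest level achieved across all eight strategies.
from typing import Dict, List

STRATEGIES = (
    "Application Control",
    "Patch Applications",
    "Configure Microsoft Office Macro Settings",
    "User Application Hardening",
    "Restrict Administrative Privileges",
    "Patch Operating Systems",
    "Multi-Factor Authentication",
    "Regular Backups",
)
LEVELS = (0, 1, 2, 3)  # Maturity Level Zero through Three


def overall_maturity(assessed: Dict[str, int]) -> int:
    """Return the maturity level the organisation actually achieves.

    All eight strategies must be assessed with a level from 0 to 3; a
    strategy left unassessed or rated out of range is an error rather
    than silently treated as Level Zero. The result is the minimum, so a
    single weak strategy caps the whole organisation at that level.
    """
    missing = [name for name in STRATEGIES if name not in assessed]
    if missing:
        raise ValueError(f"no assessment for: {missing}")
    for name in STRATEGIES:
        if assessed[name] not in LEVELS:
            raise ValueError(f"{name}: level must be one of {LEVELS}")
    return min(assessed[name] for name in STRATEGIES)


def gaps_to_target(assessed: Dict[str, int], target: int) -> List[str]:
    """List the strategies that must be raised to reach `target`."""
    if target not in LEVELS:
        raise ValueError(f"target must be one of {LEVELS}")
    overall_maturity(assessed)  # validates the assessment first
    return [name for name in STRATEGIES if assessed[name] < target]


# Constructed sample assessment: seven strategies rated Level Two, but
# MFA is still at Level One, so the organisation only achieves Level One.
SAMPLE_ASSESSMENT = {name: 2 for name in STRATEGIES}
SAMPLE_ASSESSMENT["Multi-Factor Authentication"] = 1

if __name__ == "__main__":
    level = overall_maturity(SAMPLE_ASSESSMENT)
    print(f"Overall maturity: Level {level}")
    for name in gaps_to_target(SAMPLE_ASSESSMENT, level + 1):
        print(f"  must reach Level {level + 1}: {name}")
```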


The Essential Eight offers more than just technical guidance: it provides a practical, progressive strategy for improvement. Organisations do not need to reach the highest maturity level immediately; instead, they can progressively strengthen each of the eight strategies in parallel, reducing risk based on a threat and risk assessment. Implementing controls in this progressive way keeps the effort sustainable, realistic, and measurable.

By adopting the Essential Eight strategies within a broader cyber security framework, organisations can achieve a layered defence that adapts to evolving threats and infrastructure. This consistency and adaptability are key to maintaining resilience in a rapidly changing threat landscape.