What is the Essential Eight?
Developed by the Australian Signals Directorate (ASD), the “Essential Eight” is a set of strategies for mitigating cyber security incidents, designed to protect organisations’ internet-connected information technology networks.
The mitigation strategies that constitute the Essential Eight are:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
Essential Eight Maturity Model Levels
The Essential Eight Maturity Model is the official documentation published by the ASD on effectively implementing the Essential Eight. There are four defined maturity levels, each level based on mitigating increasing levels of malicious tradecraft and targeting.
Organisations must reflect on their cyber security history, the likelihood of malicious targeting, and the consequences of a potential cyber security incident for their organisation. With this in mind, organisations can determine the ideal target maturity level to implement.
Maturity Level Zero: Weaknesses in an organisation’s overall cyber security posture.
Maturity Level One: Organisations are vulnerable to malicious actors who are opportunistic. These malicious actors may seek common weaknesses in many targets rather than investing heavily in gaining access to a specific target.
Maturity Level Two: Organisations are vulnerable to malicious actors who may be more capable compared to the previous maturity level. These malicious actors are willing to invest more time in a target and in the effectiveness of their tools.
Maturity Level Three: Organisations are vulnerable to malicious actors who are more adaptive than previous levels. These malicious actors seek weaknesses in their target’s cyber security posture that they can exploit. There is a stronger focus on particular targets within an organisation, and they may utilise social engineering tactics.
What to Consider When Choosing a Maturity Model Level
- Financial risk
- Reputational risk
- External and internal stakeholder impact
- Data sensitivity
- Legal liability