Get ahead of the game: Ensure your business is ACSC Essential 8 compliant

While many Australian businesses and government agencies may feel confident that their security systems are robust enough to protect against malicious actors, recently released ABS data showed that one in five Australian businesses suffered a cyber security attack between the 2021-2022 financial year. This shows why there has been such a focus on the Australian Cyber Security Center (ASCS) Essential 8 Framework in recent years.   

This alarming statistic indicates that many Australian businesses are underprepared to face this new digital reality. While all industries with digital components are at-risk — sectors such as health, finance, and additional professional services are especially susceptible and suffer a larger number of these malicious attacks. As incidents of cyber-attacks continue to rise and the sophistication and creativity of cyber criminals grows, cyber security becomes an ever-important necessity in the digital landscape.  

A baseline of protection and cybersecurity best practices is fundamental to longevity and digital health. To assist with this, we’re looking at why we highly recommend the ACSC Essential 8 framework be integrated into your cyber strategy.


What is the ACSC Essential 8?

The ACSC, under the umbrella of the Australian Signals Directorate (ASD), recognised the growing need for a comprehensive mitigation strategy that Australian businesses and agencies could implement into their cyber-security processes. In June 2017, they introduced the ACSC Essential 8, a model of strategies and controls designed to protect against digital threats.  

The ASD essential 8 maturity model exists to support organisations adopting the Essential 8, to implement the practices that best reflect their maturity level and provide a baseline for scalable and progressive steps to achieve mature protection levels. 

There’s no one strategy or trick to creating the baseline of protection and as digital capabilities expand and cyberattacks become increasingly insidious, the ACSC Essential 8 will continue to refresh and be a cyber leading framework . 

The ASD Essential 8 maturity model covers the following strategies (please note that the definitions are a short overview and not representative of the entire objective):

  • Application control: Checking programs against a pre-approved checklist and blocking unvetted programs.  
  • Patch applications: Quick patches (repair jobs) of programs and computers with vulnerabilities, such as out-of-date programs plus non-use of out-of-support or unpatchable applications.  
  • Configure Microsoft Office macro settings: Only allow Microsoft Office-approved macros and block ‘untrusted’ macros from the internet.  
  • User Application hardening: Configuration of digital basics such as web browsers or PDF software to minimise the threat of malicious actors taking control and interacting with your digital environment or installing malware.    
  • Restrict administrative procedure: Limitation of accounts, tools, and resources to create a more secure environment.  
  • Patch operating systems: Application of patches/fixes on operating systems such as updates.   
  • Multi Factor authentication: User login validation with additional steps such as codes, unique questions, or fingerprint scans.  
  • Daily backups: Backing up data, software, and configuration settings with a three-month retention period.

Each objective is broken down into the ASD Essential 8 controls, and compliance is measured against a four-stage process. 

  • Maturity level 0: not aligned 
  • Maturity level 1: partly aligned 
  • Maturity level 2: mostly aligned  
  • Maturity level 3: fully aligned

While your enterprise may have some of these objectives in place, each is required for a comprehensive cybersecurity framework.  


Why is the ACSC Essential 8 important?

Australian cyber security figures from July to December 2022 indicated that 70% of data breaches were caused by malicious or criminal attacks, with the top five industries most affected being health, finance, insurance, legal, and recruitment. These large-scale breaches impacted millions of Australians, and the figures indicated a 26% increase in attacks on the previous years’ recordings. These numbers are not only alarming but contribute to a growing community consciousness and concern around digital privacy preservation and the willingness of stakeholders to share personal data (especially in the health sector).

In professional industries where stakeholder management and client trust are paramount, cyber-attacks can create severe financial, reputational, and efficiency repercussions—not to mention the flow on from leaks of sensitive data and customers’ personal details. For this reason, there are policies that are regulated by governing bodies to ensure customers and businesses are protected and we suspect that in the future the regulation of these policies will be tightened further.

As these incidences of malicious action continue, more and more customers and business partners will be seeking companies and agencies that are Essential 8 compliant. It’s not long until the ACSC Essential 8 will become a more widespread mandatory requirement, and the ACSC recommends the Essential 8 as the best way to defend against cyber-attacks. In fact, it’s already mandatory for 98 Non-Corporate Commonwealth Entities (NCCE).

Additionally, Microsoft has adapted these guidelines into their services while cyber insurance policies require Essential 8 compliance, positioning the ACSC Essential 8 as a growing global benchmark in security.  

At a snapshot the Essential 8: 

  • Protects against 85% of data breaches 
  • Ensures compliance and future certification 
  • Is a first step in preventing data or financial theft  
  • Provides a baseline of security for your business  
  • Helps to improve overall cybersecurity policies and procedures.  


Getting ahead of the curb, having baseline coverage, and aligning team members on digital security best practices are fundamental steps to building digital trust with your customers and stakeholders.


How do we use and implement Essential 8?

Like an Essential 8 checklist we’ll jump in and see where you’re at with an Essential 8 audit to determine where your business stands against the Essential 8 standard.  

We’ve established the Essential 8 as our baseline for security, meaning we can scale higher up depending on your business needs. Some of the processes we’ve integrated with ACSC Essential 8 include:

  • Daily backups  
  • Multi-Factor authentication 
  • Patching op systems 
  • Restricting admin privileges  
  • User applications hardening 
  • Java plugins for browser 
  • Configuration Microsoft macro setting  
  • Patching applications

Additionally, our expert knowledge from a security standpoint and understanding of the threat landscape means we can equally prepare your business to a degree from unexpected sources of cyber-attacks, such as the use of personal devices in the workspace 

Our security bundle works as a safeguard and, in some cases, such as the Microsoft power apps platform, a second line of defence against threats. We will tailor and scale your security, always backed by the ACSC Essential 8. Whether you require higher level protection such as identity protection, automatic response or AI-based add-ons or need to be brought up to maturity level 4, we’re there.


What do I need to do next?

The most important step is to get on the front foot and determine whether your companies IT service provider is aligning to the ACSC Essential 8, not necessarily from a compliance standpoint but making sure you are aligned to the principles from a general security perspective. If they’re not, it’s likely you’re at a higher risk of attack. If you’re a Retrac Complete Cloud Security Bundle customer already, You already have all the tools and subscriptions required to meet the Essential 8 and, in most cases, we already have you covered. We’ll work with you to look at what Essential 8 maturity level you are currently on and how we can ensure you are progressing to reach maximum cyber protection. 

Assessing your current level of compliance either internally or by a third-party provider can help provide context and highlight holes in your cybersecurity framework.  

If you’re wanting to know where you stand, reach out to the Retrac team for an audit of your current essential 8 standing.


Get ACSC Essential 8 aligned today

As the digital landscape shifts and cyber-attacks continue to rise, digital trust becomes an important currency between professional service providers and their customers. 

The best way to ensure complete protection is to work with the Essential 8 objectives and partner with a trusted managed service provider for implementation and ongoing support.  

At Retrac, we’re here to help you align your IT systems with an internal audit and answer any questions you may have about the Essential 8 or security in general.  

Get in touch now to future-proof your business and guarantee digital security.