How SMEs can leverage the Essential Eight to raise cybersecurity maturity
01 September 2021
An uptick in devastating cyber attacks in recent times has resulted in many organisations realising that it is no longer a question of ‘if’ but a matter of ‘when’ they too may be targeted. Without an in-house security expert, preparing for a cyber attack is daunting – so where to start?
The Essential Eight
The Essential Eight Maturity Model, developed by the Australian Cyber Security Centre (ACSC) in collaboration with the Australian Signals Directorate, is recommended by many cybersecurity experts as a baseline framework for organisations to protect themselves against cyber attacks. The Essential Eight comprises the top eight strategies out of a broader 37 which, if implemented effectively, will help organisations protect themselves against the most common cyber threats. Implementation of the model is scored on a scale from Level One, which addresses simple cyber risks, to Level Three, which helps protect against complex and sophisticated threat actors.
The Essential Eight are:
Application control to ensure only approved programs and applications can execute on servers, workstations and devices.
Configure Microsoft Office macro settings to ensure that Office documents embedded with malicious code cannot impact the IT environment.
Restrict administrative privileges to ensure that privileged accounts are only supplied when needed, and access is restricted on a ‘need to know’ basis.
Multi-factor authentication is enabled to securely connect all users remotely accessing the network or accessing important data.
Patch applications to address vulnerabilities that can threaten the security of the IT environment.
User application hardening by disabling old and vulnerable technologies in web browsers and applications.
Patch operating systems to address vulnerabilities in old or unsupported versions that can threaten the security of the IT environment.
Regular backups of important systems are collected and stored offline, to ensure the protection of important data and systems.
How can the Essential Eight build cyber resilience?
For the most part attackers are lazy and will choose victims who expose themselves with obvious, exploitable system weaknesses. One glaring example is the attack against Colonial Pipeline in the US, whereby an essential piece of infrastructure was brought down by a single compromised password. Indeed, the experience of our cyber team shows that the overwhelming majority of cyber attacks can be prevented through basic cyber practices and good IT hygiene. The Essential Eight strategies provide a starting point for organisations to reduce their exposure and make it harder for attackers to gain a foothold, by implementing controls such as multi-factor authentication to prevent accounts from being compromised.
The diagram below demonstrates the typical ‘attack vector’ of a ransomware attack, a type of attack whereby cyber criminals extract payment from organisations to unlock systems or release stolen data. At every point during the process, the Essential Eight strategies will enable an organisation to severely disrupt or totally avoid the attack.
Step 1: Internet exposed login to a server is identified by attackers through routine scanning. Password guessing attack is launched against login. Account username and password guessed almost instantly:
Username: admin | Password: admin
Mitigating strategy: Multi-factor Authentication
Step 2: Once inside the network, attacker deploys password mining software to gain administrator access.
Mitigating strategy: Application Control
Step 3: Using ransomware software, the attacker encrypts the entire ICT environment and deletes all viable backups, which were accessible via the network.
Mitigating strategies: Application Control, Administrative Privileges, Backups
Step 4: Attack results in significant loss of revenue due to operational disruption, remediation costs, and reputation damage, and recovery takes months.
This attack could have been avoided if simple but effective controls were in place, such as those recommended in the Essential Eight.
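As an added illustration of the first stage of the chain above (example code, not part of the original article or McGrathNicol's material), the following Python flags a burst of failed logins from one source that ends in an accepted password login, which is the signal a defender would want from an internet-exposed server lacking multi-factor authentication. The sshd-style log lines, the failure threshold and the log format are all constructed assumptions.

```python
"""Detect the password-guessing stage of the ransomware chain: many failed
logins from one source against an exposed login, followed by a success."""
import re
from collections import defaultdict

# Constructed sample sshd-style log lines; not taken from any real system.
SAMPLE_LOG = """\
Jun 01 02:14:01 gw sshd[911]: Failed password for admin from 203.0.113.7 port 51000 ssh2
Jun 01 02:14:02 gw sshd[911]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Jun 01 02:14:02 gw sshd[911]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Jun 01 02:14:03 gw sshd[911]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jun 01 02:14:03 gw sshd[911]: Accepted password for admin from 203.0.113.7 port 51004 ssh2
Jun 01 02:20:10 gw sshd[915]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Jun 01 02:21:00 gw sshd[916]: Failed password for bob from 198.51.100.9 port 40100 ssh2
"""

# Assumed log format: "<result> <method> for [invalid user ]<user> from <src> port ..."
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)


def parse(log):
    """Yield (result, method, user, src) for every line matching the assumed format."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")


def find_guessing_then_success(log, threshold=3):
    """Return {src: (failure_count, user)} for each source that failed at least
    `threshold` times and then had a *password* login accepted.

    Key-based successes are ignored: the scenario above is a guessed password
    on a login without MFA, so only password successes after a burst count."""
    failures = defaultdict(int)
    hits = {}
    for result, method, user, src in parse(log):
        if result == "Failed":
            failures[src] += 1
        elif method == "password" and failures[src] >= threshold:
            hits[src] = (failures[src], user)
    return hits
```

In the constructed sample the only hit is 203.0.113.7, which fails four times and then logs in as admin; raising the threshold above four returns no hits.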
Keeping pace with the threats
The Essential Eight is a great reference model for organisations to start addressing their cybersecurity risk today. However, the evolving nature of the threat landscape means that the Essential Eight strategies are also constantly evolving. This can present some difficulty in benchmarking levels of maturity. For example, a maturity of ‘3’ one year may only qualify as a ‘2’ the following year. For this reason, frameworks such as the ISO 27001 standard or the NIST cybersecurity framework are often better suited for tracking the performance of a cybersecurity program. Ideally, business leaders also need to consider a wide scope of security controls, introducing awareness and training, governance and policy, and continuity planning across the organisation.
SMEs should take a risk-based approach when choosing to invest in cybersecurity, which takes into consideration their information assets and the criticality of their services. The regulatory landscape will also impact this decision, as compliance in certain sectors may call for particular requirements for data security.
Any organisation, regardless of size and industry, should be urgently addressing their cybersecurity risk. The McGrathNicol Advisory team works with organisations across all sectors to plan and effectively implement the Essential Eight, in combination with other cybersecurity frameworks, to achieve an appropriate level of cyber maturity for their organisation. We help businesses and IT stakeholders to identify gaps in processes and technology and develop a strategic plan to reach a target future state of resilience. For more information on the Essential Eight, the complete framework can be accessed on the ACSC website (https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model).