The ASD's Essential Eight

How to Implement Cyber Security Strategies with Training

Sydney (AU), October 2024 - In 2017, the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), published the Essential Eight: a prioritised set of mitigation strategies to help organisations protect themselves against a range of cyber threats. Since then, more Australian organisations have adopted it as their security baseline. According to Trustwave, government agencies now list E8 compliance as a criterion in tender documents.

How can you set your team up for success when they implement the Essential Eight in your organisation? Because the strategies touch such a wide range of systems, there is no single dedicated Essential Eight training course. However, many of the mitigation strategies map directly onto Microsoft platforms and tooling. At Lumify, we want to help skill your people so they can put this cyber security framework in place, so we have mapped out some recommended training pathways. Most are from our Microsoft portfolio, supplemented by certification courses on backups and cyber security fundamentals from Veeam, ISC2 and ISACA.

Essential Eight explained

The Essential Eight aims to provide a national baseline for reducing cyber security incidents. It was designed to protect organisations' internet-connected information technology networks; ASD notes that while its principles can be applied to other environments, such as operational technology networks, it was not designed for them. The eight strategies fall into three groups: preventing malware delivery and execution (application control, patching applications, restricting Office macros, user application hardening), limiting the extent of incidents (restricting administrative privileges, patching operating systems, multi-factor authentication), and recovering data and system availability (regular backups).

ASD's Essential Eight online resources are the authoritative guides, and the website is updated regularly. They include the current Essential Eight Maturity Model and its change log, the mapping of each strategy to Information Security Manual (ISM) controls, the assessment process guide and FAQs. Visit the ACSC website to make an informed decision about whether implementing the Essential Eight is right for your organisation.

The Essential Eight is the prioritised core of ASD's broader Strategies to Mitigate Cyber Security Incidents. As an overview, the eight strategies are:

  1. patch applications
  2. patch operating systems
  3. multi-factor authentication
  4. restrict administrative privileges
  5. application control
  6. restrict Microsoft Office macros
  7. user application hardening
  8. regular backups

The Essential Eight Maturity Model (maturity levels zero to three) lets you improve cyber security measures step by step: assess which level your organisation is at today and what is needed to move up. ASD recommends choosing a target maturity level based on the adversary tradecraft you need to withstand, and reaching that level consistently across all eight strategies before moving higher; maturity level three is the most demanding level, not a universal requirement. ASD's assessment guidance and tooling help gauge your current maturity.

Who should use the Essential Eight?

On whether the Essential Eight framework is right for you, the short answer is 'yes.' The Australian Government encourages the public and private sectors to use the strategies.

Any Australian organisation or business that uses digital systems, handles sensitive data or is concerned about cyber security should consider the E8. This is even more relevant if your systems are on Microsoft.

  • Government Agencies - The Essential Eight is mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF). It helps protect government systems and citizen information from domestic and international threats.
  • Businesses and Enterprise - Large organisations, especially in finance, healthcare, energy, and telecoms, should adopt E8 to protect the massive amounts of customer data they handle.
  • Small to Medium-Sized Businesses (SMBs) - Small businesses may have fewer resources for cyber security. But they are still prime attack targets. Using the Essential Eight can provide a simple, cost-effective and foundational level of security.
  • Critical Infrastructure Providers - Providers of critical services such as energy, water and telecommunications should use these strategies to protect against attacks that could disrupt essential services.
  • Educational Institutions - The E8 helps schools, universities, think tanks and research institutions safeguard student information and intellectual property.
  • Not-for-Profit Organisations - Non-profits handle sensitive donor and volunteer information. The Essential Eight provides a clear set of guidelines to protect their operations.
  • Managed Service Providers (MSPs) - These are responsible for the IT services of many clients. The Essential Eight framework can help MSPs protect their and their clients' systems.

Why implement Essential Eight?

The Essential Eight helps organisations meet Australian regulatory and contractual expectations: it maps to ISM controls, is required under the PSPF for Commonwealth entities, and is increasingly referenced in tender and supplier requirements. Beyond that, it offers the following benefits:

  • Enhanced Security - It makes it much harder for adversaries to compromise IT systems. The widely quoted 85% figure comes from ASD's original analysis of the Top Four strategies, which it found would have mitigated at least 85% of the targeted intrusion techniques it responded to; the Essential Eight extends that set.
  • Cost-Effectiveness - Proactively implementing E8 costs far less time, money and effort than responding to a major incident. Start with what you have and do what you can now, aiming for a consistent maturity level across all eight strategies before pushing individual strategies higher.
  • Fast Recovery - These strategies help you limit the impact of attacks, and you can recover quickly if they happen.
  • Culture of Security and Growth - Adopting E8 strengthens a company's commitment to cyber security, compliance and continuous improvement.

Considerations before implementing the Essential Eight

Successful implementation of the E8 is more than a one-and-done deal. It requires a strategic approach and ongoing improvement. Before you begin, review your current security systems, policies, skill gaps and communication, and ask the following questions.

  • Do your staff have enough training? Adequate training equips your teams with the skills to adopt the strategies. The Lumify Work team has mapped out some recommended training courses to support you.
  • What's your current security maturity level? Audit your company to understand where you are right now and how to reach the desired maturity level. The leader who owns your organisation's Essential Eight initiative must understand crucial cyber security concepts to do this. You can find recommended fundamental courses to guide you.
  • How do you communicate E8 adoption? Resistance to change among staff and stakeholders can obstruct the successful implementation of Essential Eight controls. You need to explain why, how, and what, and you need to do this regularly.
  • What automations can you use? Map each strategy to tooling you already own before buying more. For example, Group Policy or Intune can deploy and enforce macro and application control policies on end-user devices, and conditional access in your identity platform can enforce MFA for cloud apps. Review the security and access settings of your end-user Office apps and cloud environments with that mapping in hand.
  • How do you divide the implementation into phases? A structured plan can address challenges by breaking down the adoption of Essential Eight into manageable, smaller projects.
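The maturity and automation questions above both start from the same need: evidence of what is actually configured on your endpoints, rather than what the policy document says should be. The script below is an added example written for this page, not an ASD or Lumify tool, and it collects host-level evidence for four of the eight strategies on one Windows 10/11 endpoint. It assumes Office 2016 or later / Microsoft 365 Apps (registry branch 16.0) with policy applied per user through the Office ADMX templates; the pass/fail thresholds (two local administrators, 30-day patch age) are illustrative assumptions, not ASD's published maturity-level criteria.

```powershell
# Added example (not an ASD or Lumify tool): gather host-level evidence for four Essential
# Eight strategies on one Windows endpoint. Run in an elevated PowerShell 5.1+ session.
# Assumptions: Office 2016+/Microsoft 365 Apps (registry branch 16.0), per-user Office policy
# via the ADMX templates; thresholds below are illustrative, not ASD maturity-level criteria.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Strategy, [string]$Check, [bool]$Pass, [string]$Evidence)
    $findings.Add([pscustomobject]@{
        Strategy = $Strategy; Check = $Check; Pass = $Pass; Evidence = $Evidence
    })
}

# --- 6. Restrict Microsoft Office macros ---
# The Office ADMX "VBA Macro Notification Settings" policy writes VBAWarnings:
#   1 = enable all, 2 = disable with notification, 3 = disable except digitally signed,
#   4 = disable all without notification.
# "Block macros from running in Office files from the Internet" writes
#   blockcontentexecutionfrominternet = 1 (blocks macros in files carrying the Mark of the Web).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba  = $p.VBAWarnings
    $motw = $p.blockcontentexecutionfrominternet
    Add-Finding 'Restrict Office macros' "$app blocks internet-sourced macros" ($motw -eq 1) "blockcontentexecutionfrominternet=$motw"
    Add-Finding 'Restrict Office macros' "$app macros disabled or signed-only"  ($vba -in 3, 4) "VBAWarnings=$vba"
}

# --- 5. Application control (Windows Defender Application Control) ---
# Win32_DeviceGuard.CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced.
# Audit mode only logs; only "enforced" actually blocks unapproved executables.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$ci = $dg.CodeIntegrityPolicyEnforcementStatus
Add-Finding 'Application control' 'WDAC policy enforced (not audit)' ($ci -eq 2) "CodeIntegrityPolicyEnforcementStatus=$ci"

# --- 4. Restrict administrative privileges ---
# Every member of the local Administrators group is a standing admin grant to justify.
# An empty result means the query failed (or ran unelevated), so it is treated as a fail.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
Add-Finding 'Restrict administrative privileges' 'Local Administrators: built-in account plus at most one other' `
    ($admins.Count -gt 0 -and $admins.Count -le 2) ($admins.Name -join ', ')

# --- 2. Patch operating systems ---
# Age in days of the most recent installed OS update; 30 days is an illustrative threshold.
$last    = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($last) { [int](New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).TotalDays } else { $null }
Add-Finding 'Patch operating systems' 'OS update installed within 30 days' `
    ($null -ne $ageDays -and $ageDays -le 30) "last=$($last.HotFixID) ageDays=$ageDays"

# MFA, regular backups and application patching are not fully observable from a single host
# (the identity provider, backup platform and software inventory hold that evidence),
# so they are deliberately not scored here.

$findings | Format-Table Strategy, Check, Pass, Evidence -AutoSize
$findings | Export-Csv -Path "$env:COMPUTERNAME-e8-evidence.csv" -NoTypeInformation
```

Run it across a sample of endpoints and the CSV output gives you a first, fact-based view of where macro, application control, admin privilege and OS patching controls really stand before you commit to a target maturity level; any check that relies on a missing registry value or failed query reports as a fail rather than silently passing.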

Common E8 Challenges and Solutions

Implementing the Essential Eight can present challenges related to managing resources, training staff and keeping up with changing requirements. Some of these include:

  • Compliance Drift - Some teams experience seemingly constant changes in requirements. For example, only the original Top Four strategies were once mandatory for Commonwealth entities; all eight now are. Microsoft recommends using Purview Compliance Manager for ongoing compliance tracking. There are also Essential Eight premium templates within Purview Compliance Manager, and premium templates for IRAP at the Official and Protected levels.
  • Priorities All Over the Place - Periodic reviews provide progress reports, show current gaps, and determine what to focus on during each continuous improvement phase.
  • Lack of Training - Regular training and awareness programs ensure that current and new staff are on board and knowledgeable. You can explore Lumify Work skilling options.

Skilling your team for Essential Eight adoption

Each Essential Eight mitigation strategy requires configuring various platforms or software systems. Due to the variety of these systems used across organisations, there is no dedicated E8 training course. However, many of the recommended mitigation strategies align with the Microsoft ecosystem.

The Lumify Work team listed some recommended training pathways. Most are from our Microsoft portfolio. You can find a few certification courses on backups and cyber security fundamentals from Veeam, ISC2, and ISACA as supplements. The list of training courses for each of the eight strategies (from patch applications to regular backups) is here.

Coming back to the topic of audits and preparation, we have also recommended fundamental cyber security courses to help those in charge of E8 adoption understand the crucial concepts.

Don't hesitate to contact the Lumify Work team for awareness training or advanced training. Lumify offers a wide range of cyber security courses that align with all experience levels. Download our cyber security brochure to learn more.