We know cyber threats are constantly evolving, and there’s no silver bullet. That’s why we’ve adopted the Essential Eight—developed by the Australian Cyber Security Centre as our baseline. These eight key strategies help us raise the bar against potential attackers and build stronger, more resilient systems.

The Essential Eight Maturity Model, originally released in June 2017 and regularly updated, is designed to support the implementation of the Essential Eight strategies. It draws on the Australian Signals Directorate’s (ASD) extensive experience in cyber threat intelligence, incident response, penetration testing, and helping organisations apply these mitigation strategies effectively.

The Eight Mitigation Explained

1. Application Control
   Prevent unauthorised applications from executing, particularly on workstations.
2. Patch Applications
   Apply security patches for applications (e.g., web browsers, Microsoft Office, Java) within two weeks of release, or sooner if an exploit exists.
3. Configure Microsoft Office Macro Settings
   Block macros from the internet and only allow vetted macros to run in trusted locations.
4. User Application Hardening
   Restrict functionality in applications like web browsers (e.g., disabling Flash, ads, and Java unless required).
5. Restrict Administrative Privileges
   Limit admin privileges to those who need them and regularly review accounts. Admin tasks should be performed on separate devices.
6. Patch Operating Systems
   Patch OS vulnerabilities quickly, ideally within two weeks, or sooner if actively exploited.
7. Multi-Factor Authentication (MFA)
   Require MFA for remote access and privileged accounts to prevent unauthorised access.
8. Regular Backups
   Perform regular backups of important data, systems, and configurations, and ensure they can be restored.

Maturity Levels

The Essential Eight includes Maturity Levels 0–3 to help organisations assess and improve their implementation:

• Level 0 – Not implemented.
• Level 1 – Partially implemented; protects against basic threats.
• Level 2 – Protects against more sophisticated threats.
• Level 3 – Strong protections against advanced cyber threats.

Implementing the Essential Eight

Contact us to find out how we can help your organisation’s cyber security posture by adopting the Essential Eight.