The ACSC Essential Eight in review
Now that we have covered all eight ACSC Essential Eight domains (Application Control, Patch Applications, Configure Microsoft Office Macro Settings, User Application Hardening, Restrict Administrative Privileges, Patch Operating Systems, Multi-factor Authentication, and Regular Backups), it is a good time to pause and reflect on how they will impact your own business as well as your customers.
I deliberately avoided focusing on specific tools, strategies, or processes for each control, as the intent was to help you understand what the ACSC Essential Eight is and to build talk tracks for customer discussions. The other reason for avoiding specific tools or processes is that every managed service provider (MSP) has its own variations to meet its requirements. Having said that, my discussions with partners indicate that many of you already have the tools and processes in place to get very close to Maturity Level One.
Why the Essential Eight?
From the MSP or MSSP perspective, the goal of the Essential Eight is to provide a market- and risk-relevant strategy for establishing a baseline of technical controls that protect both you and your customers. The terms baseline, fundamental, and essential matter here: you and your customers will need additional controls above and beyond the scope of the Essential Eight when implementing a comprehensive cybersecurity strategy.
While not a regulatory requirement, the ACSC Essential Eight is published by the Australian Government and is regularly referenced in the media. I also hear from many end users and MSPs that it appears in commercial contracts, cybersecurity insurance questionnaires, and policies.
For an MSP or MSSP, the organisational impact of the Essential Eight is a much more significant consideration than it is for an individual business, because you have your customers' internal requirements to consider on top of your own. This will often mean that different tools or processes are required to minimise user resistance across customers and to make managing multiple customers practical. For example, a tool that solves an Essential Eight challenge might be cost-prohibitive for a single organisation but may deliver significant savings in time and effort when its cost is spread across multiple customers.
The Essential Eight maturity levels
Broadly speaking, you should aim for yourself and your customers to reach a minimum of Maturity Level One, but ideally Maturity Level Two.
The decision is based on the customer's risk profile and the likely capability of a threat actor trying to gain access to their environment. Be aware, though, that the drivers pushing an organisation to Maturity Level Two or Level Three are not always directly based on its risk profile; they can also be influenced by the industry it operates in, compliance obligations, or commercial contracts.
Assessing the Essential Eight
Once you have implemented the Essential Eight, you will need to report on compliance, and as an MSP/MSSP you will eventually want to build an automated process for this reporting. The ACSC has released the Essential Eight Assessment Process Guide, which includes a report template and guidance for assessors.
If you are building out your reporting module, it helps to follow this assessment process closely so that you provide as much appropriate information as possible and smooth the assessment. Where relevant, remember to highlight any compensating controls that have been implemented, and make sure you meet the evidence requirements for each control.
In summary, the ACSC Essential Eight provides valuable guidance on the eight controls rated as essential in the ACSC's Strategies to Mitigate Cyber Security Incidents.
The goal is to establish a fundamental security baseline that hardens the operating environment and significantly improves an organisation's cybersecurity posture without incurring excessive overhead.
While not mandatory, this set of guidelines aims to protect Australian businesses from malicious actors and is increasingly becoming a requirement of cybersecurity insurance policies and commercial agreements.
For ongoing maintenance, I recommend referring to cyber.gov.au for the most up-to-date policies and guidelines, as the maturity model is revised periodically.