Get in touch to see
how we can help.
Australia
Perth - Head Office
Melbourne
Sydney
Brisbane
Adelaide
Canberra
New Zealand
Auckland
Wellington
Christchurch
Dunedin
Australia
Perth - Head Office
PO Box Z5439 St Georges Terrace Perth WA 6831
Melbourne
Sydney
Brisbane
Adelaide
Canberra
New Zealand
Auckland
PO Box 5183 151 Victoria Street West Auckland City 1010
Wellington
PO Box 24112 Manners Street Wellington 6142
Christchurch
Dunedin
USA
Seattle
How to implement the Essential Eight: A guide for government organisations

Essential for a reason
There’s no doubt that cybercrime is on the rise. Across the globe, stories of phishing, social engineering, ransomware, malware and more are hitting the headlines with growing frequency – and the attacks are proving costly.
For example, an Australian government agency responsible for providing access to government services suffered an email compromise attack against staff members in 2021, resulting in over 100,000 customer records being stolen and tens of millions of dollars in remediation costs. More generally, business email compromise scams alone cost Australians $79 million in the 12 months to July 2021.
With cybercriminals getting smarter and organisations embracing cloud-based workloads, these costs have the potential to skyrocket. It’s why the federal government has mandated the aptly-named Essential Eight for almost all Australian federal government departments. The recommendations from the Australian Cyber Security Centre are considered the eight most effective controls when it comes to mitigating cybersecurity incidents.
What are the Essential Eight?
According to the ACSC, the Essential Eight are cybersecurity risk mitigation strategies “designed to protect Microsoft Windows-based internet-connected networks.” In a nutshell, the eight strategies include:
Strategies to prevent attacks
- Application whitelisting (or control) – to block users from running applications that the organisation has not whitelisted
- Patching applications – applying updates to protect against potentially malicious security issues
- Configuring Microsoft Office macros – to counter the threats of ransomware and phishing, your security policy should restrict macros
- Application hardening – to protect applications from IP theft, misuse, vulnerability exploitation, tampering or even repackaging
Strategies to limit the extent of attacks
- Restricting administrative privileges – restrict global admin privileges to the bare minimum
- Patching operating systems – to ensure they have the latest security updates and safeguards in place
- Multi-factor authentication – much more powerful than passwords alone, MFA adds an extra layer of protection when users open devices and apps
Strategies to recover data and system availability
- Regular backups – important data, software and configuration settings should be regularly backed up in accordance with business continuity requirements
Within each of these eight strategies, there are differing degrees of maturity – the ACSC clearly spells out the criteria you need to meet for each maturity level.
It’s important to note that not every government department needs to reach the highest level of maturity. Using daily backups as an example, while the Department of Defence may need to hit a 5x9's (99.999%) availability target with their backups, other departments may only need to reach 3 or 4x9's. It’s a matter of weighing up costs versus risk, as well as potential for adversarial behaviour against your digital systems.
Top tips on how to implement the Essential Eight
- Understand the level of compliance you need
An important first step for any government department seeking to bolster its cybersecurity credentials is identifying exactly what you need to be compliant with. Look at the relevant maturity model and seek guidance if you’re unsure which level you should be aiming to achieve.
- Assign resources to get the job done
Even if you are engaging a third party, such as the experts here at Empired, to help you implement the Essential Eight, it’s important to realise that it will take some effort on your part – and that of your employees. As a simple example, setting up MFA requires your staff to add their proof of identity to the apps and devices they use.
- Start small and build on your security credentials
While a graduated approach to achieving the Essential Eight may take longer, it is often Look at what you can do at a base level – again, MFA is a great example here – and then tackle the harder strategies, like application whitelisting, down the track.
- Map out what you need for a tech standpoint
Accepting that some technical debt is inevitable when implementing the Essential Eight, focus on the business benefits – that is, how much you could save from a cost and reputational standpoint by avoiding cyberattacks. The tools identified as being critical for Essential Eight compliance include:
- Azure MFA with Conditional Access
- Microsoft Endpoint Manager
- Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Azure Security Centre
- Privileged Identity Management
- Azure Backup
- Azure Active Directory
- Work with an experienced Essential Eight partner
To fast-track the important task of implementing the Essential Eight, choose a partner who understands these technologies inside out and can help you set them up to suit the unique needs of your organisation. As a Gold certified Microsoft Partner for Security, Empired has extensive experience both working with government departments and implementing Microsoft’s Security Platform.
To find out how we can help you implement the Essential Eight, get in touch today.