How to implement the Essential Eight: A guide for government organisations 

Essential for a reason

There’s no doubt that cybercrime is on the rise. Across the globe, stories of phishing, social engineering, ransomware, malware and more are hitting the headlines with growing frequency – and the attacks are proving costly.

For example, an Australian government agency responsible for providing access to government services suffered an email compromise attack against staff members in 2021, resulting in over 100,000 customer records being stolen and tens of millions of dollars in remediation costs. More generally, business email compromise scams alone cost Australians $79 million in the 12 months to July 2021.

With cybercriminals getting smarter and organisations embracing cloud-based workloads, these costs have the potential to skyrocket. It’s why the federal government has mandated the aptly-named Essential Eight for almost all Australian federal government departments. The recommendations from the Australian Cyber Security Centre are considered the eight most effective controls when it comes to mitigating cybersecurity incidents.

What are the Essential Eight?  

According to the ACSC, the Essential Eight are cybersecurity risk mitigation strategies “designed to protect Microsoft Windows-based internet-connected networks.” In a nutshell, the eight strategies include:

Strategies to prevent attacks

1. Application whitelisting (or control) – to block users from running applications that the organisation has not whitelisted
2. Patching applications – applying updates to protect against potentially malicious security issues
3. Configuring Microsoft Office macros – to counter the threats of ransomware and phishing, your security policy should restrict macros
4. Application hardening – to protect applications from IP theft, misuse, vulnerability exploitation, tampering or even repackaging

Strategies to limit the extent of attacks

5. Restricting administrative privileges – restrict global admin privileges to the bare minimum
6. Patching operating systems – to ensure they have the latest security updates and safeguards in place
7. Multi-factor authentication – much more powerful than passwords alone, MFA adds an extra layer of protection when users open devices and apps

Strategies to recover data and system availability

8. Regular backups – important data, software and configuration settings should be regularly backed up in accordance with business continuity requirements

Within each of these eight strategies, there are differing degrees of maturity – the ACSC clearly spells out the criteria you need to meet for each maturity level.

It’s important to note that not every government department needs to reach the highest level of maturity. Using daily backups as an example, while the Department of Defence may need to hit a 5x9's (99.999%) availability target with their backups, other departments may only need to reach 3 or 4x9's. It’s a matter of weighing up costs versus risk, as well as potential for adversarial behaviour against your digital systems.

Top tips on how to implement the Essential Eight

1. Understand the level of compliance you need

An important first step for any government department seeking to bolster its cybersecurity credentials is identifying exactly what you need to be compliant with. Look at the relevant maturity model and seek guidance if you’re unsure which level you should be aiming to achieve.  

2. Assign resources to get the job done

Even if you are engaging a third party, such as the experts here at Empired, to help you implement the Essential Eight, it’s important to realise that it will take some effort on your part – and that of your employees. As a simple example, setting up MFA requires your staff to add their proof of identity to the apps and devices they use.

3. Start small and build on your security credentials

While a graduated approach to achieving the Essential Eight may take longer, it is often   Look at what you can do at a base level – again, MFA is a great example here – and then tackle the harder strategies, like application whitelisting, down the track.

4. Map out what you need for a tech standpoint

Accepting that some technical debt is inevitable when implementing the Essential Eight, focus on the business benefits – that is, how much you could save from a cost and reputational standpoint by avoiding cyberattacks. The tools identified as being critical for Essential Eight compliance include:

• Azure MFA with Conditional Access
• Microsoft Endpoint Manager
• Microsoft Defender for Identity
• Microsoft Defender for Endpoint
• Azure Security Centre
• Privileged Identity Management
• Azure Backup
• Azure Active Directory

5. Work with an experienced Essential Eight partner

To fast-track the important task of implementing the Essential Eight, choose a partner who understands these technologies inside out and can help you set them up to suit the unique needs of your organisation. As a Gold certified Microsoft Partner for Security, Empired has extensive experience both working with government departments and implementing Microsoft’s Security Platform.

To find out how we can help you implement the Essential Eight, get in touch today.