See how your cyber security strategy stacks up: Why an Essential 8 checklist is necessary

The growing speed, sophistication, and frequency of cyber attacks in the Australian digital landscape is alarming.

Small to medium-sized enterprises are especially susceptible to the growing threat of digital attacks. The Australian Cyber Security Centre (ACSC) received 76,000 cybercrime reports in the 2021-2022 financial year (one every seven minutes).

 Conscious of this growing threat, the ACSC, under the umbrella of the Australian Signals Directorate (ASD), developed a mechanism for Australian businesses to establish a baseline level of protection known as the Essential 8. The ACSC recommends that all Australian companies implement these mitigation strategies.

This blog goes a little deeper into the prevention strategies contained with the Essential 8 framework, how your business can assess its level of compliance with these government standards through a professionally audited Essential 8 checklist, and why the Retrac security offering includes the Essential 8 as a solution for SMEs.


Understanding the Essential 8 framework

The ASD Essential 8 maturity model allows businesses to assess their current alignment to the Essential 8 security measures and set an implementation goal that they can progressively move towards for greater protection.

The four maturity levels are based on restrictions–the higher the maturity level, the higher the restrictions and security settings.

The four Essential 8 maturity levels

  • Maturity level 0: No protection and potential weakness in the security framework. A maturity level of zero may be attributed to a ‘fresh’ business that has not implemented a mitigation strategy. 
  • Maturity level 1: Offers protection against malicious actors with a more aligned security framework. This maturity level serves as a deterrent to opportunist malicious actors.
  • Maturity level 2: Level 2 offers protection against modest to advanced attacks that may employ techniques such as phishing.
  • Maturity level 3: Protects against advanced malicious actors who commit targeted and sophisticated digital attacks. This is the government standard.

Knowing your ASD Essential 8 maturity model is critical for pinpointing weaknesses in your cybersecurity framework, preparedness, and establishing a foundation for your enterprise to move towards the necessary level of protection.


Setting the benchmark: Which level should you aim for?

As a starting point, we recommend that all SMEs aim for level one protection. From this point onwards, there must be internal agreement about where your business needs to sit.

High security is excellent, but a greater number of restrictions can also impact productivity. An analysis of your enterprise needs, capabilities, industry-mandated basic requirements, and data sensitivity level must all come into play.

Industries such as health, finance as well as governmental organisations deal with highly sensitive personal data and have an obligation to ensure a higher level of protection. As these large-scale attacks are on the rise within these industries— establishing Essential 8 controls is more necessary than ever.

After reaching level one, it’s Essential to do a deep dive into your procedures and policies to determine which benchmark is most applicable to your enterprise needs—it can be a big jump from maturity level 1 to level 2.


Why we work with the Essential 8 framework?

Regarding the Essential 8 framework, it’s not so much a question of choosing to adopt the procedure but rather understanding, implementing, and adhering to the recommendations.  

The Essential eight is updated to reflect contemporary challenges in the digital landscape, and has been adopted by Microsoft as the industry standard.  

By aligning your business to the Essential 8 frameworks, we can:

  • Enhance your business protection against common cyber attacks 
  • Reduce the risk of security incidents and leaks 
  • Build a framework to measure security risks internally 
  • Establish a guideline to implement on-going, cost-effective security measures  

As specialists in Microsoft operating systems and products such as Microsoft 365, we can build on top of the basics, introducing configurations and policies around Essential 8 from the top down. At Retrac, we leverage tools and software that your business may already be paying for but underutilising to achieve a higher alignment to the ASD essential 8 framework.  


Getting started with the Essential 8 checklist 

How do I get started? 

To get started, we recommend you speak to us so we can arrange an independent assessment with a specialist IT partner that can run an Essential 8 checklist. With the help of this partner, Retrac will then generate a report and get your business to the level you require by making these changes progressively. We can also arrange a DSIP auditor if certified compliance is a requirement.

Alternatively, you can reach out to your current service provider to ask if they employ the cybersecurity measures as outlined in the ASD Essential 8 framework and at what maturity level you’re currently at.

At Retrac, due to our experience with Microsoft, we can look into your licensing level and leverage tools such as Microsoft Compliance Manager to prepare reports and see where you sit on the maturity scale. Additionally, The Retrac security bundle provides customers with optimised and appropriately aligned managed security solutions. Through regular maintenance and the deployment of best practices, we ensure your enterprise security is up-to-date, sitting at the right maturity level for both performance and security.  

 This means you can focus on what matters most, growing your business. 

What do I do once aligned?  

The Essential 8 framework serves as a guideline and can change due to shifts in the digital space, emerging threats and is subject to updates and changes.  

 It’s not set and forget. Things will change, and revisiting every quarter is a sound strategy to ensure on-going compliance and maximum security.  


 Progressing through the strategies with an Essential 8 checklist 

An Essential 8 checklist covering the Essential 8 strategies can serve as a starting point. While it may be challenging to get a bearing on your maturity level without a professional audit, even some indication of the adoption level can give an idea of the road ahead.  

Explore the Essential 8 strategies and some non-technical questions that can help indicate your enterprise’s alignment level below.  

1. Application Control 

Application Control empowers you to block all applications, including ransomware, by default on any device. Then, you can selectively allow only the necessary apps while preventing malicious or unnecessary applications.  

What measures are in place to control which applications can run on our systems? Have we established a system to prevent unknown applications from running on our devices? 

2. Patch Applications 

Patching applications involves identifying missing patches and security updates through vulnerability scans. It also ensures timely patch installations and removes unsupported applications addressing vulnerabilities in the security framework.  

How often are software applications updated to protect against vulnerabilities? 

3. Patch Operating Systems 

 Patching operating systems means regularly checking for updates, analysing vulnerability data, and rigorously testing new patches to enhance your operating system security. 

 Do we upgrade our operating system regularly to address vulnerabilities?  

4. Microsoft Office Macro Settings Configuration 

This framework offers measures to mitigate and prevent potentially harmful macros that cyber attackers could exploit against your organisation. 

What safeguards do we have in place to secure Microsoft Office macros? Are we leveraging internal tools to maximise safety measures in office?  

 5. User Application Hardening 

User application hardening focuses on securing web-interacting applications like web browsers, Microsoft Office, and PDF software. It involves configuring settings to block ads, specific sites, and risky content that can lead to attacks.  

Are browsers and document software hardened against attacks such as malicious ads and content?  

 6. Restrict Administrative Privileges 

Restricting access to specific applications, files, and data bolsters your organisation’s defenses, ensuring that sensitive data is accessible only to authorised personnel. 

 Do we limit access and administrative privileges to authorised, pre-approved, and trained personnel?  

7. Multi-factor Authentication (MFA) 

MFA enhances security by requiring additional identifiers (beyond passwords) before granting access to applications or services. 

What steps beyond password control exist to authenticate users and permit access to our systems and accounts?  

 8. Regular Backups 

The Essential 8 emphasises the importance of regular backups for essential data, software, and configurations. It also outlines requirements for managing access, modifications, and deletions of backups. 

How often do we update data and test recovery systems in an emergency?  

According to the ACSC, “organisations should identify and plan for a target maturity level suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved“. 

As the strategies are complementary, you must plan to reach the same level of maturity across all 8 strategies before considering progression.  


For Expert-Level Essential 8 Alignment, Choose Retrac 

As Essential 8 specialists and Microsoft expert partner, we’ll step in to deliver Essential-8-based security solutions for your SME, whether this be an audit of your current set-up, collaborating with your team to build out a plan to reach the right maturity level for your company or educating your team on the proper steps to take for the right maturity level.  

Current Retrac customers can rest easy knowing our expertise and commitment to aligning with these government standards are at the forefront of every security measure we take. You’re well positioned to confront any cybersecurity challenges ahead. 

Reach out to the team at Retrac to find out how aligned your systems are to the Essential 8 today.