The Essential Eight is a journey, not a destination to reach. Your security posture improves significantly as you progress through the maturity levels.
If you look at cyber security like home security, then going from one Essential Eight maturity level to the next is more than just adding locks (controls) each time. It’s more about installing different security solutions (e.g., cameras, alarms, fences) one on top of another to multiply their strength.
This layered approach significantly deters attackers and reduces the damage they can inflict. By striving for higher maturity levels within the Essential Eight framework, a business amplifies its ability to withstand cyber threats.
Read on to demystify the Essential Eight Maturity Levels or skip ahead to:
- The Origin of the Essential Eight
- How the Eight Controls Were Chosen
- What the Essential 8 Maturity Levels Mean
- The Best Strategy to Cyber Security Maturity: Master Level 1 First
- Your Essential Eight Journey: Practical Steps to Maturity
The Origin of the Essential Eight
The Australian Cyber Security Centre (ACSC) believed that most cyber-attacks could be prevented if businesses implemented basic security measures. Hence, it introduced the Essential Eight in February 2017. It evolved from a document called Strategies to Mitigate Cyber Security Incidents.
The Essential Eight drew inspiration and key principles from the National Institute of Standards and Technology (NIST) cyber security framework (2014). Think of the NIST framework as a vast library of cyber security knowledge and best practices, and the Essential Eight as a curation of the eight most important books in it.
The NIST framework is broad, comprehensive, and designed to be flexible and adaptable. On the other hand, the Essential Eight is simpler, with only eight actionable controls to address the most common cyber vulnerabilities faced by Australian businesses.
How the Eight Controls Were Chosen
The Essential Eight was designed to protect internet-connected Microsoft Windows systems. The cyber security mitigation strategies are divided into three primary goals: prevent attacks, limit attack impact, and recovery.
The eight cyber security strategies are:
- Patch applications
- Patch operating systems
- Multi-factor authentication
- Restrict administrative privileges
- Application control
- Restrict Microsoft Office macros
- User application hardening
- Regular backups
Please check out our previous article if you would like to go into detail about What is the ‘Essential 8’ and Why is it Important to your Business?.
These strategies or controls were selected from dozens of cyber security solutions based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, and assisting organisations to implement cyber security measures.
What the Essential 8 Maturity Levels Mean
The Essential Eight is more than a checklist that can make you feel secure if you tick off all eight controls. Your business must go on a maturity journey and continually improve its cyber security posture.
| MATURITY LEVEL | WHAT YOUR SECURITY AND STRATEGY LOOK LIKE |
| Level 0 | You have weaknesses in your security posture and it is not aligned with the mitigation strategy. |
| Level 1 | You have a good level of security resilience against a common attack. |
| Level 2 | You have protections against adversaries operating with a modest setup thanks to an extra layer of early detection and forensic analysis. |
| Level 3 | You are fully aligned with all 8 controls at all levels. |
At which level do you need to be? Know that only government agencies and organisations with a high degree of regulatory obligation or highly valuable data need to attain maturity Level 3.
At a minimum, all businesses should have Maturity Level 1 security measures in place. With a view to transition to Maturity Level 2.
While it can be tempting to rush to higher levels, just focus on mastering each control at its baseline.
The Best Strategy to Cyber Security Maturity: Master Level 1 First
When building a house, would you add a fancy roof if your foundation is shaky? To strengthen cyber security, each control in the Essential Eight must build upon the last. Implementing one control at a higher level, while neglecting others at Level 1, creates vulnerabilities.
For example: You might implement multi-factor authentication (MFA), but neglect patching your software regularly. Hackers can still exploit those unpatched vulnerabilities, rendering your fancy MFA lock somewhat useless.
Completing all controls effectively at Level 1 establishes a solid security baseline for your business. Subsequently, your maturity actions will look like this:
| TARGET MATURITY LEVEL | ACTION |
| Level 1 | Implement the core control, like patching applications regularly or using strong passwords |
| Level 2 | Refine your implementation by automating patching processes or conducting regular password audits |
| Level 3 | Further enhance your security with advanced measures, like vulnerability scanning or privileged access controls |
Remember: The Essential Eight isn’t a race but a journey of continuous progress. A well-executed Level 1 defence is far more valuable than a poorly implemented Level 3 one. Optimise your security within achievable limits instead of chasing an unattainable ideal. Focus on getting the basics right, then build your cyber security defences brick by brick.
Your Essential Eight Journey: Practical Steps to Maturity
You don’t have to feel overwhelmed with your Essential Eight implementation. There are easily actionable steps you can take.
- Seek Guidance: You can get general resources, guides, and tools from the ACSC website, but for tailored advice, a cyber security services provider can assist you.
- Start with an Assessment: Evaluate your current cyber security posture. Seek professional help to identify where you stand and areas that need improvement.
Future IT Services can provide you a free human risk report, one of the key elements of cyber security risk management. Discover areas where your employees might be unknowingly exposing your organisation to threats.
We’ll scan your domain name on the dark web to see if your emails might have been compromised, and we will test your employees with a phishing campaign.
Take this step now.