In August 2024, the Meow ransomware gang claimed to have stolen 90GB of sensitive data from All Parks Insurance, a small Australian underwriting agency in Wyong, NSW. The stolen data was then immediately offered for sale on the dark web for $10,000 to $20,000.
Every data breach like this is a reminder that all businesses are targets, regardless of size. Those with weak security are more vulnerable, and so strengthening one’s cyber security is a must.
To help organisations do that, the Australian Cyber Security Centre (ACSC) developed the Essential 8 framework, which provides a structured approach to managing cyber security risks. With newer frameworks coming to life, is the Essential 8 still relevant in mitigating cyber risks in Australia?
The Emergence of New Cyber Security Frameworks
New cyber security frameworks claim to address specific needs or fill gaps left by existing ones. However, this doesn’t necessarily render the Essential 8 obsolete. It only means that every framework has a different approach and focuses on a different aspect from the rest.
Here’s a quick comparison of some cyber security frameworks used in Australia:
| FRAMEWORK | FOCUS | COMPONENTS & KEY FEATURES | STRENGTHS & BEST USE |
| Essential 8 | Core security hygiene for mitigation of cyber security threats | With 3 maturity levels and 8 controls: Application control Patch applications Configure Microsoft Office macro settings User application hardening Restrict administrative privileges Patch operating systems Multi-factor authentication Regular backups | Designed for Australian businesses, easy to understand and implement; best for small-to-medium businesses (SMBs) |
| SMB1001 | Business cyber security for SMBs | With 5 tiers covering a wider range of security practices | Provides a granular level of detail; suitable for organisations with more advanced security needs; best for SMBs seeking a more comprehensive approach |
| ISO/IEC 27001 | Information security management system (ISMS) | Controls are grouped into 14 domains, covering a broad range of security topics | Globally recognised standard, suitable for organisations with international operations; best for businesses of all sizes seeking to establish a comprehensive ISMS |
| CIS Controls | Prioritised security controls | With 18 controls covering essential security practices | Provides a flexible and adaptable framework, suitable for different industries and organisational structures; for businesses of all sizes |
| NIST Cybersecurity Framework (CSF) | Risk-based approach to cyber security | Uses 5 core functions: Identify, Protect, Detect, Respond, Recover | Provides a common language and framework for assessing and managing cyber security risk; best for organisations seeking a flexible and customisable framework |
The Enduring Relevance of the Essential 8
The Essential 8 framework has been proven among the most highly effective cyber security strategies. Amidst newer frameworks, it continues to be a valuable tool for protecting against cyber threats. Here’s why:
Focus on Core Security Hygiene
The eight key controls address the most common cyber security vulnerabilities. Implementing them significantly reduces the attack surface, making it harder for cybercriminals to gain access to sensitive data.
Proven Effectiveness and Widespread Adoption
The Essential 8 has a strong track record of success in preventing cyber security incidents. According to the ACSC, organisations that implement all eight controls are significantly less likely to be compromised.
Flexibility and Customisation
While the framework provides a baseline, it’s not a “one-size-fits-all” solution. Businesses can customise the Essential 8 to fit their specific needs and resources. A small legal firm might focus on implementing application control and multi-factor authentication as a priority, while a larger healthcare provider might invest in more robust user application hardening measures.
Customising the Essential 8 for Your Business
The key to effective Essential 8 implementation lies in prioritisation. Here’s a simple guide to do that:
- Conduct a Risk Assessment: Identify your organisation’s critical assets and potential vulnerabilities. Consider factors such as the sensitivity of your data, the types of threats you face, and the potential impact of a successful cyberattack.
- Prioritise Controls: Based on your risk assessment, prioritise the Essential 8 controls that will have the greatest impact on mitigating your specific risks. Focus on controls that address your most critical vulnerabilities and protect your most valuable assets.
- Consider Resources and Capabilities: Evaluate your organisation’s resources and capabilities to determine which controls can be implemented most effectively. Consider factors such as your IT capabilities, your budget, and your overall security maturity.
- Develop an Implementation Plan: Create a detailed plan outlining the steps required to implement each prioritised control. This plan should include timelines, responsibilities, and resources.
- Implement and Monitor: Implement the controls according to your plan and monitor their effectiveness on an ongoing basis. Continuously assess your risk profile and adjust your priorities as needed.
By following these steps, you can tailor the Essential 8 framework to your specific needs, ensuring your adequate protection against cyber threats.
Beyond the Essential 8
While the Essential 8 can provide a strong foundation, it shouldn’t be the end of your cyber security journey. Consider additional controls like cyber security awareness training for staff and incident response planning.
Are you ready to take the next step? Future IT’s cyber security experts can help you implement the Essential 8 and build a robust defence against cyber threats. Contact us today or learn more about our cyber security solutions:
