
ACSC Essential Eight Services

March 6, 2023 · 4 min · Arjen Lentz

ACSC E8 Mitigation Risk Framework

The Essential Eight (E8) is a framework maintained by the Australian Cyber Security Centre (ACSC), and it provides a clear path towards an improved cyber security posture. From its broader Strategies to Mitigate Cyber Security Incidents, the ACSC selected the eight mitigation strategies that address the attack techniques seen in the vast majority of the compromises it investigates.

All of the E8 are important and there is no fixed order among them, which is why we depict them in a circular diagram. The eight mitigation strategies are: application control; patch applications; configure Microsoft Office macro settings; user application hardening; restrict administrative privileges; patch operating systems; multi-factor authentication; and regular backups.

ACSC Essential Eight diagram

Risk Based Approach

As with almost all information security concepts, the aim is not compliance with a list of controls for its own sake, but identifying risks and mitigating them appropriately. Different organisations have different threat profiles (what is important to you, and what kind of attackers might target you), so there is no one-size-fits-all.

That said, we must always keep in mind that “the baddies don’t care”. Whether the attack is opportunistic or targeted, your organisation can have a cyber security incident. An opportunistic burglar goes from house to house along a street checking whether doors and windows are locked, and the house with less security has a higher chance of being targeted. Online, malicious actors do much the same, from anywhere in the world, and they have automated tools that do most of the reconnaissance work for them.

Not everything can be automated though, and malicious actors also have limited resources. So if your organisation has, for instance, Multi-Factor Authentication (MFA) enabled for all staff, you have a much lower chance of becoming a victim. The ACSC’s analysis of the incidents it responds to shows this clearly, which is why MFA is one of the E8. MFA is not perfect (phishing-resistant methods such as hardware security keys are stronger than SMS or push approvals), but having any MFA is much better than having none.

Threat Profile

You want to know what the key aspects are for your organisation, so you can focus your attention and resources there first. TentaCom can help you define your Threat Profile. No organisation has infinite resources; you need to make choices, and we help you lay out a well-reasoned foundation for them. An outside perspective also helps.

E8 Maturity Levels

In addition to the eight strategies, the ACSC Essential Eight Maturity Model defines three Maturity Levels (one is the lowest, three the highest). Each strategy is assessed separately and can sit at a different level, but an organisation’s overall maturity level is the lowest level reached across all eight, and the ACSC advises reaching a target level across all eight strategies before raising any of them higher. For assessment purposes there is also a Maturity Level Zero, which indicates that the requirements of Maturity Level One are not yet met for that strategy.

Maturity Assessment

TentaCom can review the Maturity Level of each of the topics within your organisation. This, combined with your particular Threat Profile, provides you with valuable insight in your current Security Posture and your likely priorities.

Employee Awareness Training

One more thing: aside from the technical risks and related mitigations in the E8, the human factor is key. Your people are your most important asset, and providing them with ongoing Cyber Security Awareness Training makes your organisation less susceptible to incidents. This is not a one-off but a process over time, so the sooner it is started, the better.

Additionally, Cyber Security Awareness Training is generally the quickest measure to deploy in an organisation, quicker even than Multi-Factor Authentication. This makes it an excellent first action step.

Assessment Report

At this point, there is no general mandate for private-sector organisations to work with the E8 (it is mandated for Australian federal government entities under the Protective Security Policy Framework). However, government contracts at any level, as well as insurance providers, now often ask for either an Assessment Report aligned with a recognised framework, or ask questions that map directly onto one of the frameworks. Getting on to this early will put you in good stead and save a lot of time and effort later. The E8 is a good starting point, and our methodology helps identify and pick out your top priorities, providing some quick and effective uplifts.

A solid third-party report carries extra weight. We can work with the E8, the Australian Information Security Manual (ISM), ISO 27001, Queensland IS18:2018 or NIST, as suits your needs. But we’ll mention it again: the E8 is an excellent one to start with; it looks more achievable, and it is meaningful.

More on Insurance

We have noticed that insurance providers now often either won’t insure you if you haven’t started working on your security posture, or rate your unknown risk as much higher, with correspondingly higher premiums. We have also seen insurers report back to clients with the results of their own proactive vulnerability scans of the client’s public-facing infrastructure. It is notable that insurers are now taking such an active interest in their clients’ cyber security posture. The bar is being raised, and that is appropriate for the rapidly evolving threat environment.

TentaCom E8 Services

In addition to the Threat Profile and Maturity Assessment, of course we include recommendations and suggested priorities in our report. You can run with that internally, or, if you like, have us assist you with the effective implementation of these recommendations, enhancing your Security Posture.

Eager to start your guided Essential Eight journey, or have more questions? Contact Us today!