TLDR: What is the cybersecurity framework and why you need to know about it?
We are living in the fourth Industrial Revolution; cyber-physical systems are just the start, as the biggest changes are yet to come. As part of these changes, organisations need to be more security aware of their systems.
DEFINITION | Gartner’s Information Technology terms glossary defines “cybersecurity” (as one word) as the systems, technologies, processes, governing policies, and human activity that an organization uses to safeguard its digital assets. We sometimes see it written as two words, but that is a little like tomato, tomato.
WHAT IS A CYBERSECURITY FRAMEWORK? It is an understanding of how to best secure on-premises, cloud, and hybrid technology environments, and it has become more crucial than ever. Whilst government regulations can apply penalties, they rarely offer solid strategies for securing your systems. Cybersecurity frameworks provide a set of “best practices” for determining risk tolerance and setting controls, but knowing which one is best for your organisation can be difficult. Furthermore, regulations can refer to more than one standard or framework, as can cyber insurance policies.
ESSENTIAL EIGHT FRAMEWORK HISTORY | The Australian Cyber Security Centre (ACSC) first published the Essential 8 Framework in June 2017, based on the original Australian Signals Directorate (ASD) Top Four recommendations. The ASD first published their guidance in 2010 and quickly noted that the controls mitigate over 85 percent of techniques used in targeted cyber intrusions. Over the years, the framework has been updated and now includes four maturity levels (just to potentially confuse you even further!).
WHAT IS THE ESSENTIAL EIGHT FRAMEWORK? The “eight” refers to categories intended to limit the impact of cybersecurity attacks, prevent malware, and improve an organisation’s ability to recover in the event of an attack.
The categories included in the Essential 8 are:
- Application Control
- Application Patching
- Restrict Administrative Privileges
- Patch Operating Systems
- Configure Microsoft Office Macro Settings
- User Application Hardening
- Multi-Factor Authentication
- Regular Backups
WHY DO WE NEED IT? The Essential 8 is intended to be a consistent reminder to maintain security within an organisation; much like a marathon, you need to keep going. However, it is also important to keep in mind that it has been designed with a Microsoft operating environment in mind and therefore doesn’t always apply to every organisation, especially those running macOS (Apple’s operating system). In addition, the Essential 8 is formed with the intent that your devices are internet-connected, so stand-alone networks are not given consideration.
WHAT CAN THE ESSENTIAL EIGHT DO FOR ME? By first understanding their maturity level, organisations are able to either mitigate the associated risks or accept them. Within the Essential Eight, each maturity level aligns with having specific measures in place within the eight categories mentioned above. Maturity Level One refers to an organisation being “partly aligned.” Maturity Level Two refers to an organisation having additional measures in place to be “mostly aligned.” Maturity Level Three means an organisation has implemented all required controls and is “fully aligned.” It is important to note here that the costs associated with achieving Maturity Level Three can be extensive for an organisation, and therefore a business may decide that Maturity Level One is acceptable.
WHAT LEVEL OF MATURITY IN THE ESSENTIAL 8 IS MY ORGANISATION AT? ASE has built an Essential Eight Assessment to help organisations understand and improve their security posture. This assessment helps organisations identify their potential risks and provides valuable insights and recommendations to help an organisation understand its current security maturity and defensive posture, in alignment with the ACSC Essential Eight. Our engagement includes an initial workshop to understand your organisation, its technology landscape and key business objectives. This could also include which frameworks or regulations you need to comply with, as this is sometimes required by your cyber insurer.
If you’re interested in a high-level roadmap outlining the recommendations, including indicative costs, timelines and the recommended software, hardware and services, reach out to our team for your independent assessment today.