Australia’s Essential 8 framework, developed by the Australian Cyber Security Centre (ACSC), provides organisations with a set of foundational cybersecurity measures. However, as cyber threats become more sophisticated, we believe that there are strategic expansions in line with global best practice that would enhance national cyber resilience.
Find out more below:
- Overview of the Essential 8 framework
- International comparisons of cybersecurity frameworks
- Proposed additions to the essential 8 framework
- International coverage of proposed new essential 8 areas
- The case for expanding the Essential 8
Protecht’s Cyber Risk Management eBook is a comprehensive guide that addresses the complex and ever-present challenges of cyber risk. Find out more and download now:
Overview of the Essential 8 framework
Australia's cybersecurity response is encapsulated in the Essential 8—a strategic suite of mitigation strategies devised by the Australian Cyber Security Centre (ACSC)[1]. Originally designed to safeguard government entities, its relevance has expanded across various sectors due to its efficacy.
The Essential 8 is made up of eight fundamental cybersecurity strategies:
- Application control (application security)
- Patch applications (maintenance)
- Configure Microsoft Office macro settings
- User application hardening (baseline config)
- Restrict administrative privileges (IDAM)
- Patch operating systems (Patch)
- Multi-factor authentication (MFA)
- Regular backups (DR)
The ACSC provides a maturity model for the Essential 8, encouraging organisations to progressively enhance their implementation levels based on their risk environment. You can find out more about the history and implementation of the Essential 8 in our earlier detailed overview.
International comparisons of cybersecurity frameworks
To compare Australia's Essential 8 cybersecurity framework with international standards, we’re using the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) as a benchmark[2]. NIST CSF is divided into five primary categories: Identify, Protect, Detect, Respond, and Recover, with subcategories for more specific objectives.
Table: Comparison of cybersecurity frameworks based on NIST CSF
|
NIST CSF Category |
Subcategory |
AU |
NZ[3] |
UK[4] |
EU[5] |
USA[6] |
|
Identify |
Asset Management |
Y |
Y |
Y |
||
|
Business Environment |
||||||
|
Governance |
Y |
Y |
||||
|
Risk Assessment |
||||||
|
Risk Management Strategy |
||||||
|
Supply Chain Risk |
Y |
|||||
|
Protect |
Identity and Access Control |
Y |
Y |
Y |
Y |
Y |
|
Awareness and Training |
Y |
Y |
Y |
|||
|
Data Security |
Y |
Y |
Y |
Y |
Y |
|
|
Information Protection |
Y |
|||||
|
System Maintenance |
Y |
Y |
Y |
Y |
Y |
|
|
Protective Technology |
Y |
Y |
Y |
Y |
Y |
|
|
Detect |
Anomalies and Events |
Y |
||||
|
Security Continuous Monitoring |
Y |
|||||
|
Detection Processes |
||||||
|
Respond |
Response Planning |
|||||
|
Communications |
||||||
|
Analysis |
||||||
|
Mitigation |
||||||
|
Continuous Improvement |
||||||
|
Recover |
Recovery Planning |
Y |
Y |
Y |
||
|
Recovery Testing |
Y |
Y |
Y |
Y |
Y |
|
|
Improvements |
||||||
|
Communications |
Y |
Note: The highlighted subcategories represent the proposed expansion of Essential 8 that we will discuss below.
The table shows where Australia stands in relation to international standards and where there are opportunities to enhance the Essential 8 to better protect against and respond to cyber threats.
- Identify: Asset Management is well covered in NZ, the UK, and the US but not in AU and the EU. Australia could benefit from aligning more closely with international practices.
- Protect: This category shows strong alignment across all regions, indicating a global consensus on the importance of measures such as data security, identity access control and cyber awareness programs.
- Detect and Respond: These categories are notably underrepresented across all regions, pointing to potential areas for global improvement in cybersecurity practices.
- Recover: Recovery planning and testing are variably covered, with the US and UK showing more comprehensive approaches in some areas than Australia, NZ, and the EU.
Proposed additions to the Essential 8 framework
In this section, we propose expansions to the Essential 8 to align with international best practices and addresses evolving threats. We’ve broken these down below:
- Asset management: This involves maintaining an inventory of all assets and understanding the data flows within an organisation. Effective asset management helps identify which assets need to be protected and the extent of protection required.
- Supply chain risk: As cybersecurity threats evolve, the risks associated with third-party vendors and service providers have become increasingly significant. Managing these risks ensures that vulnerabilities in the supply chain do not compromise organisational security.
- Anomalies and events: The ability to detect unusual activities that could indicate a cybersecurity threat would allow Australian organisations to identify potential threats earlier, reducing the likelihood of successful attacks.
- Security continuous monitoring: Continuous monitoring of systems and networks allows for the ongoing assessment of security controls and the rapid detection of security incidents.
- Response Planning: Having a structured and predefined plan for responding to detected cybersecurity incidents is vital. This ensures that organisations can react swiftly and effectively, minimising damage and restoring operations as quickly as possible.
- Communications: Effective communication during and after a cybersecurity incident is crucial for managing the incident itself and maintaining stakeholder trust. Including this area would improve coordination and transparency during crisis situations.
International coverage of proposed new Essential 8 areas
Let’s look at how these frameworks are covered internationally (you can also cross-reference with the table above), to find out where other countries have successfully incorporated these measures into their cybersecurity frameworks, and also identify areas that are consistently underrepresented or inadequately addressed worldwide:
- Asset management: The US strongly emphasises asset management in its NIST Cybersecurity Framework, recognising it as a foundational element for identifying and managing cybersecurity risks. Similarly, the UK includes asset management as part of its National Cybersecurity Strategy, focusing on maintaining a clear understanding of critical assets and their vulnerabilities.
- Supply chain risk: The UK’s framework explicitly addresses supply chain risks, promoting standards and practices that ensure security considerations are integrated into the entire supply chain process. The EU’s cybersecurity strategy also includes directives aimed at enhancing the security of network and information systems, which supports supply chain risk management.
- Anomalies and events: CERT NZ emphasises the detection of anomalies and events as crucial for early threat recognition and response, demonstrating a proactive approach to potential cybersecurity incidents.
- Security continuous monitoring: New Zealand’s cybersecurity guidelines suggest maintaining ongoing vigilance to detect and respond to threats promptly, showcasing a commitment to real-time risk management.
- Response planning: Despite its critical importance in mitigating the impact of cyber incidents, there is a lack of comprehensive strategies that encompass all facets of responding to a cyber incident.
- Communications: Effective communication remains one of the weakest links in global cybersecurity frameworks. Frameworks lack specific guidelines on how to maintain communication with internal and external stakeholders during security breaches.
The case for expanding the Essential 8
Given the insights garnered from international comparisons and the identification of global gaps in cybersecurity frameworks, there is a strong case for Australia to expand its Essential 8 framework. This expansion would align Australia with global best practices and help position it as a leader in addressing areas that are currently underdeveloped.
Enhancing national cybersecurity standards
- Bridging the gap: Incorporating additional focus areas such as Asset Management, Supply Chain Risk, Anomalies and Events, Security Continuous Monitoring, Response Planning, and Communications into the Essential 8 will bridge critical gaps.
- Alignment with global standards: By expanding the Essential 8, Australia would align more closely with the protective and proactive measures seen in frameworks like those of the USA, UK, and New Zealand, enhancing the robustness of its cybersecurity defences.
Leadership in cybersecurity
- Setting a global example: Australia can set an international example by adopting comprehensive measures in areas like Response Planning and Communications, enhancing its own cyber resilience and also boosting global cybersecurity practices.
- Innovative practices: The adoption of expanded measures should encourage innovation and growth within the cybersecurity industry in Australia.
Strategic benefits
- Economic security: Stronger cybersecurity measures protect not just data but also the economic stability of the country.
- Public confidence: Enhanced cybersecurity measures and effective communication during incidents increase public trust in digital services and technologies.
Conclusions and next steps for your organisation
We believe expanding the Essential 8 is a much-needed strategic enhancement of Australia's cybersecurity posture. It represents a commitment to maintaining and enhancing the trust and safety of digital infrastructures that support Australia’s economy, government, and society.
In the meantime, here are our recommendations for stakeholders:
- Government and regulators: Consider revising cybersecurity policies to include these expanded areas.
- Organisations and enterprises: Adopt these broader measures pre-emptively, reinforcing their cybersecurity practices in anticipation of regulatory changes.
- Cybersecurity professionals: Stay ahead of these changes, integrating new strategies and technologies into their practices to stay ahead of threats.
To find out more about cyber risk management, Protecht’s Cyber risk management: The art of prevention, detection and correction is a comprehensive guide that addresses the complex and ever-present challenges of cyber risk in today's digital age. Equip yourself with an understanding of cyber risk management, enabling you to spearhead a proactive approach against ever-evolving digital threats:
References
[1] Australian Cyber Security Centre (ACSC) - Essential 8 Explainer and Maturity Model: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explainer
[2] National Institute of Standards and Technology (NIST) - NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
[3] New Zealand Government - CERT NZ’s Critical Controls for Cyber Security: https://www.cert.govt.nz/it-specialists/critical-controls/
[4] United Kingdom Government - National Cyber Security Centre (NCSC) Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials/overview
[5] European Union Agency for Cybersecurity (ENISA) Cybersecurity Guide: https://www.enisa.europa.eu/
[6] United States - Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials Toolkit: https://www.cisa.gov/cyber-essentials