Updates to Australia's Essential Eight Maturity Model: What Organisations Need to Know

By: Kevin Xia

As we look at the cybersecurity landscape in 2024, Australian organisations remain in a precarious limbo. Despite heightened attention following significant breaches at Optus and Medibank in 2022, substantial security incidents continue to be reported each month.
Notably, organisations such as Football Australia, Nissan Australia and Dan Murphy’s have all recently fallen victim to major breaches, underscoring the ongoing challenges organisations face in safeguarding sensitive data and fortifying their defences against cyber threats.

While these issues persist, how are the threats being managed? And how can Australian entities prevent a security breach of their own?

The Australian Cyber Security Centre (ACSC) released a set of recommended mitigation strategies known as the Essential Eight (E8) in 2017 to give organisations the baseline controls needed to protect against and mitigate cybersecurity threats, and to support the overall uplift of cybersecurity controls in Australia. Drawing on observations from the six years since the original release of the E8, the ACSC has recently updated the Essential Eight Maturity Model (E8MM) to provide guidance on more robust cybersecurity measures for Australian organisations.

Essential Eight Maturity Model

The ACSC released an update to the E8MM in November 2023 with several changes to the previously recommended framework of controls. Organisations that benchmark themselves against the E8 will need to reassess their existing cybersecurity strategies and control practices to determine whether they remain aligned with the new requirements.

Whilst several of the changes are relatively simple for organisations to action, the areas below have had more significant revisions that may require further consideration:

  1. Patching applications and operating systems: Patching has seen changes at each of the three maturity levels, including new requirements for regular vulnerability scanning and stricter timelines for addressing known vulnerabilities in vendor-provided systems. At a minimum, organisations will need to review their current vulnerability scanning and patching frameworks and assess whether vulnerability scanning schedules and remediation timeline guidance need to be revised. Organisations should also consider which vulnerability management controls over vendor system management practices need to be addressed to satisfy the organisation’s risk tolerance for unpatched vulnerabilities.
  2. Multi-Factor Authentication (MFA): MFA requirements have been rewritten to define more strictly the minimum standards for the MFA methods used at each maturity level, as well as the scope of systems to which MFA is expected to be applied. Organisations will need to look more closely at whether their current MFA implementation still meets the minimum criteria or whether a change in approach is required.
  3. Restricting Administrative Privileges: Requirements have been updated to include new considerations on controlling privileged access to data repositories, administrative infrastructure and internet-facing services. Given these changes, organisations may need to revise their approach to restricting and managing privileged accounts.
  4. Application Control: The application of Microsoft’s recommended application blocklist and an annual review of rulesets are now both required at a lower maturity level.
  5. User Application Hardening: An increased focus has been placed on logging of command-line processes, including requirements for the protection and monitoring of those logs at lower maturity levels.

In addition to the items above, there are several smaller changes that may affect organisations depending on their specific technologies, processes or reporting. For instance, we often see businesses struggling with the increased focus on vulnerability management, especially where substantial legacy applications are still in place.

How we can help

Navigating the evolving landscape of cybersecurity maturity can be a daunting task for organisations. At Grant Thornton, we recognise the challenges faced by businesses striving to achieve their targeted level of the E8MM, and therefore provide support that includes:

  • Baseline Establishment: Our team of experts will assess your current cybersecurity posture, providing a solid foundation and roadmap for improvement.
  • Gap Analysis: By comparing against the updated E8MM standard or other best practice frameworks, we will pinpoint areas for enhancement.
  • Implementation Roadmaps: Collaborating closely with you, we will craft a strategic, customised plan to elevate your cyber maturity.
  • Testing of Controls: Our team will assess the design and operating effectiveness of your security measures.

Whether your organisation is just starting the implementation journey or needs to adapt to the recent changes in requirements, our Risk Consulting team is here to assist.

Learn more about how our Risk services can help you