Most cyber incidents known to Australia’s lead cyber security centre in the past year have targeted government systems, critical infrastructure, and essential services. More than a third of attacks – which are committed by state actors and criminals – targeted government agencies at federal, state and local levels. A quarter also aimed to interfere with critical infrastructure, including health care, food distribution and energy sectors.

Threats like these are rapidly growing in number and can have major security implications.

No longer a check-box exercise for compliance, cyber security – including understanding your risks, mitigations, and controls, is an essential practice in any organisation.

Where to start? 

The Australian Cyber Security Centre (ACSC) created a set of prioritised mitigation strategies known as the Essential Eight. The Essential Eight are a subset of the original Top 37 and provide a prioritised list of security controls that organisations can use to protect and improve their cybersecurity. According to ASD, these eight mitigation strategies alone have the potential to prevent up to 85 percent of cyberattacks. They are an absolute baseline for government organisations and intended to provide guidance for departments wondering where to start.

The Essential Eight strategies fall into three broad categories: 

• Mitigation Strategies to Prevent Malware Delivery and Execution
• Mitigation Strategies to Limit the Extent of Cyber Security Incidents
• Mitigation Strategies to Recover Data and System Availability

Adopting the Essential Eight is a strategic process that requires a whole-of-business view. It is suggested that organisations take a risk-based approach to implementing the right safeguards for their organisation.

As a first step, you need to identify your organisation’s current cyber security maturity level. The ACSC has defined four maturity levels:

Maturity level zero 
This maturity level signifies that there are weaknesses in an organisation’s overall cyber security posture and that no controls are implemented. If exploited, these weaknesses would facilitate the compromise of the confidentiality, integrity and availability of data and cause a significant impact to the organisation.

Maturity level one 
The focus of this maturity level is adversaries who are content to simply leverage commodity tradecraft that is widely available to gain access to, and likely control of, systems. This maturity level signifies that basic controls and processes are implemented to establish the organisation’s overall cyber security posture.

Maturity level two 
The focus of this maturity level is adversaries operating with a modest step-up in capability from the previous maturity level. These adversaries are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools. This maturity level signifies a step up in controls and processes to enhance the organisation’s overall cyber security posture vs an adversary.

Maturity level three 
The focus of this maturity level is adversaries who are more adaptive and much less reliant on public tools and techniques. ML3 signifies an established set of cyber security capabilities and an advanced cyber security posture.

Validating your maturity level and taking the right next steps…

Following the 2019-20 Australian Government Budget review and a commitment to support a whole-of-government cyber uplift, including a Critical Infrastructure Uplift Program offered to critical infrastructure owners, there has been a notable increase in the number of organisations looking to improve their cyber security defences.

Unfortunately, there are no short-cuts to security and the Essential Eight are only the tip of the iceberg. Meeting your compliance obligations and ensuring you have the necessary defences in place to both prevent and mitigate cyber security threats should be worked on hand in hand.

Before investing in technology, tools or resources, you should first assess your cyber security posture to determine your current state and seek to fully understand the risks based on your organisations profile.

NRI’s Essential Eight services are designed to help organisations obtain a holistic view of their business and look beyond the ‘check-box’ compliance requirements to highlight any additional risks and areas for enhancement.

Our services help identify what level of maturity an organisation is at; determine a target maturity level based on the risk profile, and if required, can help to develop a strategy and roadmap for achieving the desired security posture.

How NRI can help

When you know you’ve got the right security capabilities and processes in place, you’re free to innovate confidently.

For many years now, we’ve worked with Government agencies, commercial organisations and infrastructure providers alike to uphold that gold standard of security.

Our experience protecting the most complex, and critical environments, and our partnerships with leading security vendors, means we’re able to protect data, availability, integrity and confidentiality – while adhering to the strictest of security and compliance protocols.

More on our Security capabilities