Today’s rapidly evolving digital world requires organizations to build a robust cybersecurity plan that safeguards internal infrastructure and oversees the cyber health of third-party vendors. The Essential Eight is a cybersecurity framework developed by the Australian Signals Directorate (ASD) to help organizations protect themselves against a broad range of cyber risks.
While the Essential Eight is not directly related to third-party risk, the mitigation strategies outlined within the framework can be applied to third-party interactions, enhancing an organization’s cybersecurity posture across their internal and external attack surfaces. Read on to better understand the Essential Eight and how your organization can implement mitigation strategies for third-party relationships.
What is the Essential Eight?
The Essential Eight, first published in 2017 by the Australian Cyber Security Centre (ACSC), is a baseline of eight of the mitigation strategies drawn from the ACSC’s broader “Strategies to Mitigate Cyber Security Incidents”, selected because they address the most common intrusion techniques.
The ACSC designed the Essential Eight to protect Microsoft Windows-based, internet-connected networks, but its controls can also be applied to cloud services and other operating systems. Keep in mind, however, that more effective mitigation strategies may be available for specific operating systems with their own threat profiles.
Mitigation strategies are cybersecurity practices, tools, and policies designed to reduce the risk of a cyber attack and protect an organization’s information security from data breaches or unauthorized access. These strategies aim to limit and manage damage caused by cyber incidents while safeguarding digital assets, networks, and data.
Because the Essential Eight is a framework rather than a regulation, most organizations face no legal requirement to implement its mitigation strategies and no penalties for non-compliance (Australian Government entities are the exception: the Protective Security Policy Framework mandates the Essential Eight for them). The framework is nonetheless strongly recommended by the ACSC, and its practical, foundational controls apply equally well to organizations outside Australia.
Essential Eight Mitigation Strategies
The core of the Essential Eight is eight mitigation strategies, grouped under three broad objectives.
Objective 1: Preventing Cyber Attacks
- Application Control: Organizations should allow only approved applications to execute, which prevents malware and unapproved software from running. The control should cover both endpoints (e.g., workstations) and servers.
- Patch Applications: Organizations should promptly install patches for all applications to close known vulnerabilities that attackers could exploit.
- Configuring Microsoft Office Macro Settings: Organizations should limit macro execution to trusted macros only and block macros in documents that originated from the internet, preventing macro-based malware delivery. The maturity model also expects antivirus scanning of macros, for which Microsoft Defender is commonly used.
- User Application Hardening: Organizations should configure web browsers and Microsoft Office to block unnecessary and potentially malicious content (e.g., Flash, Java, web advertisements), minimizing the attack surface exposed by user-facing applications.
Objective 2: Limiting the Impact of Cyber Attacks
- Patch Operating Systems: Organizations should regularly update operating systems to protect against known vulnerabilities and enhance security.
- Restricting Administrative Privileges: Organizations should apply least privilege so that users hold only the minimum access needed to do their work, issuing privileged and administrator accounts only where genuinely necessary.
- Multi-Factor Authentication: Organizations should require at least two forms of user authentication before granting access, protecting sensitive data and the wider attack surface against unauthorized access.
Objective 3: Data Recovery and System Availability
- Regular Backups: Organizations should regularly back up important data to expedite restoration after a cybersecurity incident.
The Essential Eight Maturity Model
To help organizations implement the Essential Eight, the ASD also produced the Essential Eight Maturity Model. The model defines four maturity levels, each designed to counter a progressively more capable and targeted adversary. This lets organizations choose the level of tradecraft and targeting they need to withstand, rather than trying to name the specific malicious actors they aim to mitigate.
- Maturity Level Zero: This baseline level signifies weaknesses in an organization’s cybersecurity posture. If exploited, confidential data and system integrity could be compromised.
- Maturity Level One: At this level, malicious actors rely on commodity tradecraft that is widely available, such as public exploits for unpatched software, stolen credentials, and brute-force password attacks, to gain access to and control of systems.
- Maturity Level Two: Malicious actors at this level are a step up in capability and willing to invest more time and tooling in a target, for example by phishing for specific users’ credentials or circumventing weak forms of MFA.
- Maturity Level Three: At this level, malicious actors are more adaptive and less reliant on public tools and techniques. They exploit weaknesses in a target’s posture, such as outdated software or insufficient logging and monitoring, not only to gain initial access but also to evade detection and solidify their foothold.
Who Should Implement the Essential Eight?
The Essential Eight framework applies to organizations of all sizes and sectors. Any organization aiming to fortify its cyber defenses can utilize the Essential Eight, including government agencies, private sector companies, non-profit organizations, and any entity that manages and utilizes digital information and infrastructure.
Cyber threats are increasingly rampant, and no organization is immune. From ransomware to phishing and other malicious activity, small businesses, public sector entities, and large corporations are all targets. And because the Essential Eight originated from the ACSC does not mean it applies only to Australian organizations.
The Essential Eight is a dependable and strategic method of reducing cybersecurity risk, safeguarding critical data, and ensuring the availability of digital services. As digital operations and data management have become integral to modern organizations, following a proven cybersecurity framework like the Essential Eight has become essential for organizations of all sizes and scopes across global sectors.
Third-Party Risk Requirements and the Essential Eight
Third-party risk is any risk an organization faces when it works with external parties in its ecosystem or supply chain. These include vendors, suppliers, partners, contractors, and service providers that may have access to sensitive company data, systems, or processes.
Even if an organization has strong cybersecurity measures, like those outlined in the Essential Eight, third-party vendors may not have the same standards—creating vulnerabilities that malicious actors can exploit. The security controls outlined in the Essential Eight can be applied to third-party risk mitigation, as outlined below.
Application Control
Organizations using this mitigation strategy evaluate and allow only approved applications to run on their systems. This greatly reduces the chance that malware or unapproved software executes and leads to compromise or data theft. To apply it to third-party risk, ensure that only vetted and necessary third-party applications can execute in your environment, and that vendor tooling is covered by the same publisher- or hash-based rules as your own software (path-based rules are weaker, since any writable path becomes a bypass). Application allowlisting is the common implementation: only applications reviewed and approved by an IT administrator are permitted to run.
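As an added example that is not part of the original article, the following PowerShell builds an AppLocker allowlist from the software already installed on a reference workstation, deploys it in audit-only mode, and then checks how a vendor-supplied binary would be treated before enforcement is switched on. It assumes an elevated session on a Windows Pro/Enterprise host; the path C:\Vendors\Acme\agent.exe is a hypothetical third-party tool under review.

```powershell
# Added example (not from the original article): AppLocker allowlist in audit mode.
# Assumptions: elevated PowerShell on Windows Pro/Enterprise; C:\Vendors\Acme\agent.exe
# is a hypothetical vendor binary being vetted.
$policyPath = 'C:\Policies\applocker-audit.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory executables and scripts in the trusted install locations of a gold image.
$trustedRoots = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$files = foreach ($root in $trustedRoots) {
    Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe, Script
}

# 2. Prefer publisher (code-signing) rules and fall back to hash rules for unsigned files.
#    Path rules are deliberately omitted: a user-writable path would defeat the allowlist.
$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Vetted' -Optimize -IgnoreMissingFileInformation -Xml

# 3. Start in AuditOnly so gaps surface in the event log rather than as outages.
$doc = [xml]$xml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyPath)

# 4. The Application Identity service evaluates the rules; make sure it runs at boot.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Apply locally (use Group Policy or Intune for fleet-wide rollout).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 6. Ask the policy how a vendor binary would fare before anyone double-clicks it.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Vendors\Acme\agent.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 7. During the soak period, review what audit mode would have blocked (event ID 8003).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
```

A vendor tool that reports DeniedByDefault in step 6 needs an explicit publisher rule added (after the vendor’s signing certificate has been verified) rather than a path exception; once the 8003 events stop appearing for legitimate software, the EnforcementMode attribute can be changed to Enabled.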
Patch Applications
Regularly patching applications is one of the key frontline defenses against cyber attacks, as each patch closes vulnerabilities and reduces risk; the maturity model sets patching timeframes as short as 48 hours for exploited vulnerabilities in internet-facing services. But does your organization also ensure that software obtained from third parties is kept updated and patched? Run vulnerability scans regularly and update any application they flag, including vendor-supplied software, to reduce the openings malicious actors can take advantage of.
Configuring Microsoft Office Macro Settings
This mitigation strategy requires organizations to limit macro execution to trusted macros only. Macro-based malware from the internet can infiltrate an organization’s systems and cause serious damage, and organizations frequently exchange Office documents with third parties. Ensure that macros are blocked in any Office file that originated from the internet (i.e., carries the Mark of the Web), and that users cannot override the setting, to prevent documents from becoming a malware delivery channel.
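As an added example that is not from the original article, the PowerShell below enforces these macro settings through the Office Group Policy registry keys and then audits the result. It assumes Office 2016 or later (registry version 16.0), writes to the per-user Policies hive (HKCU\Software\Policies, which end users cannot edit on a managed host), and covers the Office applications that honor these keys; the function names are the example’s own.

```powershell
# Added example (not from the original article): enforce and audit Essential Eight
# Office macro settings via Group Policy registry keys.
# Assumptions: Office 2016/2019/2021/365 (version key 16.0); per-user Policies hive.
$officeApps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

function Set-OfficeMacroPolicy {
    param(
        # VBAWarnings: 3 = disable all macros except digitally signed, 4 = disable all without notification.
        [ValidateSet(3, 4)] [int] $VbaWarnings = 3
    )
    foreach ($app in $officeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null

        # Block macros in files carrying the Mark of the Web (downloaded or emailed from the internet).
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

        # Macro security level for everything else.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord

        # Trusted Locations silently re-enable macros; disable them unless a documented business need exists.
        $trusted = Join-Path $key 'Trusted Locations'
        New-Item -Path $trusted -Force | Out-Null
        Set-ItemProperty -Path $trusted -Name 'AllLocationsDisabled' -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    # Returns one row per application so drift can be spotted at a glance.
    foreach ($app in $officeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $sec = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $loc = Get-ItemProperty -Path (Join-Path $key 'Trusted Locations') -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                   = $app
            BlockFromInternet     = $sec.blockcontentexecutionfrominternet
            VBAWarnings           = $sec.VBAWarnings
            TrustedLocationsOff   = $loc.AllLocationsDisabled
            Compliant             = ($sec.blockcontentexecutionfrominternet -eq 1) -and
                                    ($sec.VBAWarnings -in 3, 4) -and
                                    ($loc.AllLocationsDisabled -eq 1)
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 3
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Use VBAWarnings 4 for users with no business need for macros at all, and 3 for those who require macros that your organization has signed with its own certificate; in either case, deploy the same keys via Group Policy or Intune so the setting is enforced fleet-wide rather than per machine.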
User Application Hardening
Organizations should configure users’ web browsers and Microsoft Office to block unnecessary and potentially malicious content. This minimizes the attack surface of user-facing applications by removing features such as Flash, Java, and web advertisements. The same hardened configuration should apply to any third-party user accessing the organization’s environment for the duration of the relationship, and those users’ permissions should be limited to what their role requires, with no access to risky functionality they do not need.
Restricting Administrative Privileges
A strong cybersecurity posture applies least privilege: users hold only the minimum access or permissions needed to accomplish their work. The same principle extends to third-party vendors. Grant third parties only the access required for their role, keep privileged access to a minimum, and where elevated access is unavoidable, issue it through dedicated accounts that are time-bound and revoked when the engagement ends. This limits the damage a compromised or careless vendor account can do.
Patch Operating Systems
Regularly patching operating systems protects them against known vulnerabilities and strengthens an organization’s overall security. An organization that relies on third-party managed devices should also verify that those devices run patched operating systems, especially where they connect to the organization’s network, so that an unpatched vendor device does not become the entry point for exploitation.
Multi-Factor Authentication
MFA is a simple and effective way to strengthen an organization’s access management and overall cybersecurity posture. Requiring at least two factors (something you know, something you have, or something you are) before granting access adds a further barrier against unauthorized access. Extend MFA requirements beyond employees to any third-party vendor accounts, and prefer phishing-resistant methods such as FIDO2 security keys or smart cards over SMS codes and push approvals, which attackers can intercept or fatigue users into accepting.
Regular Backups
If a cyber incident occurs, an uncompromised, recent backup lets an organization restore its systems quickly. Keep backups isolated from production credentials so that ransomware cannot encrypt or delete them, and test restoration regularly. When planning backups, include data shared with or managed by third parties, even if it is not hosted on your own networks, and confirm contractually how vendors back up and can restore your data. This safeguards against data loss from ransomware attacks, data breaches, and vendor outages alike.
How UpGuard Helps Your Organization Manage Third-Party Risk
Vendor Risk is our all-in-one third-party risk management (TPRM) platform for running your organization’s Vendor Risk Management processes. It lets you automate third-party risk assessment workflows and receive real-time notifications about your vendors’ security in one centralized dashboard. Additional Vendor Risk features include:
- Security Questionnaires: Automate security questionnaires with workflows to get deeper insights into your vendors’ security
- Security Ratings: Instantly understand your vendors' security posture with our data-driven, objective, and dynamic security ratings
- Risk Assessments: Let us guide you through each step, from gathering evidence and assessing risks to requesting remediation
- Monitoring Vendor Risk: Monitor your vendors daily and view the details to understand what risks are impacting a vendor’s security posture
- Reporting and Insights: UpGuard’s Reports Library makes it easier and faster for you to access tailor-made reports for different stakeholders
- Managed Third-Party Risks: Let our expert analysts manage your third-party risk management program and allocate your security resources