Ben Love [00:00:01]:
Hello and welcome to this executive briefing on the essential eight cybersecurity maturity model my name is Ben Love. I am the founder and managing director of Grassroots IT. We are a technology consulting and managed services firm working with clients across Australia and New Zealand. Our mission is to help our clients to leverage technology to solve problems and to deliver meaningful results. And we work across three practice areas, IT, cybersecurity and digital today’s agenda we’re going to be talking about the essential eight cybersecurity maturity model. We’re going to start with touching on what the essential eight actually is, and then we will talk about why the essential eight matters, why you should even be here. We will get into a bit of detail following that on what the eight strategies are, and then move on to the maturity model piece of the discussion around the three maturity levels, and finally, we will wrap up with some discussion around implementation within your own organization. So what is the essential eight? The essential eight was developed by the Australian Cybersecurity center, or the ACSC, in 2017 and has been updated frequently since. The ACSC is part of the australian government sitting underneath the Australian Signals Directorate, and leads the australian government’s efforts to improve cybersecurity, both within government but also more broadly across Australia. In the course of their work protecting the australian government, the ASCS has developed 37 prioritized strategies to mitigate cyber incidents. Now, these strategies, they’ve subsequently published for broader use. The strategies are practical, proven and recommended for organizations of all types. And of course, very important for today’s discussion, eight of these 37 strategies are prioritized as being essential. Before we do go much further, though, I do just want to briefly touch on another cybersecurity framework, which you may hear about, and that’s the NIST, or the NIST cybersecurity framework. So, starting with looking at some key points around the essential eight maturity model, the essential eight has been developed here in Australia by the australian federal government. It is very prescriptive in its actions. In fact, it forms something of a technical checklist that you can implement to improve your cybersecurity posture. The essential eight really should be thought of too, as a minimum baseline for your cybersecurity efforts. The NIST, on the other hand, has been developed by the american federal government, the US federal government, that is, it is very non prescriptive in its approach. It maps across various regulatory frameworks and really does form more of a full cybersecurity strategy framework. So the question, of course, may be asked, which one should you use? Well, my first point there is that these two frameworks, these two models, are not, in fact, mutually exclusive. They do work side by side together quite happily. If you are an organization which is quite mature and advanced in your cybersecurity efforts, if you have more resources at your disposal, or if you do identify that you need to have a far more complete cybersecurity strategy across the organization, then the NIST cybersecurity framework may be a good thing to move towards. For everybody else, the essential eight maturity model is a fantastic place to focus your efforts to improve your cybersecurity stance and maybe get you started from a lower baseline or lift your baseline up to even a level, or level two or level three maturity, which we’ll touch on shortly. I will make the point now, though, that the essential eight should be thought of as a minimum baseline. As I mentioned before, there are 37 strategies all up that the ASCs has developed, and there’s a lot of other work outside of even those 37 strategies that is important to a full and complete cybersecurity strategy. It so why does the essential eight matter to you as a leader, and, of course, to your organization? The first point I’ll make is that cybersecurity is a board level responsibility. So directors and business leaders have many responsibilities to the organization, including a general responsibility to manage risk. And that risk does indeed extend out to providing a safe work environment for staff, and providing a safe cybersafe environment for staff is part of that obligation. Leaders also have an obligation to protect.

Ben Love [00:05:47]:
Shareholder value, and I would argue that.

Ben Love [00:05:51]:
One of possibly the biggest threat to shareholder value that we face at the moment really is the risk of a cyberattack.

Ben Love [00:06:00]:
In response to all of this, the.

Ben Love [00:06:03]:
Essential eight can be considered as solid evidence of taking reasonable steps towards addressing those risks. The second point to consider is that the cost of a security incident can be significant. There is, of course, the risk of direct financial loss. If that is the type of activity that the malicious actors are focused on. There is almost always loss due to disruption of business operations. Very good example of that. A very high profile example of that was Australia’s toll group, who suffered multiple extremely disruptive cybersecurity breaches in 2022 that really disrupted their operations in a very, very significant and fundamental way for an extended period of time. Toll Group posted a $1.1 billion financial loss in 2022. That probably can’t all be put down to the cyber incidents because there was also a pandemic happening at the time. But it’s fair to say that a significant portion of that was in fact due to those very severe and prolonged cyber incidents that they suffered. Reputational risk is a very real thing to consider in these situations as well. Two very high profile examples. Again, both Optus and Medibank here in Australia have suffered very high profile breaches in the last couple of years, and there has been a significant negative impact on the reputation of both of those organizations because of that. And finally, the cost of remediation. Simply recovering from a security incident can be a very expensive and prolonged exercise. I read something actually just this morning on the medibank breaches there, that they are taking a $45 million charge to their books for it changes to recover and improve their systems from their recent security breaches. I will also make just a side note here around cyber insurance. Now, I won’t talk about cyber insurance today, but it is certainly something that I would encourage you as business leaders to make sure that you are looking to understand. My next point here is that government and corporates are really starting to actively push cyber compliance down through their supply chains. Now, over the last few years, we have seen a number of supply chain attacks where organizations have been breached not directly, but via one of their supply chain partners. So this is obviously a pretty terrifying prospect for all of us, I think. And in a response to that, we are certainly seeing organizations pushing that responsibility for compliance further down their supply chains. So I would suggest that if you haven’t started seeing that in your commercial dealings, it is only a matter of time before you start to start to see that happen. And really, these supply chain partners are looking for some indication, some confidence that your own cybersecurity measures are really up to scratch. And the essential eight can be a very good way of demonstrating that. My final point, really, is that the essential eight provides a well tested, broadly recognized framework for improving your cybersecurity posture, but also for being able to communicate and demonstrate that to a broader audience, to your clients, to your suppliers and your supply chain partners. As a business leader, you don’t need to be a security expert to have confidence in the direction that your cybersecurity efforts are taking. If you do choose to use the essential aid model, you will be able to have that confidence that you are putting your resources where they will have a positive impact, and they will be recognized as such. All right, let’s get a little bit down into some details, and let’s touch on what the eight mitigation strategies within the essential eight actually are. Now, of course, just a reminder, the ASCS has developed 37 of these and we’re only talking about eight of them today. The first of the strategies is application control. So this is really controlling what applications can and can’t run on your environment. Application patching, keeping your applications on the latest versions, and keeping all of those updates and patches that are released installed across your fleet. Microsoft Office macros so macros are really a way of automating various actions within the Microsoft Office app, such as Word and Excel. They are also an extremely effective attack vector for malicious actors to use. So controlling that particular potential weakness in your organization, it’s part of the essential aid here. User application hardening is the process of locking down the applications that you do use to only those functions that are necessary. Restricting admin privileges. This is very important. Most security breaches really either come in via administrative credentials that the malicious actors have somehow secured, or once they are in there, they then very directly seek to obtain those administrative credentials. So if we can restrict what admin privileges are available, who has them, how and when they’re used, and of course how they’re logged and controlled, then we can keep a much tighter rein on the keys to the kingdom, so to speak. Operating system patching is very important. I would add to that keeping our operating systems on whatever the newest versions are. So obviously in the world of Windows, Windows eleven is there now. Windows ten is still current, but also making sure that they are fully patched and updated. Multifactor authentication this is something that we have been banging on about for years here at grassroots it, and I can’t see us quietening down on this point anytime soon. Multi factor authentication, in my opinion, should be mandatory on every business application that we use. It is simply an extremely effective way of securing your systems. And finally, regular backups. Now, regular backups, we all should have those. The environment of backup has changed a little bit in the cloud world, the world of software as a service. But having those regular backups is still very important. It really does form the backstop, I guess if everything else truly goes pear shaped, you need to be able to rely on your backups to recover your business. So what we’re seeing on the screen.

Ben Love [00:13:37]:
There, these are the essential eight cyber.

Ben Love [00:13:42]:
Incident risk mitigation strategies that we really should all be implementing within our organization. Of the 37, these are the eight that have been prioritized as essential.

Ben Love [00:13:58]:
Um, let’s now move our discussion just.

Ben Love [00:14:01]:
A little step further to talk about the maturity of implementing those eight strategies in our organizations. Now, there are three maturity levels that I’m going to talk about today in the literature. There is actually a fourth maturity level, which is maturity level zero. That essentially means that you do not have any maturity. So I’m not going to dwell in on that one. For today’s discussion, we’re just going to look at maturity levels one, two, and three. Now, the first thing that really needs to be understood about these maturity levels is that they are based on mitigating increasing levels of adversary tradecraft. In plain English, what that means is that these increasing levels of maturity will help block more and more sophisticated hackers. So if we are dealing with relatively unsophisticated hackers, and that is the level at which you would like to protect your organization, level 1 may be sufficient. If you identify the need to protect your organization against more sophisticated attackers. You may need to look at levels two or three. So let’s dig into this just a little bit. Level one is what I call opportunistic. Our adversaries at level one are really looking for any victim. They’re seeking weaknesses in many mega knee targets. They cast a wide net, or they spray and prey. They use very common tradecraft, so they use very common software, very common tools, techniques, and strategies to gain access to your network. Their general mode of operation is to try and trick your users into granting access to the systems. And then once they have got access, they are not very sophisticated actors, but they will have access to your systems. So they will get in there and they will potentially wreak havoc. But not with the most sophisticated of techniques. We move on to maturity level two. Our adversaries at this level are starting to get more selective. And by that, I mean they start to seek a certain profile of target. They have identified a particular profile of target which is more attractive to them for whatever reason that may be. That target may be based on a particular technology that you use. So, for example, a floor may be found in a particular Internet firewall. And our level two adversaries may then go and target all of the potential targets they can find using that firewall technology. Because they now know something a little bit more about that adversary, which is more attractive for their efforts. Or they may attempt to target certain industries. I mean, two industries that come immediately to mind are financial services and healthcare. Two industries that are particularly attractive to malicious actors. So at this level here, they are seeking a certain profile of target. They do tend to craft their attacks more carefully. They’re still using more commonly available trade craft. They are getting incrementally more sophisticated in the way they’re approaching this. But a key difference with our level two adversaries is that they are attempting to bypass security controls that you have in place. So they will actively seek to bypass your firewall, or to bypass your multifactor authentication, or to bypass any of these other security controls that you might have in place. That’s different to our level one actors who simply would come across a security control that you may have in place and not even bother trying to bypass it. They’re simply going to move on to the next victim. They find, because they cast such a wide net, they really are looking for the low hanging fruit at level one. Level two, starting to commit a little bit more resource, a little bit time, more time and energy to their attacks. If we move on to our level three adversaries, these are what I call focused. They really are focusing on specific targets. And by specific targets, I mean individual organizations. Here, for whatever reason, they will have identified a specific organization, and they have decided that it is worth their time, it is worth their money, and it.

Ben Love [00:18:43]:
Is worth their effort to try and.

Ben Love [00:18:47]:
Breach that particular organization. Once they are in there, they do tend to dig in deeper to the network. So there is always one chink in the armor somewhere that lets them in. But then, because we are dealing with far more sophisticated actors at this level, they are using less common trade craft, more zero day exploits, more advanced security knowledge of their own. Once they are through that little chink in the armor, they will then actively seek to move laterally and move across your network into other areas. They will seek to secure themselves more and more administrative privileges across multiple systems, and they will also start to cover their tracks. So by cover their tracks, I mean, they might be deleting log files here, they might be just tidying up behind themselves, which can make it a lot harder to identify that they’re in your system in the first place. But then, of course, once you are aware that they’re in there, it can be harder to work out where they are in your systems and what access they may have secured for themselves and what they’re actually doing there. Are they simply resting? Are they busy exfiltrating your data, copying your data off somewhere else, where they’re going to use it for other purposes? It can be harder to know with these level three adversaries because they are more sophisticated actors and willing to commit more time and money to really attacking the idiosyncrasies of a very particular target. So let’s move on a little bit now to implementation. So let’s say that you do wish to implement some level of essential eight maturity within your organization. The first step here is to identify the desired maturity level that you wish to aim for. So there’s a few things to factor in when you’re having this discussion. The likelihood of an attack increases with your desirability to the adversary. Now that may sound fairly self evident, but it is a very core and important consideration. I said before, financial services and healthcare are particularly attractive for various reasons. That would mean that the likelihood of attack against you if you are in financial services or healthcare is probably going to be a little bit higher than some other industries. You need to consider the consequences of an incident. So the potential consequences of an incident will depend on your unique requirements for.

Ben Love [00:21:31]:
The confidentiality of your data and for.

Ben Love [00:21:35]:
The availability and integrity of your systems. So let’s take those one at a time. Confidentiality of your data if you do collect client data. If you collect exceedingly private client data, such as financial or healthcare information, great examples here. You can imagine how Medibank felt when they were breached with a lot of very private client and patient data in their systems. If your requirement for the confidentiality of that data is higher, then the potential consequences of a security breach are also much higher. And the second point there regarding the integrity and availability of your systems. If you are a business that operates entirely online, and your computer systems are.

Ben Love [00:22:31]:
Compromised and disrupted and cannot function, then.

Ben Love [00:22:35]:
Logically your business will stop operating. So there is obviously a very high requirement that you have for the availability of your systems. If, on the other hand, your business can function quite happily for a couple of weeks without a computer turned on, then there would be less potential consequences from a system breach from that availability perspective. And finally, for each strategy that you look to implement, and there are eight of them obviously, that we’re discussing today, consider these things here. Consider the potential user resistance. By definition, a lot of what we’re doing when we are increasing cybersecurity for an organization is actually placing more restrictions on the systems and on the users and what they can and can’t do. There will inevitably be areas there that directly impact your users and change how they are able to work within your system. In some situations, you might get some resistance from users. We do still occasionally talk to companies who are nervous about implementing multifactor authentication across the board because they are worried about the pushback from their users, the pushback from their users having to type in that code to access their Internet banking or financial systems, or crms, or whatever the platform may be, that is potential user resistance. The other considerations are simply costs. Financial costs is what I mean. Here. So some of the strategies may have an upfront cost to implement and some of them may have an ongoing cost to maintain input and put those things in place. And a simple example of that is that for some of the strategies to implement them effectively, you will need certain software to be installed and configured on your network in order to enforce those various security strategies. Now that software will have an implementation cost because there is time and labor and consulting and whatever to actually put that in. And then there is usually an ongoing licensing cost to have that software in your network.

Ben Love [00:24:51]:
You the next item of guidance for.

Ben Love [00:24:53]:
Implementing some level of essential aid maturity within your organization is to implement each maturity level in turn. So by that I mean assuming we are starting at a level zero and let’s say we wish to lift our organization to a level two maturity, the approach to that should be that you lift your organization to a level one.

Ben Love [00:25:16]:
Maturity across all eight strategies first, and.

Ben Love [00:25:21]:
Then you lift your organization from a level one to a level two maturity across all eight strategies. The reason really is that these eight strategies do work together. They do work in tandem to provide a superior security perimeter for your organization. So simply lifting one or two of those to a higher level and leaving the other ones behind you really are missing out on a lot of the value that considering all eight strategies together can offer. The final point that I am going to share with you today speaks about evidence quality. Now, the essential eight is a self assessed maturity model. So when you are assessing your maturity, or of course maybe working with a consultant to assess your maturity, it’s important that you do consider the quality of the evidence that you are bringing to that discussion.

Ben Love [00:26:16]:
We can consider four levels of evidence for this process.

Ben Love [00:26:22]:
Starting on the left, we have poor quality evidence. This might be a policy or some verbal statement of intent. Fair quality evidence is reviewing a copy of a system configuration, such as a screenshot, for example, of some settings within your environment which demonstrates how the system is configured. Good quality evidence would be a direct review of that system configuration, and excellent.

Ben Love [00:26:51]:
Evidence quality is where we can test.

Ben Love [00:26:55]:
With a simulated activity of some sort to truly prove and demonstrate that those security strategies are in place and are having the impact that we expect them to be having. Now, the point I will make across all of these is that the higher the quality of evidence that you would like, the more it will cost to gather that evidence.