The Essential Eight: Strategies for Security for Commonwealth Government Agencies

By Cameron Abbott, Keely O’Dowd and Olivia Coburn

The Federal Parliament’s Joint Committee of Public Accounts and Audit, tasked with inquiring into the cyber resilience of certain Commonwealth entities, has recommended that all such entities adopt a cyber security mitigation strategy called the Essential Eight. The Committee made this recommendation in its Report 467: Cybersecurity Compliance Inquiry based on Auditor-General’s report 42 (2016-17) (Report). Tarantino’s Hateful Eight is perhaps a little more convoluted than these simple touchstones of good practice. The Essential Eight are good reading for all enterprises, not just government agencies.

The Essential Eight originally appeared in Strategies to Mitigate Cyber Security, a cyber security baseline document published by the Australian Signals Directorate (ASD) (the Department of Defence’s ICT security arm).

The Report also identified the hallmarks of a cyber resilient entity, notably that such entities demonstrate leadership culture and behaviours that prioritise cybersecurity. This means seeing cybersecurity as more than a box to be checked – organisations need to be proactive and go beyond compliance. This includes embedding security awareness as part of the enterprise culture. As we often encourage our clients, organisations need to see their staff as their first line of defence and ensure they are trained to prevent and respond to cyber security risks.

Summary of the Essential Eight:

  • Application whitelisting – to allow only selected software to run on computers;
  • Patch applications – to fix security vulnerabilities in software;
  • Disable untrusted Microsoft Office macros – to stop macros being used to download malware;
  • User application hardening – to block Flash, Java and web ads from delivering malware;
  • Restrict administration privileges – to stop adversaries from using accounts and accessing information and systems;
  • Patching operating systems – to fix security vulnerabilities in operating systems;
  • Multi-factor authentication – to make it harder for adversaries to access information; and
  • Daily backup of important data – to access data if a cyber security incident has occurred.

The first four strategies help prevent malware from running, while the last four limit the extent of incidents and help recover data.

