Synopsis
The ACSC’s Essential 8 (E8) was first published in 2017 and has been updated several times since. It is based on real-world observations about the attack vectors and techniques that malicious actors employ. Now merged into the Australian Information Security Manual (ISM), the E8 controls provide a solid roadmap for organisations to substantially improve their security posture.
The eight topics are: patching applications, patching operating systems, multi-factor authentication, restricting administrative privileges, application control, restricting MS Office macros, user application hardening, and regular backups. When fully implemented, an environment will be able to withstand about 90% of the most common types of attacks.
Since security is a journey and must generally be taken in steps for operational as well as budgetary reasons, the E8 has defined Maturity Levels: ML0 to ML3. The November 2023 update of the E8 raised the bar substantially, with some strategic shuffling of controls within maturity levels and changes to how they are assessed. Additionally, the E8 assessor training program was rolled out.
It is no longer good enough to continue business as usual, or pick and choose from the controls. To put it straight: the baddies don’t care about what our priorities are! We must urgently mount up and get on with it, in every organisation.
Federal government aside, most states now also have an active E8 uplift program covering every agency. Increasingly, government tenders ask for E8, and it is expected that a blanket requirement for E8 (probably ML2) for companies contracting to government is not far off. Note that E8 is assessed on a company-wide basis, not per product or service.
After this firm attention grabber, you will want to be in this session and learn more: how is the E8 structured, how do the Maturity Levels work, and how can you literally level up? Achieving ML3 or even ML2 is not easy at all, but steady progress is good and the sooner we start, the sooner we’ll get there.