Australia will finally mandate Essential Eight security compliance

After a spate of cyberattacks and more than three years after a parliamentary review called a mandate “critical”, the federal government is preparing to act.


After years of inaction, a surging cybercriminal threat has finally pushed the Australian government to follow states’ lead by progressing plans to force its 98 noncorporate Commonwealth entities (NCCEs) to comply with the Australian Signals Directorate (ASD) Essential Eight strategies for mitigating cybersecurity risk.

Introduced in February 2017 to expand on the well-regarded Top Four mitigation strategies with which all NCCEs must comply, the Essential Eight have been positioned as a paragon for organisations seeking to strengthen internal cybersecurity controls—yet review after review has shown that adoption of either strategy by companies and government agencies remains low.

Noting that it was “most concerned” about poor compliance, a 2018 parliamentary committee review recommended that the Essential Eight be mandated for all government entities by June 2018 “as a matter of best practice and critical to enhancing the Commonwealth’s cyber posture as a whole”.

That committee noted “the importance of entities being able to recover from a cyberattack and that backing-up data, which is one of the Essential Eight, is key to being able to quickly recover.”

The Essential Eight, it added, “reflects good practice, which should anticipate a successful attack and/or a system failure that in turn requires a focus on high system availability, system recovery and data recovery as essential elements of a back-up strategy.”
