Australia will finally mandate Essential Eight security compliance

After years of inaction, a surging cybercriminal threat has finally pushed the Australian government to follow states’ lead by progressing plans to force its 98 noncorporate Commonwealth entities (NCCEs) to comply with the Australian Signals Directorate (ASD) Essential Eight strategies for mitigating cybersecurity risk.

Introduced in February 2017 to expand on the well-regarded Top Four mitigation strategies with which all NCCEs must comply, the Essential Eight have been positioned as a paragon for organisations seeking to strengthen internal cybersecurity controls—yet review after review has shown that adoption of either strategy by companies and government agencies remains low.

Noting that it was “most concerned” about poor compliance, a 2018 parliamentary committee review recommended that the Essential Eight be mandated for all government entities by June 2018 “as a matter of best practice and critical to enhancing the Commonwealth’s cyber posture as a whole”.

That committee noted “the importance of entities being able to recover from a cyberattack and that backing-up data, which is one of the Essential Eight, is key to being able to quickly recover.”

The Essential Eight, it added, “reflects good practice, which should anticipate a successful attack and/or a system failure that in turn requires a focus on high system availability, system recovery and data recovery as essential elements of a back-up strategy.”

After a surge in data breaches comes the Essential Eight mandate

Despite widespread high regard for the Essential Eight’s guidelines, the Morrison government has consistently declined to mandate its use—arguing in late 2017 that agencies didn’t have the cybersecurity maturity to do so, but paradoxically promising that it “will consider” such a move when maturity has improved.

Fast-forward to 2021, amidst an epidemic of data breaches, the government has finally signalled its readiness to push NCCEs harder.

In handing down its June response to a recent Joint Committee of Public Accounts and Audit (JPCAA) review of recent Australian National Audit Office (ANAO) reports, the Attorney-General’s Department (AGD) revived the debate about mandating the Essential Eight and indicated that it “will recommend an amendment to the Protective Security Policy Framework (PSPF) to mandate the Essential Eight”.

The change “reflects the ACSC’s advice that entities should progress maturity across all eight strategies that form part of the Essential Eight, rather than focusing efforts on a smaller subset like the Top Four, as this provides a greater level of protection.”

Recognising that the change “would have an impact on the entities required to implement it,” AGD has been consulting with NCCEs to better understand that impact, and the appropriate timeframe for implementation.

Nowhere left to hide: Putting the Essential Eight into practice

The years-long debate over mandating the Essential Eight reflects the ponderous process of moving the needle around government security—whose previous deference to agency autonomy has proven to be anything but effective.

Yet with the frequency and intensity of cybersecurity attacks continuing to increase—the newly released McAfee Labs threat report for June 2021, for one, noted a massive surge in attacks on public-sector targets during the fourth quarter of 2020 and a shift towards fewer, more-targeted ransomware-as-a-service attacks during the first quarter of 2021—the government seems to have accepted it can prevaricate no longer.

The backup strategies noted in the 2018 review have become critical to recovering from ransomware attacks, while the overall increase in attacks has reinforced the importance of the other key Essential Eight elements—including restricting administrative privileges based on user duties, using multifactor authentication for all privileged action or access to high-value data repositories, and patching operating systems within 48 hours when critical vulnerabilities are discovered.

Compliance with the Essential Eight is already mandatory in some state governments: Victoria, for one, recommends they be “implemented as a baseline where possible” while Queensland government departments must comply with the Essential Eight as part of that state’s Information Security Policy.

New South Wales agencies, for their part, are required to report annual maturity assessments against the Essential Eight by 31 August each year—along with a rundown of “cybersecurity risks with a residual rating of high or extreme” and a list of the agencies’ ‘crown jewels’.

This last requirement is proving complicated for many organisations—which, a recent Thales global data threat report found, often have little or no detailed understanding of where they are storing the data they need to protect. For example, just 23% of ANZ organisations know where all their data is stored, Thales found—doubly “concerning”, ANZ director for cloud protection and licensing activities Brian Grant said, because 47% of respondents said they were breached during the last year alone and half had failed compliance audits.

“We all know that the regulatory compliance requirements around data security and privacy, both globally and locally, will continue to tighten,” he said. “Seeing that a large number of organisations today don’t know where all their data is stored or have recently failed a compliance audit is concerning, as those are just the first steps to achieving effective cyber protection.”

Despite broad support for the Essential Eight, KnowBe4 security awareness advocate Jacqueline Jayne argued that the mandate was only an incomplete solution to today’s cybersecurity issues. “The Essential Eight includes only technological aspects of mitigation,” she said. “What is missing is the human aspect of mitigation. … There is strong evidence to support an update from the Essential Eight to the Essential Nine, with the ninth element being the human element.”

Cybersecurity frameworks from organisations like the US’s NIST “have acknowledged the importance of bringing education and awareness in relation to cybersecurity to all people within all organisations,” Jayne said. “Otherwise, it’s like locking all the windows, securing the back door with an alarm, installing a CCTV system, and leaving your front door wide open.”