Government To Mandate Essential Eight Mitigation Strategies


The Australian Government is set to change course and mandate a prioritised list of cyber mitigation strategies known as the Essential Eight for all 98 non-corporate Commonwealth entities (NCCEs). This follows several years of the Government declining to do so, citing a lack of cyber maturity across the entities.

The mitigation strategies, developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), are a prioritised list designed to defend organisations against cyberattacks.

According to the ACSC, the Essential Eight equips organisations with a baseline to counter attacks. The strategies range from configuring Microsoft Office macro settings to block macros from the internet, to restricting administrative privileges to operating systems.

Currently, NCCEs are required by the Protective Security Policy Framework (PSPF) to implement just four cyber mitigation strategies. A recent Australian National Audit Office report found NCCEs have implemented these top four strategies with varying degrees of effectiveness.

Despite this, the Australian Government revealed it is now willing to update the PSPF to incorporate the Essential Eight mitigation strategies. In a response to the Joint Committee of Public Accounts and Audit’s inquiry into an Auditor-General’s report on cyber resilience, the Attorney-General’s Department advised it is receptive to mandating the Essential Eight cyber mitigation strategies.

Examples of NCCEs include the Department of Finance, the Department of Parliamentary Services, the Australian Bureau of Statistics, and the National Blood Authority.

The proposed mandating of Essential Eight strategies across NCCEs received a mixed response from cybersecurity experts. Matthew Lowe, Area VP at software company Ivanti, said mandating was an important step forward.

“The decision to mandate the Essential Eight across all non-corporate Commonwealth entities demonstrates a commitment to protecting our cyber assets in the same way we defend our physical borders.”

While the Essential Eight mitigation strategies may become compulsory for NCCEs, other organisations and businesses are also receptive. A recent Ivanti survey of Australian CISOs revealed that 100% of respondents intend to align their cybersecurity efforts with the Essential Eight within the next 12 months.

But Simon Morse, Technical Director of Security at Versent, said a national approach to cybersecurity was needed, rather than just focusing on NCCEs.

“It is only one step towards good cybersecurity defence for the nation as a whole. With reliance on privatised critical infrastructure, state and local government bodies, and federal corporate entities, it is also crucial to get the required breadth of coverage.”

Jacqueline Jayne, Security Awareness Advocate at KnowBe4, says the Essential Eight fails to cover human factors. Jayne argues the Essential Eight should be the Essential Nine.

“What is missing is the human aspect of mitigation. In a recent Stanford and Tessian study it was reported that 88% of data breaches are caused by human error. There is strong evidence to support an update from the Essential Eight to the Essential Nine with the ninth element being the human element.”

While expressing a willingness to implement the Essential Eight in its inquiry response, the Attorney-General’s Department declined to provide a timeline or any framework for doing so.