ACSC Essential Eight

What is the ACSC Essential Eight?

The Australian Cyber Security Centre (ACSC) recommends eight essential strategies to prevent malware delivery, limit the impact of cybersecurity attacks and improve recovery. Released in 2017, the Essential Eight is an evolution of the Australian Signals Directory’s (ASD) Top Four recommendations.

The Essential Eight strategies cover:

  1. Application Control 
  2. Application Patching
  3. Restrict Administrative Privileges
  4. Patch Operating Systems
  5. Configure Microsoft Office Macro Settings
  6. Using Application Hardening
  7. Multi-Factor Authentication
  8. Regular Backups

The ACSC Essential Eight can mitigate up to 85% of data breaches1.

What is the ACSC maturity model?

The new ACSC Essential Eight maturity model became available in July 2021, giving Australian organisations guidance as to how to implement the ACSC Essential Eight strategies. The maturity model uses a scoring system from 0-3 to help you identify what your organisation’s security posture is and the logical next steps to enhance your defenses.

Previously, organisations were left to cherry-pick strategies from the Essential Eight, but the current model prioritises implementing all eight as a package because of their complementary attributes and broader focus on the evolving threat landscape.

We’ve put together the following blog series to walk you through adopting the maturity model for each of the Essential Eight strategies:

  1. Application Control
  2. Application Patching
  3. Configure Microsoft Office Macro Settings
  4. User Application Hardening
  5. Restrict Administrative Privileges
  6. Patch Operating Systems
  7. Multi-Factor Authentication
  8. Regular Backups

eBook | The Essential Eight Explained

Authored by an Information Assurance Specialist at Data#3, this collection of works deep dives into the practical actions organisations can take to stay secure in an era of ever-changing threats.


Essential Eight Assessment

Using the ACSC recommendations as a framework, Data#3 has built an Essential Eight Assessment to help organisations understand and improve their security posture.

Learn how to leverage your existing Microsoft and Cisco investments to execute an Essential Eight security strategy.

What is an Essential Eight Assessment?

The Essential Eight Assessment is a 5-day engagement, conducted by a Data#3 Information Assurance Specialist, including up to 2 days spent onsite with the customer. The audit will help you understand your current security maturity and defensive posture, in alignment with the ACSC Essential Eight.

The engagement will begin with a discovery session to understand your business, technology environment and key objectives. Technical workshops will follow, focusing on application whitelisting, patching applications, patching operating systems, multi-factor authentication, managing administrator rights, daily backups, managing Microsoft Office macros and application hardening.

The Data#3 Information Assurance Specialist will gather data and analyse your adoption of each of the above controls. Detailed findings will be compiled into a report providing evidence of your current security state, as well as expert recommendations for optimisation. A high-level roadmap will be shared outlining the projects recommended to be undertaken, indicative costs, timelines and the recommended software, hardware and services required. The report will be shared with you for review, followed by a presentation lead by the assessor to discuss your results in-depth.

What will you achieve?

  • Gain clear insight into your defensive posture and best practice advice for an integrated, Microsoft-based security platform.
  • Understand which tools, technical controls, business systems and people processes to implement in order to mature your cybersecurity practices.
  • Be confident that your organisation is protected using widely accepted mitigation strategies.
  • Improve your cybersecurity policies and procedures, including the governance of information systems throughout the enterprise.
  • Standardise on one integrated platform, understand its full functionality, simplify your security stack and get better use of your currently investments.
  • Eliminate the unnecessary costs of point products that often overlap in functionality.
  • Simplify your team’s training and product knowledge requirements.
  • Increase efficiency and save valuable IT time and resources, with less systems to manage, fewer risks, faster detection of threats and enhanced ability to action remediation for a faster recovery.
  • Discover and identify your gaps and overlaps, and learn how to secure them with administrative and technical controls.
  • Ensure compliance with business and industry information security requirements leveraging the wealth of proactive controls in the Microsoft platform.
  • Assist in achieving compliance with industry standards such as ISO27001, NIST and PCI.

Secure the Modern Workplace with Microsoft

The Essential Eight Adoption Roadmap will provide insightful and actionable information regardless of your security strategy or vendor mix. However, many controls needed to make an immediate difference and improve your cybersecurity posture may be available via your existing Microsoft investments. By leveraging the Microsoft security portfolio across identity and access management, threat protection, cloud and network defense, information protection, endpoint security and compliance, you can achieve the desired results and reduce complexity in your environment.

Cisco Security Solutions Addressing the Essential Eight

“It’s a challenge for industry because you can get frustrated with MFA—we’re human, we like things easy.” – Doug Witschi, Deputy Director of Interpol, speaking on the Essential Eight during the Data#3 and Cisco Interpol Cybercrimes Webinar.

Cisco Duo, a leading multi-Factor authentication (MFA) solution, directly addresses four of the Essential Eight security basics. What differentiates Duo from other MFAs, is that it addresses these security pitfalls painlessly. With easy integration to other security solutions and limited disruption to modern work environments, Duo can be described as “easy.”

What Duo addresses:

  • Multi-Factor Authentication
  • User Application Hardening
  • Patch Operating Systems
  • Patch Applications

Layer Duo with other Cisco security solutions, such as Cisco Umbrella and Cisco SecureX, for a comprehensive security architecture that addresses all eight of the security foundations, in any corporate environment.

Overcoming common security challenges

Implementing systems that minimise the impact of cyber incidents is crucial, but how do you know where your vulnerabilities lie, and which gaps to address first?

Do you know your weakest links?

How many security tools are you managing?

What is the status quo costing you?

It can be hard to find direction and know what best practice looks like when building a security strategy.

As an insider, it can be difficult to assess your environment objectively in order to identify risks. With limited time and resources, knowing where to begin and what to prioritise when building and implementing a security strategy can be challenging.

Threats are also constantly changing; it’s hard to keep up. In fact, 70% of today’s malware is customised to the targeted organisation2.

Many businesses have adopted ‘productised’ security solutions that often overlap with each other or leave gaps in your security stack. These point solutions lack the integration with your broader IT environment to make sure your organisation is secure.

Managing security across many tools creates a complex environment, which only creates more room for error.

With so many systems to monitor, it’s hard to notice the red flags amongst the many notifications in order to promptly remediate issues.

Customers without a standardised approach to security have a higher risk of attack, increased impact of attack and slower recovery. On average, it takes 281 days for an Australian organisation to identify and contain a breach3.

Breaches can incur financial and legal penalties for non-compliance. The average cost of an Australian data breach is $2.13 million3.

Compromised credentials account for 74% of data breaches, according to the Notifiable Data Breaches Scheme4.

Pro Tip: Have an external expert assess your environment to understand your security posture.

Pro Tip: Don’t over-engineer your security strategy – simplicity is the ultimate sophistication.

Pro Tip: Standardise your approach to security, to better manage your defensive strategy.

Data#3 for your best defence

Combining the experience of a dedicated strategic consulting team, as well as hands-on cybersecurity specialists, Data#3 has one of the most mature and highly accredited security teams in Australia. Leveraging a breadth of security solutions and a strong vendor portfolio Data#3 can help you design, implement and maintain superior security measures, tailormade to protect your business. Having conducted countless security assessments, we have developed a proven model to strengthen resilience, incident response and recovery.

As Microsoft’s largest Australian partner, and a Microsoft Gold Security Partner Data#3’s expert team are globally recognised as leaders in securing your environment with the Microsoft security portfolio. Additionally, as Cisco Security Architecture Specialists with Cisco Master Security Specialisation, Data#3 implements best-in-class Cisco security solutions.

Next Steps

Download The ACSC Essential Eight Explained eBook to learn more about the strategic controls.
Download a Solution Overview of the Essential Eight Adoption Roadmap Service.
Submit the form below to request a sample report of an Essential Eight Adoption Roadmap.
Contact us below to book an Essential Eight Adoption Roadmap.

Contact us here


Delivering the Digital Future, Securely

Cyber security challenges continue to evolve, compliance obligations increase and skills shortages stress your teams – what if we could…

ACSC Essential Eight Maturity Model: Regular Backups
Essential Eight Maturity Model: Regular Backups

In 2021, the Australian Cyber Security Centre (ACSC) updated the Essential Eight Strategies to Mitigate Cyber Security Incidents Maturity…

ACSC Essential Eight Maturity Model: Multi-Factor Authentication
Essential Eight Maturity Model: Multi-Factor Authentication

In 2021, the Australian Cyber Security Centre (ACSC) updated the Essential Eight Strategies to Mitigate Cyber Security Incidents Maturity…

ACSC Essential Eight Maturity Model: Patch Operating Systems
Essential Eight Maturity Model: Patch Operating Systems

In 2021, the Australian Cyber Security Centre (ACSC) updated the Essential Eight Strategies to Mitigate Cyber Security Incidents Maturity…

ACSC Essential Eight Maturity Model: Restrict Admin Privileges
Essential Eight Maturity Model: Restrict Administrative Privileges

In 2021, the Australian Cyber Security Centre (ACSC) updated the Essential Eight Strategies to Mitigate Cyber Security…

Essential Eight Maturity Model: User Application Hardening

On July 12, 2021, the Australian Cyber Security Centre (ACSC) updated the Essential Eight Strategies to Mitigate Cybersecurity Incidents…

Essential Eight Maturity Model: Configure Microsoft Office Macro Settings

On July 12, 2021, the Australian Cyber Security Centre (ACSC) updated the Essential Eight Strategies to Mitigate Cybersecurity Incidents Maturity…

Essential Eight Maturity Model: Patch Applications

By Information Assurance Specialist at Data#3 Limited On July 12, 2021, the Australian Cyber Security Centre (ACSC)…

1. The Essential Eight expand upon the ‘Top 4’ mitigation strategies, part of the Australian government’s Protective Security Policy Framework. The Australian Signals Directorate have stated that implementing the Top 4 mitigation strategies can prevent up to 85% of unauthorised intrusions.
2. Rainey, Larry B. (September 3, 2018) Engineering Emergence: A Modeling and Simulation Approach. [Online] Available at: https://books.google.com.au/books?d=DQlpDwAAQBAJ&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
3. IBM Security. (2019) Cost of a Data Breach Report. [Online] Available at: https://databreachcalculator.mybluemix.net/executive-summary/4
4. Office of the Australian Information Commissioner. (February 28, 2020) Notifiable Data Breaches Report July – December 2019. [Online] Available at: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2019/