All You Need To Know About The Essential Eight Maturity Model

Hammam Bakr
April 27, 2022


With Australian organisations encouraged to urgently adopt an enhanced cyber security posture, organisations should ensure regulatory compliance and put in place mitigation strategies against cyber-attacks, as well as be prepared to identify and respond to cybersecurity incidents. Whilst no mitigation strategy can offer full security against all cyber threats, it is recommended to implement eight essential mitigation strategies from the Australian Cyber Security Centre (ACSC).

The Essential Eight (E8) is an Australian cyber security framework by the Australian Signals Directorate (ASD) aimed at protecting Australian businesses. The E8 is a prioritised subset of the ACSC’s Strategies to Mitigate Cyber Security Incidents and outlines the eight most necessary mitigation strategies. As a benchmark and widely used guideline, the Essential Eight helps businesses to mitigate cybersecurity incidents and make it more difficult for cybercriminals to compromise systems.


Compliance with the Essential Eight mitigation strategies helps reduce the risk of malware delivery and execution, limit the extent of cybersecurity incidents, and recover data and system availability. The following outlines briefly each of the eight mitigation strategies along with their rationale:

  1. Application Control

The first, and arguably most important, of the eight defined strategies aims to prevent the execution of unapproved/malicious programs. Following initial access through methods such as phishing, the execution of programs including .exe, DLL, scripts, and installers is associated with a considerable number of threats. Appropriately configured application control helps to stop the execution of such software, regardless of how it got there.

  1. Application Patching

Another common method of initial compromise leverages weaknesses in applications that are accessible to the external internet. That being said, most software vendors provide updates and patches for publicly identified vulnerabilities. Businesses should use the latest versions of applications and patch all applications that are public-facing, including server applications and web server software that store important data. ACSC guidance is available for a risk management approach to applying patches based on the severity of security vulnerabilities. Unpatched security vulnerabilities in software which are considered ‘extreme risk’, can be exploited by cybercriminals through execution of malicious code resulting in significant consequences for any business.

  1. Configure Microsoft Office Macro Settings

Adversaries often use Microsoft Office macros in an attempt to run malicious code while avoiding standard email content filtering and application control. To avoid this, businesses should configure Microsoft Office macro settings to block macros from the internet. This way, only vetted macros in trusted locations, with limited write access or with trusted certificates will be allowed. It is strongly recommended to implement the macro security configuration settings through Microsoft Group Policy to prohibit end users from altering them to run a malicious or unapproved macro.

  1. User Application Hardening

The ACSC advises hardening end-point systems by locking down, uninstalling, and disabling unrequired features. Web browsers should be configured to block Flash, internet advertisements, and untrusted Java code. Meanwhile, unnecessary features in Microsoft Office, web browser, and PDF viewers should be disabled. As well as reducing the attack surface, application hardening helps to prevent adversaries from using malicious content to evade application control and patching.

  1. Restrict Administrative Privileges

Adversaries and cybercriminals use accounts with administrative privileges to gain access to information and systems, so the consequences of a compromise are greatly reduced if users have low privileges. Administrator privileges should be restricted based on user duties, with regular audits to revalidate them. In addition, privileged accounts shouldn’t be used for activities outside their intended purpose, such as reading emails or web browsing.

  1. Patch Operating Systems

Security vulnerabilities in operating systems can enable adversaries to elevate their privileges and further compromise systems. The ACSC advises that all computers, including network devices, with ‘extreme risk’ vulnerabilities, should be patched or mitigated within 48 hours. The latest operating system version should be used at all times as they typically incorporate additional security technologies i.e., using a 64-bit version of Microsoft Windows instead of a 32-bit version. You can refer to the implementation guidance used for “Application Patching”

  1. Multi-Factor Authentication

Multi-factor authentication (MFA) can make it significantly harder for cybercriminals to gain access by adding more steps to the authorisation process. MFA is essential for VPNs, RDP, SSH and other remote access capabilities as well as for all users when they perform privileged access or access an important data repository. Different types of MFA tools include a physically separate token, smart card, and/or a software-based certificate. It is recommended that you evaluate the most secure option for your organisation depending on its use and implementation.

  1. Regular Backups

Regular backups and a proven data restoration process are vital to ensure data can be accessed and recovered after a cybersecurity incident. The ACSC recommends regular backups of important data, software, and configuration settings, with offsite or disconnected storage and retention for at least three months. Having backups stored offline ensures cyber threats such as ransomware can’t encrypt, corrupt, or delete backups as it is not easily accessible. The backup process should also be tested annually and whenever there are significant IT infrastructure changes.

For more in-depth information and mitigation guidance on these strategies, click here.


To support the implementation of The Essential Eight, The Essential Eight Maturity Model helps organisations to identify a target maturity level that is suitable for their environment. Businesses should then progressively implement each level across all eight mitigation strategies until that target is achieved. To assist in implementation, four maturity levels have been defined:

Maturity Level Zero - this level signifies that there are weaknesses in an organisations’ overall cybersecurity posture that could facilitate the compromise of the confidentiality of their data or the integrity or availability of their systems and data.

Maturity Level One - the main focal point of this level are cybercriminals who opportunistically seek common weakness in multiple targets rather than focusing on one specific target. They employ common techniques to trick users into weakening the security of a system and then launch malicious applications.

Maturity Level Two - this level focuses on cybercriminals with increased capabilities from level one. Attacks will be more targeted and will use advanced tools to bypass security controls. Tools and techniques in their arsenal include compromising credentials using phishing, implementing technical and social engineering to bypass weak MFA.

Maturity Level Three - this level are cybercriminals who are more sophisticated and do not rely on conventional tools and techniques. They exploit weaknesses in their victim’s security posture to amplify their access, avoid detection, and gain a strong foothold on the system. Generally, cybercriminals will concentrate on particular targets and are willing to invest time and effort into bypassing particular policies and controls.

It’s worth noting that, while the aim should be to reach Maturity Level Three, it does not guarantee that this will not prevent those willing and able to invest enough time, money, and effort to compromise your business. Organisations should still consider the remainder of the mitigation strategies to further bolster their security.

If you like to find out more detail on the requirements for each Maturity Level, click here.


The Essential Eight is an excellent resource and framework that all businesses should reference. Whilst it doesn’t guarantee to protect against all threats, it does outline a minimum set of preventative measures, which organisations should build upon to protect their environment. We strongly advise that organisations review the Essential Eight and prioritise closing any lingering gaps in their Essential Eight maturity. Cyber security awareness is an essential part of maturity level development. If your staff need training in cyber security awareness, our passionate experts can help.

If you would like to conduct a maturity assessment against the Essential Eight, contact the Infotrust team today.