Eddie Mahdi

What you need to know about the ACSC’s update to the Cybersecurity Essential Eight

You may recall our previous article where we introduced you to the Australian’s Government’s Cybersecurity Essential 8 standards.

In this post, we discussed what the Essential Eight are, why they exist, and how you can use them to best protect your business against cyber-attacks online.

As of July 2021, the Australian Cyber Security Centre (ACSC) has made some important updates to the Essential Eight and provided further recommendations to help improve your business’ online protection protocols.

Here’s what you need to know about the new recommendations.


First, a quick recap of the Essential Eight

As the digital world expands, so too does the importance of good cybersecurity.

With the prevalence of digital and malicious attacks, it’s imperative to ensure that your business is fully protected across all of its online operations.

As a first line of defence, the ACSC puts forward what they call “The Essential Eight”, a list of strategies they recommend a business implements to bolster their digital security.

You can find a detailed explanation of the Essential Eight strategies in our previous post from February, but here’s a quick overview to get you up to speed:

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Office Macro Settings
  4. User Application Hardening
  5. Restrict Administrative Privileges
  6. Patch Operating Systems
  7. Multi-Factor Authentication (MFA)
  8. Daily Backups

By implementing these strategies and tailoring them in line with your business’ risk profile and requirements, you will be better prepared to deal with cyber threats both now and into the future.


So, what updates have the ACSC made to the Essential 8?

1.  Level zero maturity rating

In essence, nothing has changed in regard to the 8 strategies outlined above.

Rather, the update from the ACSC refers more to the maturity scale that they have published to help you measure your business’ alignment with each strategy.

Previously, there were three maturity levels within each strategy:

    • Level 1 – Partly aligned with the mitigation strategy (low compliance)
    • Level 2 – Mostly aligned with the mitigation strategy (medium compliance)
    • Level 3 – Fully aligned (highly protected)

As part of the update, the ACSC has now introduced a level zero maturity rating.

    • Level 0 – No alignment with the mitigation strategy (zero compliance)

While level one signifies that a business is partly aligned with the mitigation strategy, a level zero shows that the business has no alignment with the strategy. In fact, a level zero rating signifies significant weaknesses for the business within that strategy.

2.  Changes to the process between Essential Eight levels

The ACSC also withdrew their previous recommendation that a business should try to reach level three maturity level within each strategy. This has been replaced with the proposal that a business should aim to reach the same maturity level within each strategy before looking to move to a higher maturity level.

This is due to the fact that the recommendations made at each maturity level are designed to complement each other and work in unison, so applying different strategies at many different levels can still leave your cybersecurity management plan vulnerable to threats.

3.  Other minor updates

Other smaller updates include new recommendations to cease using IE11 at maturity level one and to ensure that patches are installed within two weeks of release, or 48 hours in the case of a breach.

The ACSC has also reiterated that the Essential Eight are recommended for use with Windows-based online networks, meaning that while the strategies can be applied to other environments, it is possible that alternative solutions may be better for your business if you find yourself in that situation.


What do these updates mean for your business?

These new recommendations have been made in anticipation of the ACSC making the Essential 8 mandatory for almost all federal government departments and agencies.

However, that does not mean that you shouldn’t take this opportunity to re-evaluate your cybersecurity strategies as well.

Understanding where your business sits on the maturity scale and aligning your strategies to work effectively together is paramount to ensuring your cybersecurity is maintained.


It’s time for an IT Health Check

At Centrix, we can perform a complimentary IT Health Check that allows you to assess your business’ cybersecurity service against these Essential 8 requirements. We scan your entire organisation’s systems to evaluate how secure it all is and provide recommendations on how to ensure you are fully protected.


Let Centrix take care of your cybersecurity needs

Centrix helps small businesses all the way up to corporate organisations succeed by managing, supporting, and protecting your critical IT infrastructure. With our extensive knowledge and expertise, our mission is to empower your whole team with comprehensive IT Service Packages, cybersecurity protection and Managed Services to see you thrive in today’s digital landscape.

We specialise in combining technology and staff training to safeguard your business against security threats.

To start, book an IT Health Check or contact us today.



Schedule a free consultation with a Centrix expert to ensure your data is safe and secure. No obligation – just peace of mind.

    Leave a Reply

    Your email address will not be published. Required fields are marked *