The Essential Eight Maturity Model sets mitigation strategies for organisations to follow to protect themselves against cybersecurity threats. The Australian Signals Directorate (ASD) has announced updates to the model following its assessment of the average time taken by malicious actors to exploit vulnerabilities.
The Essential Eight is categorised into three maturity levels. An organisation must assess how likely it is to be targeted, and how severe the consequences of a breach would be, to determine which maturity level applies to it. Each successive maturity level provides stronger protection and is intended for organisations facing greater consequences from a cybersecurity breach.
The updates to the Essential Eight affect:
- Patch applications and operating systems
- Multi-factor authentication
- Restrict administrative privileges
- Application control
- Restrict Microsoft Office macros
- User application hardening, and
- Regular backups.
Changes include an increased focus on higher-priority patching scenarios, particularly applications that interact with untrusted content from the internet. The patching timeframe for these applications has been tightened from within one month to within two weeks. Conversely, patching of operating systems has been rebalanced from within two weeks to within one month. Additionally, the changes address weaker forms of multi-factor authentication that rely on biometrics, security questions or trusted signals, none of which are recognised as valid authentication factors within standards, and now specify the types of authentication factors to be used for multi-factor authentication.
Organisations should be aware that the updates have different effects depending on the maturity level they are targeting.