The Essential Eight, turning crisis into opportunity
First published in February 2017 by the Australian Signals Directorate (ASD), the Essential Eight are a prioritised set of mitigation strategies to help organisations protect their systems.
While no single mitigation is guaranteed to prevent cyber security incidents, the measures are highly recommended because they're likely to mitigate up to 85% of targeted cyber security attacks, according to the Australian Cyber Security Centre (ACSC).
That alone seems like a pretty good reason to take cyber security seriously.
However, just last month it was reported that cyber resilience is still far too low across government. In fact, 73% of departments surveyed reported ‘ad hoc’ or ‘developing’ levels of maturity. The report doesn’t break down how ‘ad hoc’ or ‘developing’ translate to the three ACSC cyber maturity levels, but clearly there's work to be done.
The Essential 8 are only the tip of the security iceberg
The Essential 8 strategies are an absolute baseline for departments.
They’re a starting point and are referred to as the basics. They’re intended to provide guidance for departments wondering where to start. These basics are only a subset of the 37 current mitigation strategies to help organisations stay safe.
Yet security still appears to be an afterthought, even with the frequency of attacks and media attention reminding organisations of the risk. You may recall that some of the recent high-profile incidents against the Australian National University, the Department of Parliamentary Services, Victorian hospitals and Toll Group (as of writing, Toll Group has been hacked again) caused widespread damage, leading to significant financial, operational and reputational impacts. So the question is, why haven't we learned our lesson?
This is difficult to answer.
According to the report, departments do have a better awareness of cyber security and the potential impacts that successful cyber attacks can have on their organisation.
However, government departments continue to be resource stretched. Whilst cyber security risks are now well recognised (compared to a few years ago), the majority of departments are still allocating skeleton staffing to cyber security. Moreover, a large proportion of those teams do not have the skills, capacity, experience or playbooks to address cyber security incidents. But there’s also something even more worrying...
...most departments still don’t understand their own cyber security posture.
Against the operational challenges, the general lack of security ‘situational awareness’, and competing priorities, there is still a tendency to treat cyber security as a ‘checkbox’ exercise, i.e. to go through the motions to become ‘administratively’ compliant. This doesn’t equate to cyber resilience, nor does it bear the hallmarks of a truly secure entity.
So, perhaps the conclusion that can be drawn is that departments still see cyber security as a cost, a burden, rather than an investment - and this needs to change.
Existing security problems exacerbated by COVID-19
I understand the challenges.
Our Chief Information Officers and Chief Information Security Officers are constantly fighting battles for budgets, resources, and attention. Then COVID-19 occurred, placing more stress on our leaders and our departments, and sending them into panic mode.
But COVID-19 shouldn't have caught our leaders off guard. Pandemics, financial crises and wars have occurred in the past, and they’ll occur again in the future. Some departments will come out unscathed and others will have suffered major interruptions. Yet this should serve as a stark reminder to prepare for the worst, and to have plans for dealing with uncertainty.
COVID-19 has also highlighted that security needs to be entwined into the fabric of an entire organisation to create ‘defence in depth’. Security can’t be achieved by pressing a few buttons or wishing it so. There typically aren’t any quick fixes. Security programs require planning, attention to detail and continuous improvement, and aren’t ‘set and forget’ exercises.
Security requires commitment at the C-Suite, and support from all branches to drive holistic security and compliance across the organisation. This requires threading security into the business operating model – the people, processes, technology, metrics, governance and culture – to make any security programs worth their time and money.
The impact of doing nothing
Security does come with a cost. This comes in the form of resourcing, funding, leadership backing and a strategy to bring it all together. But security doesn’t need to be expensive, and the cost of doing nothing will end up being more costly when things go wrong.
If not enough is done around the Essential Eight, or progress isn’t meaningful, our national security will suffer, and the real victims will ultimately be Australian citizens.
That’s the reality.
I therefore lay down the challenge for government departments. Take accountability. Take action. Take honest, frank advice. Do something. Just don’t take a gamble.
There are no shortcuts to security and the Essential Eight are only the tip of the iceberg. The mitigation strategies are a ‘first line of defence’ for a rapidly changing security environment, and a commitment to cyber resilience is of critical importance to our national security.
For departments coming out of COVID-19 unscathed, consider this a lifeline.
You may not be so lucky next time.
Adam Misiewicz is an experienced cyber security consultant and the General Manager of Cyber Security at Vectiq - a Canberra-based services company.
Retired from Department of Defence
(4y) Perhaps the answer is because the Essential Eight, and ASD's list of 35 "things to do", did not address system design issues at all? "Principle based" or "risk managed" security is no help to system designers.
Senior Complex System Consultant in Business, Cyber, Security & Integration issues & opportunities.
(4y) Adam, like many initiatives of ASD, the Essential Eight and all their other schemes conceded to Agency pressures and avoidance of their legislated responsibilities for Government assets and information, established under the PGPA and PSPF structures. Otherwise, you will just continue to be sweeping up after the traffic accidents, cleaning up the road for the next crash already speeding towards you. Rather than attempting to build an information and digital security structure from the technical ground up, based on unprecedented circumstances (such as we are now in), try finding the values in the business that the Execs and politicians are measured for, and use their protection as the foundation stones.
Enterprise Sales Leader | Executive Director | Defence and Security
(4y) I’d add that the proliferation of security solutions and associated ‘vendor fatigue’ adds to the challenges those teams face.
Executive Leadership | Strategy | Digital Transformation | Global Intelligence & Defence Expert | Cyber Expert | Global Chief Technology Officer | National Security Cloud Expert | Investor
(4y) Good article mate and agree with the points raised. Often more resources will assist when deployed to cyber security, but there is also a gap in what is wanted vs needed. Creative thinking also is an issue but can be served by how digital cyber skills are intertwined in future cyber workforce requirements.