The Australian Government will change course and require all 98 non-corporate Commonwealth entities (NCCEs) to implement the Essential Eight, a priority list of cyber mitigation strategies. The change comes after the government refused to do so for several years, and is due to the lack of cyber maturity across those entities.
The mitigation strategies, developed by the Australian Cyber Security Center (ACSC) of the Australian Signal Authority, form a priority list designed to protect organizations from cyber attacks.
According to the ACSC, the Essential Eight provides organizations with a baseline to defend against attacks. The strategies range from configuring Microsoft Office macro settings to block macros from the Internet to restricting administrator privileges on the operating system.
NCCEs are currently required by the Protective Security Policy Framework (PSPF) to implement four cyber mitigation strategies. According to a recent report by the Australian National Audit Office, NCCEs are implementing these top four strategies with varying degrees of effectiveness.
Nevertheless, the Australian Government has made it clear that it is ready to update the PSPF to incorporate the Essential Eight mitigation strategies. In response to an inquiry into the Audit President’s report on cyber resilience by a joint public accounting and audit committee, the Attorney General’s department advised that it would accept a requirement to implement the Essential Eight cyber mitigation strategies.
Examples of NCCEs include the Treasury, the Parliamentary Services Department, the Australian Bureau of Statistics, and the National Blood Department.
The proposed mandate of the Essential Eight across NCCEs has drawn a range of reactions from cybersecurity experts. Matthew Lowe, area VP at software company Ivanti, said the mandate is an important step forward.
“The decision to require Essential Eight for all federal agencies except businesses demonstrates our commitment to protect cyber assets in the same way we protect physical borders.”
The Essential Eight mitigation strategies may be mandatory for NCCEs, but they are also accepted by other organizations and businesses. A recent Ivanti survey of Australian CISOs revealed that 100% of respondents intend to align their cybersecurity efforts with the Essential Eight within the next 12 months.
However, Versent’s director of security technology, Simon Morse, said a nationwide approach to cybersecurity is needed, rather than a focus solely on NCCEs.
“This is just one step towards good cybersecurity defenses across the country. It relies on critical privatized infrastructure, state and local governments, and federal agencies to cover what is needed. That is also important.”
KnowBe4’s security awareness advocate, Jacqueline Jayne, states that the Essential Eight cannot cover human factors. Jayne argues that the Essential Eight should be the Essential Nine.
“What’s missing is the human side of mitigation. A recent study from Stanford University and Tesian University reported that 88% of data breaches were caused by human error. There is strong evidence to support the update to Essential Nine, and the ninth element is the human element.”
The Attorney General’s department expressed its intention to implement Essential Eight in response to inquiries, but refused to provide a timeline or framework for it.