Home Insights Managed IT Services
Managed IT Services

Essential 8 maturity levels: how to measure your cyber security

Adam Dodds
Adam Dodds
4 July 2022 · 5 min read
Essential 8 maturity levels: how to measure your cyber security

Cyber-attacks are a constant and even rising threat to Australian organisations of all sizes and industries; a cyber crime was reported every eight minutes to the Australian Cyber Security Centre in 2021, up from every 10 minutes the previous year.

Implementing the Essential Eight Strategies to Mitigate Cyber Security Incidents will provide a strong baseline for your business’ security – but with four levels of maturity, how do you know where your business’ current security falls, and what you should be aiming for?

What is the Essential Eight?

The Australian Cyber Security Centre (ACSC) developed a series of eight essential cyber mitigation strategies to be implemented by organisations as a baseline for their cyber security posture. While no cyber security mitigation strategy or policy is foolproof, the Essential Eight makes it much more difficult for cybercriminals and malicious actors to invade your network.

These eight strategies are:

  • Application whitelisting
  • Patching applications
  • Configuring Microsoft Office macro settings
  • Application hardening
  • Restricting administrative privileges
  • Patching operating systems
  • Multi-factor authentication
  • Daily backups

How does the Essential Eight measure your cyber security?

These eight different strategies are measured according to the level of malicious cyber activity they each aim to mitigate, and are subsequently ranked across four maturity levels within your business:

Level 0: Indicates that there are weaknesses in your business’ overall cyber security posture, which could potentially lead to a breach of sensitive information.

Level 1: Mitigates adversaries who are content to leverage easily available commodity tradecraft to gain access to and likely take control of systems. These cybercriminals are looking for any victim, rather than targeting specific victims, and will seek any common weaknesses.

Level 2: Adversaries operating at this maturity level have a slight step-up in capability from the previous level, investing more time in their targets and using their tools more effectively. Well-known tradecraft, for example, may be used to bypass security controls and evade detection in an attempt to actively target credentials. They may use phishing, or employ technical and social engineering methods to circumvent weak multi-factor authentication

Level 3: Adversaries at this level are more adaptive and less reliant on publicly available tools and methods. They may take advantage of weaknesses in their target’s cyber security posture, such as old software or inadequate monitoring and logging. To evade detection and establish their presence, these malicious actors rapidly exploit vulnerabilities as soon as they are publicly released, as well as other tradecraft.

What is your business’ current maturity level?

All organisations are encouraged to focus on achieving a maturity level that is reasonably achievable for their risk management level. It takes active, dedicated effort for an organisation to reach that level, but by implementing each strategy, you will greatly enhance the cyber security posture of your business.

Performing a risk audit, or a cyber security audit, will give you great insight into your business’ current cyber security posture. For example, you may have implemented multi-factor authentication across your business for every application used by your employees, but may be lagging in configuring your Microsoft Office macro settings, or do not perform daily data backups. An audit will reveal your business’ weaknesses and show you the areas you need to be focused on.

The ACSC strongly recommends all organisations to ensure they have a consistent maturity level across all eight of the strategies before moving onto a higher level, as the strategies are designed to complement one another.

Reaching Essential Eight maturity level one

If you are uncertain whether your business is compliant with the Essential Eight, the answer is already “no”. The following is a condensed list of requirements for attaining the Essential Eight maturity level one:

Application whitelisting: Standard user profiles and temporary folders used by the operating system, web browsers, and email clients prevent the execution of executables, software libraries, scripts, compiled HTML, HTML applications, and control panel applets.

Patching applications: Patches, updates, and vendor mitigations for security vulnerabilities in web services, productivity suites, and all other software are applied as soon as possible. Vulnerability scanners are used daily. All apps, services, and products are removed when no longer supported by the vendor.

Configure Microsoft Office macro settings: Macros are disabled for users with no business requirements; macros in files from the internet are blocked; macro antivirus scanning is enabled; security settings cannot be changed by users.

User application hardening: Web browsers are banned from Java processing; browsers do not process internet ads; browser security settings cannot be changed by users.

Restrict admin privileges: Requests for privileged access are validated first; privileged accounts are prevented from accessing the internet; privileged users must use separate privileged and unprivileged operating environments; unprivileged accounts cannot login to privileged environments, and vice versa.

Patch operating systems: Patches, updates, and vendor security vulnerability mitigations for all apps, services, and products are applied as soon as possible; vulnerability scanners are used daily; operating systems no longer supported by vendors are replaced.

Multi-factor authentication: Implemented to all users to authenticate web services and third-party web services with any sensitive or non-sensitive information; implemented by default for non-organisational users (who have the choice to opt out) if they authenticate to the business’ internet-facing services.

Daily backups: Backups of all data and settings are performed in accordance with business continuity requirements; system and data restoration is tested regularly; unprivileged accounts can only access their own backups and are prevented from modifying or deleting backups.

Align your business with the Essential Eight

While the Essential Eight maturity models are a strong baseline for your business’ cyber security posture, you should still be doing more to protect your data and ensure business continuity, or disaster recovery in the event of a cyber-attack or natural disaster.

The cyber security experts at Itopia are specialists when it comes to helping businesses bring their cyber security posture in line with the Essential Eight. Talk to them today about conducting a risk assessment and start strengthening your security for assured business success.

Adam Dodds
Adam Dodds

Adam leads the Itopia team in Brisbane, helping professional-services firms get secure, productive and confident with their technology, in plain English.

Keep reading

Related insights

Managed IT Services
6 min read

EOFY IT checklist for accounting & finance firms

Read more →
Managed IT Services
4 min read

Brisbane’s Top 10 IT Support Services Provider in 2026

Read more →
Managed IT Services
4 min read

Brisbane’s Top 10 Managed IT Service Providers

Read more →

Want IT advice tailored to your business?

Talk to a local Brisbane technician, no jargon, no obligation.

Get a Quote Call 07 3063 2211