What Are the 'Essential Eight' Pillars of Cyber Security?

The Australian Cyber Security Centre is the government's lead agency for cybersecurity. It leads the Australian Government’s efforts to improve cyber security. Their role is to help make Australia the most secure place to connect online. In line with this mission, they have developed a series of prioritised mitigation strategies to assist Australian businesses in protecting themselves against various cyber threats. The most effective of these strategies is referred to as the ‘Essential Eight’ pillars of cybersecurity. This article aims to provide an introduction to what it is, what it consists of and how you can implement cybersecurity to protect your business


What is the Essential Eight? 


The Essential Eight was introduced by the Australian Signals Directorate (ASD), and published in 2017. Its purpose is to protect Australian businesses from cyberattacks by protecting Microsoft Windows-based internet-connected networks, through the implementation of eight security controls. These eight security controls are divided into three primary objectives - prevent attacks, limit attack impact, and data availability. 


Objective 1: Prevent Cyberattacks

  • Application Control
  • Patch Applications 
  • Configure MS Office Macros
  • User Application Hardening

Objective 2: Limit Attack Impact

  • Restrict Admin Privileges 
  • Patch OS Systems
  • Multi-Factor Authentication

Objective 3: Data Availability 

  • Data Backups


Lock Down Your Cybersecurity & Compliance

Protect, Certify & Grow Your Business

Build resilient governance practices that can adapt and strengthen with evolving threats.



What are the eight mitigation strategies? 


Below is a breakdown of the eight mitigation strategies that make up the ‘Essential 8 Pillars of Cybersecurity:


  1. Application Control - maintaining control over applications to prevent the execution of unauthorised or unapproved software e.g. exe. and scripts.

  2. Patch Applications - to remediate or fix any identified vulnerabilities in applications, keeping applications up to date with the latest patches and updates installed

  3. Configure Microsoft Office Macro Settings - Ensure that all unwanted macros are blocked from the internet, only allowing vetted macros within ‘trusted locations. 

  4. Application Hardening - to protect systems against an application's vulnerable functionality. E.g. configure web browsers to block flash, ads and javascript. 

  5. Restrict Administrative Privileges - to prevent admin users from having powerful access to systems. Routinely re-evaluate the need for privileges.

  6. Patch Operating Systems - Ensuring that the latest operating system version is in use, prevent the use of unsupported versions. Mitigate any identified vulnerabilities that are of ‘extreme risk’ within 48 hours of its discovery. 

  7. Multi-factor authentication - To protect against risky activities, MFA includes VPNs, RDP, SSH, and other remote access, for all users who have privileged access to sensitive systems and networks.  

  8. Regular Backups - maintaining daily backups to ensure that access to critical data is always available even in the event of a cyber-attack or incident. 

How is the Essential Eight Framework Implemented? 


To assist with implementation, the Essential Eight framework is supplemented by a maturity model, built on the basis of ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and prior experience assisting businesses in the implementation of the Essential Eight. The maturity model consists of four different maturity levels (Maturity Level Zero to Maturity Level Three). 


Essential Eight Maturity Levels: 

Maturity 0

This maturity level signifies that there are weaknesses in an organisation’s overall cyber security posture.

Maturity 1

The focus of this maturity level is adversaries who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, systems.

Maturity 2

The focus of this maturity level is adversaries operating with a modest step-up in capability from the previous maturity level.

Maturity 3

The focus of this maturity level is adversaries who are more adaptive and much less reliant on public tools and techniques.

When implementing the Essential Eight, businesses should identify a target maturity level suitable for their environment, and then progressively work on getting each of the eight security controls up each maturity level until that target is achieved. As the eight security controls or strategies complement each other, businesses should plan to achieve the same maturity level across all eight strategies before moving on to higher levels. 


The Australian Cyber Security Centre recommends that organisations aim to reach Maturity Level 3 for each mitigation strategy. Once achieved it is important for organisations to maintain that status and recognise that Essential 8 is just a baseline for cybersecurity. If the ACSC believes that your organisation requires a higher level of maturity they will provide tailored solutions to meet your specific cybersecurity needs.

What are the key benefits of the Essential 8 Pillars of Cybersecurity? 


  • Concise and clear - It gives clear directives to organisations that are looking to reduce the chance of falling prey to data breaches. 

  • Risk vs Response - the different maturity levels allow organisations to mitigate risk to a level equal to the adversary they are likely to face. Which can be useful when looking to align to risk management goals. 

  • Easy to reach compliance goals - with clear outcomes, it is easy for organizations to prove their compliance to a certain level of maturity. 

  • Focus on technical solutions - the strategies in Essential Eight focus on technical factors for mitigation.

How can StickmanCyber help? 


At StickmanCyber we can help you implement the Essential 8 framework from start to finish using our continuous cybersecurity improvement methodology. Outlined below are the key phases at a high level: 


Phase 1: Assess - The scope of the engagement will be defined, and a cybersecurity assessment conducted to identify the alignment of current ICT systems, policies and processes to ACSC Essential 8.

Phase 2: Plan - From the outcome of Phase 01, the remediation activities identified will be reviewed and prioritised based on the organisation's requirements and recommended maturity.

Phase 3: Execute  - Assisting the client in the Implementation of the controls identified in Phase 02.

Phase 4: Monitor - This phase is usually performed monthly as a progress update, with annual reassessment of the activities conducted and maturity achieved, reported to top-level management.

Phase 5: Maintain - This phase is ongoing after Phase 02 to ensure progress is monitored and improvements are implemented, to maintain the level of maturity required.

With growing cybersecurity attacks, most businesses lack the skills and time to mitigate their risks; we provide a comprehensive fully managed service that protects and certifies your business, resulting in mitigating your risks, building trust, winning and retaining clients. Speak to an expert today, to learn more about how you can protect your business. 



The First Step is Crucial. Start with a Cybersecurity Assessment

Where are you at your cybersecurity maturity journey? Get an assessment of your current security posture and identify the gaps and challenges that you need to act upon.





Similar posts


Optus has been hit with a major cyber attack

In today’s world businesses around the world as well as in Australia, face increasingly sophisticated and innovative cybercriminals targeting what matters most to them; their money, data and reputation. Download our guide to learn everything you need to know about the Optus Data Breach, as well as the nine steps every business around the world and in Australia needs to take to avoid being next.