
Why the government’s promise to improve Essential Eight compliance will fail without real-time visibility


Last month, the federal government released its new Cybersecurity Strategy. Within it, the government admits “many of its systems do not yet meet the ASD’s Essential Eight strategies for mitigating cyber security incidents.” In response, the government says it will provide support for uplifting maturity against the Essential Eight across government departments and agencies and conduct regular reviews, as well as roll out an Essential Eight Assessment Course to TAFE Cyber.

There is an assumption that because the Essential Eight has been around for a few years, all government agencies would have the knowledge and resources to meet and then maintain compliance, but in reality, people are still confused, and many still don’t have the basics right. So, it’s reassuring to see the importance of the Essential Eight recognised in the government’s new Cybersecurity Strategy. However, the government’s renewed focus has little chance of success if organisations don’t have the right tools to ensure they’re compliant. It’s also going to have a limited impact until it’s mandated across the private sector too.

More rigour around compliance  

More rigour is required around assessments. The current system relies on self-auditing, and we can’t simply believe what IT teams report back without having any checks and balances in place. This isn’t just because it’s in their own self-interest to present themselves in a good light, but also because the tools most government agencies are using don’t accurately reflect compliance levels.

Manual auditing against the Essential Eight is still the default method. Firstly, once you’ve collated snapshots from disparate sources across potentially thousands of endpoints, it’s more than likely that the data is out of date by the time it’s acted on. Secondly, because of how time-consuming manual auditing can be, organisations will take samples from only a fraction of their endpoints, providing no real understanding or visibility of threats.

This is where real-time, continuous auditing comes in. By creating real-time visibility across all endpoints, organisations can establish always-on compliance monitoring with no blind spots. The government should strongly encourage continuous auditing so that any gaps in the implementation of the Essential Eight can be discovered and remediated immediately.

Going beyond the government

From here, we would like to see the Essential Eight mandated outside of government departments and agencies. We don’t need frameworks upon frameworks that are inconsistent across the public and private sectors. This will only further delay improvements to our cybersecurity maturity.

Organisations should see the Essential Eight as a tool to prove they are taking cyber security seriously. For example, if a board can prove they are compliant against the Essential Eight, then it proves a level of due diligence. In the event an incident does occur, it’s less likely the board and leadership can be accused of being ill-prepared for an attack.

In the end, while it’s good to see the government taking the Essential Eight more seriously, it’s not going to matter if we don’t have the right tools to properly audit against it. Having real-time visibility into all endpoints as a standard across the public and private sectors is the only way we can ensure compliance with the Essential Eight and therefore step up our cyber defences as a nation.

James Sillence
Vice President, Technical Account Management, AP at Tanium

James Sillence, fueled by a curiosity about how things work, has been a lifelong technologist. During his early years, he actively dismantled items to gain insights into their inner workings. With a technician apprenticeship in electronics and an honours degree in computer science, he delved into academia, focusing on internet messaging systems. Transitioning to technical presales, he honed his skills in application and network performance, later leading technology teams in big data, analytics, and cyber security.
