What is the ASD Essential Eight and how can my organisation benefit?

The Australian Signals Directorate (ASD) recommends eight strategies - the Essential Eight - to address cybersecurity concerns. Here’s what you need to know.


The Australian Signals Directorate (ASD), in conjunction with the Australian Cyber Security Centre (ACSC), has recommended eight mitigation strategies, known as the Essential Eight, to help address cybersecurity concerns, reduce the impact of cyber-attacks, and improve security controls.

As businesses are increasingly becoming targets of cyber-attacks and are at risk of incurring significant losses, the ASD Essential Eight are a strong foundation for building your cybersecurity framework.

While Australian businesses are not currently required to comply with the Essential Eight, all government departments, agencies and local councils will at some point be audited against the ASD Essential Eight, and it is recommended that businesses implement these mitigation strategies as a baseline to help reduce the risk of cybersecurity incidents.

What does the ASD Essential Eight cover?

1. Application Control
2. Patch Applications
3. Configure Microsoft Office macro settings
4. User application hardening
5. Restrict administrative privileges
6. Use Multi-factor authentication
7. Patch Operating Systems
8. Daily backups

To further break down what the ASD Essential Eight is and what it actually means for the cyber landscape of your business, the first step is to look at how businesses can minimise the impacts of a cyber-attack. By implementing just the first four of the ASD Essential Eight, the vulnerability of business systems and users can be significantly reduced.

1. Application control

This is a method used by cyber teams to monitor applications and restrict them from executing malicious code. It is quite an effective step, as it can also assist in preventing the installation of unapproved applications. The control checks applications, and authenticates and checks data, before giving the green light to execute actions or transmit data/files into the environment. The different types of application controls are:

a. Input Controls
b. Output Controls
c. Access Controls
d. Integrity Controls

2. Patch applications

Patch management is critical to ensure systems and applications stay updated. Patches can often fix known vulnerabilities which could provide hackers with easy entry points into your business environment. Organisations should use the most recently updated version of applications where possible, and patch applications with “extreme risk” vulnerabilities within 48 hours. This will ensure that all software is functioning as it should and also address the key vulnerabilities.

3. Configure Microsoft Office macro settings

Macros are very powerful and are commonly used to automate regular tasks to save time. However, they can pose a security risk. Cyber criminals can embed macros in MS Office documents which have the capability to manipulate and delete files or download malware. A user or third party with malicious intent has the ability to introduce very destructive macros in order to spread a virus onto your computer or into your network.

4. User application hardening

As the cyber-threat landscape constantly shifts along with a rapidly changing IT environment, cyber teams have adopted application hardening as part of their overall strategy. This is essentially a regular clean-out of old tools or applications, keeping only what is required. It is important to ensure your security posture isn’t being weakened by vulnerabilities in systems, as many applications are installed by default (such as unpatched software), or by weak processes (e.g. default, weak, or reused passwords). Other actions to consider are web browser configurations and default settings that disable unneeded features in Office, web browsers, and PDF viewers, which can limit the extent of cyber-attacks.

How can your business limit the extent of the damage caused by a cyber-breach? The next three mitigation strategies in the Essential Eight can help answer this question.

5. Restrict admin privileges

Users that carry admin privileges can make significant changes in the IT environment. They are able to reconfigure devices, modify critical controls, and access critical systems, applications and sensitive data. Hackers constantly target individuals with this level of access to give them greater avenues to distribute malicious code. Therefore, it is recommended that a limited number of people in your organisation have these levels of access. It is imperative that privileges are given in accordance with the user’s duties and role, and that processes are put in place to log and archive all actions.

6. Use multi-factor authentication

Multi-factor authentication requires the user to provide two or more verification methods to access applications, accounts and VPNs. This additional verification makes it more difficult for a hacker to get into your business network and limits their ability to move around.

7. Patch operating systems

Vulnerabilities in your systems and software are an easy point of entry into your business IT environment. Patching is essential for keeping your IT systems and applications safe from hackers attempting to exploit vulnerabilities. When a high severity vulnerability is found, it is important to patch this within 48 hours to lessen the likelihood of it being exploited.
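Both patching strategies (items 2 and 7) set the same 48-hour window, which can be checked against a vulnerability register. The following is an added example, not part of the original article or of any ASD tooling; the record fields, status names and sample data are constructed, and it assumes the clock starts when the vulnerability is identified.

```python
from datetime import datetime, timedelta

PATCH_WINDOW = timedelta(hours=48)   # window stated in the article
URGENT = {"extreme", "high"}         # severity labels the article applies it to

# Constructed sample register (not real data); "patched" is None while open.
FINDINGS = [
    {"asset": "pdf-viewer", "severity": "extreme",
     "found": "2024-03-04T09:00:00+00:00", "patched": "2024-03-05T16:30:00+00:00"},
    {"asset": "web-browser", "severity": "extreme",
     "found": "2024-03-04T09:00:00+00:00", "patched": "2024-03-07T09:00:00+00:00"},
    {"asset": "file-server-os", "severity": "high",
     "found": "2024-03-05T09:00:00+00:00", "patched": None},
    {"asset": "laptop-os", "severity": "high",
     "found": "2024-03-07T12:00:00+00:00", "patched": None},
    {"asset": "office-suite", "severity": "moderate",
     "found": "2024-03-01T09:00:00+00:00", "patched": None},
]

def assess(findings, now):
    """Classify each urgent finding against the 48-hour patch window."""
    results = []
    for f in findings:
        if f["severity"] not in URGENT:
            continue  # the article's 48-hour window covers extreme/high only
        deadline = datetime.fromisoformat(f["found"]) + PATCH_WINDOW
        closed = datetime.fromisoformat(f["patched"]) if f["patched"] else None
        if closed:
            status = "met" if closed <= deadline else "patched_late"
        else:
            status = "open_in_window" if now <= deadline else "overdue"
        # Measure lateness at patch time, or at "now" if still open.
        over = ((closed or now) - deadline).total_seconds() / 3600
        results.append({"asset": f["asset"], "status": status,
                        "deadline": deadline, "hours_over": max(0.0, over)})
    return results

def breaches(results):
    """Assets that missed the window, whether patched late or still open."""
    return [r["asset"] for r in results
            if r["status"] in ("patched_late", "overdue")]

if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-08T09:00:00+00:00")  # constructed
    for r in assess(FINDINGS, now):
        print(f'{r["asset"]:15} {r["status"]:15} +{r["hours_over"]:.1f}h')
```

Open findings that are already past the deadline are reported separately from late patches because they still represent live exposure.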

Organisations that don’t regularly back up their data risk losing it all in the event of a cyber-attack.

8. Daily backups

To protect your business data, it is crucial to ensure it is backed up and stored with the appropriate level of retention. There are a number of different backup strategies you can use to suit your organisation’s risk appetite. Whether your business uses an individual or hybrid strategy will depend on the overall business cost, performance and availability objectives set out by your business.

a. Mirror
b. Full backups
c. Incremental backups
d. Differential backups

The ASD Essential Eight has three levels of maturity for each of the eight points and is designed to allow organisations to incrementally reach Maturity Level Three. This can assist businesses in mapping out their strategy, roadmap and budgeting to gain compliance in a more structured and simplified way.

The ASD Essential Eight Maturity Model

There are three maturity levels that have been defined for each mitigation strategy. These have been created to help organisations determine the maturity of their implementation of the Essential Eight and make an assessment on their cybersecurity posture. The maturity levels are:

  • Maturity Level One: Partly aligned with the intent of the mitigation strategy.
  • Maturity Level Two: Mostly aligned with the intent of the mitigation strategy.
  • Maturity Level Three: Fully aligned with the intent of the mitigation strategy.

The Essential Eight is broadly aimed at providing organisations with a baseline of maturity on some of its key cyber security measures. It aims to reduce the threat landscape, implement key tools to better control access and assist organisations in recovering their data in the event of a cyber-attack.

Implementing the ASD Essential Eight and aiming to reach Maturity Level Three is important for building a robust cyber program for your organisation.

How can Marsh help?

Marsh’s Cyber Risk Consulting team can conduct a maturity assessment of your current cyber posture against the ASD Essential Eight (or the entire ISO 27001 cyber-security standards) to identify gaps. Marsh can help build a roadmap and strategy to guide your business to achieve level three compliance with these standards. Marsh can additionally assist in control and rule review, tool selection and running of proofs of concept, and can work with your business management to help implement the changes effectively.

If you have any questions in relation to this article or would like to discuss your cyber posture, please contact your Marsh representative or contact us here.

