Traversing the Essential 8 Maturity Model and Telstra’s mapped Cyber Security Controls

Man monitoring cyber security on a laptop in a data centre

At Rubicon 8, we often express the importance of investing in robust cyber security. This is just as vital within our own business, and we are always taking steps to help ensure our organisation is secure. 

The Australian Cyber Security Centre’s (ACSC) Essential 8 framework offers a guide to mitigating cyber security incidents and helping businesses better protect themselves against cyber threats. CyberGRX is a powerful solution built upon the Essential 8 framework. It offers a comprehensive platform designed to simplify and automate the validation of essential security controls, enabling organisations to assess their security posture efficiently and effectively.

Rubicon 8 has completed the CyberGRX validation process and has now been validated by Telstra against the mapped Essential 8 controls.

Read on to discover the full scope of what this means for us, and how it could apply to your businesses. 

What is the Essential 8 Framework? 

The Essential 8 framework serves as a vital guide for organisations seeking to enhance their cybersecurity defences. It outlines eight critical mitigation strategies that, when implemented correctly, significantly reduce the risk of cyber threats. These strategies cover the following key areas: 

1. Application control  

Help prevent the impacts of malware by making sure that only trusted applications are running on your systems. 

2. Patch applications  

Address known vulnerabilities by downloading the latest patches and updates to your applications. 

3. Configure Microsoft Office macro settings

Help prevent the execution of malicious codes by implementing macros within your Microsoft Office applications. 

4. User application hardening 

Effectively configure your web browsers and other applications to avoid common attack methods. E.g., Using adblockers. 

5. Restrict administrative privileges

Introduce privileged access levels and limit admin access to avoid compromised accounts gaining hold. 

6. Patch operating systems

Keep your operating systems updated with the latest patches that account for vulnerabilities. 

7. Multi-factor authentication

Introduce multiple forms of authentication for user logins as an extra layer of security. 

8. Regular backups

Ensure your data is regularly backed up and kept separate from the network to provide faster recovery after an incident. 

Explaining the Essential 8 Maturity Model  

In order to assist businesses as they implement Essential 8 strategies, the ACSC has defined four maturity levels: Level Zero, Level One, Level Two and Level Three. These are based on the need to mitigate increasing levels of cyber threats and tradecraft (methods used in modern espionage) depending on an organisation’s circumstances. 

The ideal maturity level depends on several factors: the level of tradecraft they expect to be targeted with, how desirable they would be to potential attackers, the confidentiality requirements of their data, and the availability and integrity needed for their systems and data. Once a business has considered these elements and comes to a conclusion, the aim is to progressively implement each level until the final goal is reached. 

Let’s define each maturity level. 

Maturity Level Zero 

This maturity level is a baseline indicator of poor defences. It indicates weaknesses in a business’ cyber security defences and no systematic approach to implementing any Essential 8 strategies. Probing these weaknesses would likely result in the complete compromise of their data and systems.

Maturity Level One 

Reaching Maturity Level One means an organisation has started employing Essential 8 strategies and methods, but likely hasn’t created a comprehensive approach. This means their controls could be inconsistent or only partially effective. 

This level is aimed towards businesses that expect to be targeted by more common attack methods to gain access and control of their systems. This could involve an opportunistic attack on a security vulnerability from an unpatched system, or even stolen credentials. Generally, attackers of this level are looking for any business to target, rather than someone specific, so their focus is on common weaknesses that they can exploit many times over.  

Maturity Level Two

To be considered Level Two, organisations will have established consistent use of Essential 8 strategies, with regular maintenance of the controls in place. However, these controls may not be completely optimised. 

If your business expects to be targeted by slightly more advanced attack methods than those outlined in Level One, then this may be the level you should strive for. Level Two attackers will generally invest more time into their target and improving the effectiveness of their tools, but will still use more commonly-known methods, e.g. gaining access to your credentials through phishing attempts, or working around weak multi-factor authentication. You can expect them to be more selective about who they attempt to attack, but won’t invest huge amounts of effort or resources. 

Maturity Level Three

To reach Level Three, businesses will need a robust and effective implementation of the strategies within the Essential 8 Framework. These are well-defined, used consistently, and regularly reviewed. The business may also add additional layers of protection and actively monitor for threats. 

Businesses in need of Level Three can expect to be targeted by more experienced and adaptive cyber criminals. Attackers are less reliant on public tools and may be developing their own for specific purposes. They will look for weaknesses in security posture, and once they have access will evade detection in order to solidify their presence. Their focus is on specific targets and they will usually spend a lot of time and effort analysing a business’s systems and weaknesses before executing an attack. 

What this means for Rubicon 8 

At Rubicon 8, we understand the threats we are likely to face. The risk of data compromise can have significant impacts that are felt throughout our network, so we have done our due diligence to ensure we are defended. That’s why we leveraged the power of CyberGRX to easily navigate each of the mapped Essential 8 controls.

If you are seeking guidance on traversing the Essential 8 Maturity Model or harnessing CyberGRX in your business, we can help. Talk to our team today and we can get started on securing your data, systems, and infrastructure. 

Ready to get started?

Recent insights

Start a conversation

Our team of enterprise technology specialists are ready to help you transform with technology. Let’s talk.