Every organisation, regardless of size, is now a target for cybercrime. And the onus is on executive management to make sure the organisation is up to speed.
In Australia, the Essential Eight offers a technical checklist approach that streamlines cybersecurity compliance. However, it is highly prescriptive and technical, and it does not provide a framework for more integrated approaches to organisational cybersecurity.
Internationally, the US National Institute of Standards and Technology (NIST) offers the Cyber Security Framework (CSF). While still technical in nature, the NIST CSF is less prescriptive. Instead, the framework prioritises risk mitigation using five flexible and cost-effective functions. These five functions align to stages inherent in a cyberattack, allowing IT managers to defend the organisation. This broad, investigative approach helps encourage conversations by allowing technical and executive personnel to communicate effectively about cybersecurity’s impact on the organisation as a whole.
The Essential Eight in focus
The Essential Eight is a series of eight technical recommendations designed to work in tandem to mitigate the risks of potential data breaches. Developed and maintained by the Australian Cyber Security Centre (ACSC), the Essential Eight is the minimum baseline of cyber threat protection recommended by the Australian Signals Directorate. It forms the basis of a mandated cybersecurity framework for all 98 non-corporate Commonwealth entities.
All government entities that must comply with this cybersecurity framework undergo a comprehensive audit every five years. As supply chain attacks have also become an increasingly popular way to effect data breaches, organisations that work directly alongside or peripherally to government agencies may find themselves needing to comply with the Essential Eight to maintain ongoing business arrangements.
How the Essential Eight works
The Essential Eight strategies help mitigate cybersecurity incidents by hardening systems against cyberattacks, limiting the damage a successful attack can cause, and making it easier to recover from an attack should one occur.
The Essential Eight strategies themselves cover vital areas of concern for many organisations. These include:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
The strategies are implemented to a maturity level, with each level corresponding to the increasing levels of cybercriminal tradecraft an organisation is expected to withstand.
- Level 0 – there are weaknesses in an organisation’s overall cybersecurity posture.
- Level 1 – an organisation can likely hold its own against a noncommittal attack using basic tradecraft and tools.
- Level 2 – the organisation is ready to handle attacks from a more committed attacker.
- Level 3 – the organisation can mitigate attacks from a dedicated threat actor using advanced tradecraft and techniques.
Essential Eight: pros and cons
Pros
- Clear actions – it gives clear goals for organisations looking to mitigate the risk of data breaches.
- Weighted response to risk – the range of maturity levels allows an organisation to mitigate the level of tradecraft it is likely to face, aligning the Essential Eight to its risk management goals.
- Quickly check compliance – with such clear outcomes, it is easier for an organisation to show how well it complies with a given maturity level.
- Mitigates technical entry points – the strategies in the Essential Eight focus on technical factors for mitigation.
Cons
- Requires advanced technical knowledge – the content of the strategies can be challenging for non-technical staff to understand, implement, or appreciate.
- Narrow focus – does not account for business activities and behavioural elements that might contribute towards these risks.
- Can be intrusive – while some elements of the Essential Eight are relatively simple to accomplish, others can take significant resources and interrupt daily operations.
Who is the Essential Eight for?
Given that the Australian government developed the Essential Eight, it is little wonder that it is mandatory for government agencies.
It’s also no surprise that businesses and organisations that work alongside these agencies – either directly or as part of the supply chain – will be interested in reaching a level of compliance that makes them attractive to these agencies.
However, it’s not just the government ecosystem that benefits from the Essential Eight. Organisations that want a simple checklist approach to cybersecurity – and have the in-house capacity to make it happen – can use the Essential Eight to identify gaps in their cybersecurity posture and make changes that suit their level of risk.
The NIST CSF in focus
The National Institute of Standards and Technology (NIST) is a US government organisation responsible for solutions that ensure measurement traceability, quality assurance and documentation standards. NIST is also in charge of developing guidelines, criteria, and best practices in the cybersecurity space in the form of the Cyber Security Framework (CSF).
The NIST CSF v1.1 provides a blueprint for security that is world-class, action-focused, and helps to cover gaps that organisations may find in other frameworks.
How the NIST CSF works
The framework covers five critical areas called “cores” that relate to cybersecurity:
- Identify
- Protect
- Detect
- Respond
- Recover
These cores are risk-based and guided by stakeholder perspectives. The cores can be adapted to suit many technologies and industry sectors without relying on prescriptive actions.
Implementation of the cores is measured by four tiers – partial, risk-informed, repeatable, and adaptive. Each tier is assessed across three areas:
- Risk Management Process – relates to the functionality and repeatability of cybersecurity risk management.
- Integrated Risk Management Program – measures the extent to which cybersecurity is considered in risk management decisions.
- External Participation – tracks the degree to which the organisation monitors and manages supply chain risk and shares information with outside parties.
The idea is to develop desired outcomes based on core factors that define the entire breadth of cybersecurity. The cores span prevention and recovery actions, translating these elements into actionable language that an organisation’s stakeholders understand.
NIST CSF encourages organisations to consider business requirements and material risks, then use these measures to make reasonable and informed cybersecurity decisions. The framework then helps identify and address feasible and cost-effective improvements.
NIST CSF: pros and cons
Pros
- Flexible, adaptable framework – the CSF’s outcomes-driven approach makes it highly flexible across a range of industries and organisation sizes, with future-facing actions that let organisations update their strategies in response to changing demands.
- Maps to other frameworks – the behavioural elements of the NIST CSF mean it can easily map to other cybersecurity controls, so organisations can meet their compliance requirements while strengthening their overall cybersecurity stance.
- Widely recognised – the NIST CSF represents the collective experience of thousands of information security professionals. It forms the basis of industry best practice by being the most comprehensive, in-depth set of controls of any framework.
- Enables a long-term view of cybersecurity – the CSF helps remove the “one-off” audit compliance mindset, replacing it with a more adaptive and responsive posture.
- Bridges the gap between technical and business-side stakeholders – the CSF’s risk-based approach makes it compatible with the priorities of organisational executives. This helps align the integrated risk management approach necessary for cybersecurity management with broader business goals, enabling better communication and decision-making through a shared security vocabulary.
Cons
- Relies on understanding existing standards – the NIST CSF is non-prescriptive, meaning it does not deliver a detailed checklist to follow. Instead, organisations are encouraged to follow standards that meet their risk management needs. If an organisation is unfamiliar with the standards referenced in the framework, it may struggle to implement the required actions.
- Technical communication is a must – the NIST CSF requires a thorough understanding of an organisation’s current cybersecurity risk profile to drive the organisation’s adoption and execution of a remediation plan. While this can encourage buy-in from key stakeholders, it also requires a level of technical communication that may be outside the capacity of some organisations.
Can the Essential Eight and NIST CSF work together?
The short answer is yes. The NIST CSF is a cybersecurity compliance framework that maps to a range of regulatory standards, whereas the Essential Eight is, essentially, a prescribed list of technical strategies that aim to mitigate threats.
"The requirements laid out by the Essential Eight maturity levels map very well to the core components that make up the NIST CSF"
For some organisations, the Essential Eight can be the starting point for shoring up their cybersecurity stance. Higher maturity levels or broader considerations are then possible by mapping these actions onto the NIST framework and identifying critical areas of activity.
In this way, the NIST CSF forms a structured way to communicate the issues uncovered by the Essential Eight, while the Essential Eight covers critical areas listed by the CSF.
Which one is right for my organisation?
When it comes to mitigating the risk of data breaches, an organisation’s cybersecurity can benefit from professional attention.
The ultimate decision of which cybersecurity strategy to follow comes down to two key issues – risk management and resources. Organisations need to determine which approach best lets them manage and mitigate their risks and balance out the potential costs with likely outcomes.
In-house IT staff can get the job done – there’s no doubt. But even these seasoned professionals may benefit from an external review.
When an organisation doesn’t have in-house IT, managed cybersecurity solutions can provide critical backup, which means the difference between a smooth-running IT environment and continual cybersecurity issues.
To find out which option works best for you, get in touch with First Focus today!