February 16, 2019


The Essential Eight: Strategies for Security For Commonwealth Government Agencies

The Federal Parliament’s Joint Committee of Public Accounts and Audit, tasked with inquiring into the cyber resilience of certain Commonwealth entities, has recommended that all such entities adopt a set of cyber security mitigation strategies known as the Essential Eight. The Committee made this recommendation in its Report 467: Cybersecurity Compliance Inquiry based on Auditor-General’s report 42 (2016-17) (Report). Tarantino’s Hateful Eight is perhaps a little more convoluted than these simple touchstones of good practice. The Essential Eight are good reading for all enterprises, not just government agencies.

The Essential Eight originally appeared in Strategies to Mitigate Cyber Security Incidents, a cyber security baseline document published by the Australian Signals Directorate (ASD), the Defence portfolio’s signals intelligence and cyber security agency. The Strategies document ranks some 37 mitigations by their effectiveness; the Essential Eight are the subset ASD rates as essential and recommends every organisation implement as a baseline before considering the rest.

The Report also identified the hallmarks of a cyber resilient entity, notably that such entities demonstrate a leadership culture and behaviours that prioritise cybersecurity. This means seeing cybersecurity as more than a box to be checked: organisations need to be proactive and go beyond compliance. This includes embedding security awareness in the enterprise culture. As we often encourage our clients, organisations need to see their staff as their first line of defence and ensure they are trained to prevent and respond to cyber security risks.

Summary of the Essential Eight:

  • Application whitelisting – so that only approved software can execute, preventing unapproved programs (including malware) from running;

  • Patch applications – to fix known security vulnerabilities in software such as web browsers, PDF viewers and Microsoft Office, and to patch promptly (ASD’s guidance is within 48 hours for “extreme risk” vulnerabilities);

  • Disable untrusted Microsoft Office macros – so that macros embedded in documents from the internet cannot be used to download and run malware; only vetted or digitally signed macros from trusted locations should be allowed to run;

  • User application hardening – to configure web browsers to block Flash, Java and web advertisements, which are common vectors for delivering malware;

  • Restrict administrative privileges – to limit who holds administrator accounts (the “keys to the kingdom”) to those whose duties require them, so that an adversary who compromises an ordinary account cannot freely access information and systems;

  • Patch operating systems – to fix known security vulnerabilities in operating systems and avoid running versions the vendor no longer supports;

  • Multi-factor authentication – particularly for remote access (VPNs, RDP, SSH) and for privileged users, so that a stolen password alone does not grant access; and

  • Daily backup of important data – of new and changed data, software and configuration settings, kept offline or otherwise disconnected and retained for at least three months, so that systems and data can be restored after a cyber security incident.

Items 1-4 are intended to prevent malware from being delivered and executed; items 5-7 limit the extent of an incident once it has occurred; and item 8 allows data and system availability to be recovered.
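Of the eight, the macro control is the one most often assumed to be in place when it is not: Office’s default setting (“disable with notification”) lets a user enable a macro with one click, which is exactly what phishing documents ask them to do. The following PowerShell script is an added example for this post (it is not from the Committee’s Report or ASD’s Strategies document) that audits whether the Group Policy registry values enforcing the control are actually set for the current user. The registry paths and value meanings follow Microsoft’s published Office policy settings; the Office version key (16.0, covering Office 2016, 2019 and Office 365 at the time of writing) is assumed and can be overridden.

```powershell
# Added example: audit the Group Policy registry values behind Essential Eight
# strategy 3, "disable untrusted Microsoft Office macros", for the current user.
# Not part of the Report or the ASD document. $OfficeVersion is an assumption
# (16.0 = Office 2016 / 2019 / Office 365); adjust for other releases.
param([string]$OfficeVersion = '16.0')

$apps = 'Word', 'Excel', 'PowerPoint'

$results = foreach ($app in $apps) {
    # Policy-enforced settings live under HKCU\Software\Policies; values set only under
    # HKCU\Software\Microsoft (user preferences) can be changed back by the user.
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $sec = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # VBAWarnings: 1 = enable all macros (unsafe)
    #              2 = disable with notification (Office default; user can click to enable)
    #              3 = disable all except digitally signed macros
    #              4 = disable all macros without notification
    $vba = $sec.VBAWarnings

    # blockcontentexecutionfrominternet: 1 = macros in files carrying the Mark of the Web
    # (downloaded from the internet or received as attachments) cannot run at all.
    $block = $sec.blockcontentexecutionfrominternet

    $vbaText   = if ($null -eq $vba)   { 'not set (user-controlled)' } else { $vba }
    $blockText = if ($null -eq $block) { 'not set' } else { $block }

    # Meets the strategy only when macros are disabled outright (4) or limited to signed
    # macros (3) AND internet-sourced macros are blocked. Setting 2 does not count.
    $ok = ($vba -in 3, 4) -and ($block -eq 1)

    [pscustomobject]@{
        Application           = $app
        VBAWarnings           = $vbaText
        BlockInternetContent  = $blockText
        MeetsEssentialEight   = $ok
    }
}

$results | Format-Table -AutoSize

# Non-zero exit makes the script usable from a compliance or monitoring job.
if ($results.MeetsEssentialEight -contains $false) {
    Write-Warning 'One or more Office applications do not enforce the macro restriction via policy.'
    exit 1
}
```

Run it as the user whose configuration is being assessed (the policy keys are per-user). A “not set” result for either value means the control is relying on the user’s own choices rather than on policy, which is the gap the Committee’s Report is concerned with; the same approach extends to the other Office applications and to the trusted-locations settings under the same Security key.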

Olivia Coburn contributed to this post.

Copyright 2019 K & L Gates


About this Author

Cameron Abbott, Technology Attorney, K&L Gates, Australia

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurement issues, including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market leading solutions are implemented in to their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Keely O'Dowd, K&L Gates, attorney, Melbourne

Ms. O'Dowd is an experienced lawyer with a focus on technology and sourcing projects. She advises on a broad range of technology transactions, including procurement, outsourcing and software licensing. This work includes drafting and advising on a range of IT procurement and supply agreements. Ms. O'Dowd advises a range of corporations on privacy and cybersecurity.