Which Essential 8 Maturity Level Is Right For My Business?

Do business safely with our FREE ESSENTIAL 8 Audit Tool


This information is general in nature and should be used in conjunction with a cyber-security expert and a risk assessment based on your business, resources and the data you hold.

The Australian Cyber Security Centre (ACSC) Essential 8 is a set of strategies designed to help organizations improve their cybersecurity posture and reduce the risk of cyber threats. Our Free Essential 8 Audit Tool is divided into three maturity levels, each with increasing levels of security controls and complexity. These levels are tailored for different types of businesses based on their specific needs, risk profile, and resources.

What is the Free Essential 8 Auditor?

The Free Essential 8 Auditor by Extreme Networks is a user-friendly, web-based platform specifically tailored for small businesses. The auditor assesses your existing cybersecurity measures based on the Essential 8 mitigation strategies recommended by the Australian Cyber Security Centre (ACSC). These proven strategies significantly lower the risk of cyber threats and strengthen the overall security of your IT infrastructure.

ACSC Essential 8 Maturity Levels Explained

Maturity Level 1
This level is focused on basic cybersecurity practices and is most suitable for small businesses or organizations with limited resources and low-risk profiles. The primary goal at this level is to establish foundational security controls, such as patching applications and operating systems, restricting administrative privileges, and implementing multi-factor authentication.

Maturity Level 2
This level is intended for medium-sized businesses or organizations with a moderate risk profile. At this level, organizations should have already implemented the basic controls from Maturity Level 1 and are now looking to further enhance their security posture. This may include more advanced controls like daily backups, application control to prevent unauthorized software execution, and regular reviews of administrative privileges.

Maturity Level 3
This level is intended for larger organizations or those with high-risk profiles, such as those that handle sensitive financial data, are subject to strict regulatory requirements, or face complex cybersecurity challenges due to their scale and diverse operations. Organizations at this level require advanced security controls and continuous improvement.

In summary, the appropriate level of the Essential 8 framework for a business depends on its size, risk profile, and resources. Small businesses with low-risk profiles should aim for Maturity Level 1, medium-sized businesses with moderate risk profiles should target Maturity Level 2, and larger organizations or those with high-risk profiles should strive for Maturity Level 3. However, it’s important to note that the specific needs and circumstances of each organization may vary, and a tailored approach to implementing the Essential 8 is recommended.

Some organisations' risks may warrant a higher Maturity Level in some areas, especially where the controls are easy to implement. Other organisations may look at other risk mitigations or be forced to tolerate the risk if they do not have the resources to implement the suggested level.

How to Choose the Right ACSC Essential 8 Maturity Level for Your Business

Maturity Level 1
Example 1: A local coffee shop with a basic website and Wi-Fi network for customers. The coffee shop has limited customer data and a relatively low risk profile.

Example 2: A small graphic design agency with a team of freelancers working remotely. The agency handles limited client data and has a basic IT infrastructure, requiring foundational cybersecurity measures.

Maturity Level 2
Example 1: A mid-sized manufacturing company with a factory and office facilities. The company has a moderate risk profile, with proprietary designs and some sensitive customer information.

Example 2: A regional healthcare clinic that manages electronic health records and personal information for patients. The clinic needs to ensure data protection and privacy legislation compliance, but the risk profile is not as high as a large hospital.

Maturity Level 3
Example 1: A large financial institution like a bank or an insurance company, which handles sensitive financial data and is subject to strict regulatory requirements. The risk profile is high, and a robust cybersecurity strategy is essential.

Example 2: A multinational corporation that operates in multiple industries, such as technology, logistics, and manufacturing. The company faces complex cybersecurity challenges due to its scale and diverse operations, requiring advanced security controls and continuous improvement.

The Benefits of Implementing a FREE Essential 8 Audit Tool

Our Free Essential 8 Audit Tool aims to address different types of threat actors depending on the security controls implemented. Maturity Level 1 focuses on basic, opportunistic attackers; Maturity Level 2 targets more advanced cybercriminals and low-level nation-state actors; and Maturity Level 3 aims to mitigate against highly skilled, well-funded adversaries like APT groups and nation-state actors.

Maturity Level 1
This level aims to protect against low-level threat actors such as script kiddies, opportunistic attackers, and basic cybercriminals. These actors typically use widely available tools, automated scans, and common exploits to target vulnerable systems. By implementing basic security controls, organizations can deter these threat actors and reduce the likelihood of successful attacks.

Maturity Level 2
At this level, organizations aim to defend against more sophisticated threat actors, including organized cybercriminal groups and some low-level nation-state actors. These attackers often employ more advanced techniques, custom malware, and social engineering to gain unauthorized access to systems and data. The enhanced security controls in Maturity Level 2 help organizations to detect and respond to these more advanced threats.

Maturity Level 3
At this level, organizations aim to mitigate against highly skilled, well-funded adversaries like APT groups and nation-state actors.

Smaller businesses are less likely to attract the interest of well-resourced and skilled attackers; however, this is no guarantee. High-profile hackings of high-profile targets, such as by the Shadow Brokers, should remind everyone that no organisation can ever be completely safe from cyber-attack.

As a general principle, the larger the company and the more data or money it controls, the greater the likelihood of attracting the attention of increasingly skilled attackers. Smaller organisations with connections to larger organisations may be seen as a route into a high-value target organisation.

Get started on keeping your business safe and compliant today!