The Australian government is looking to mandate that non-corporate Commonwealth entities implement all of the Essential Eight cyber security mitigation strategies, rather than only the four currently required.

The Attorney General’s Department quietly announced its intention to mandate the Essential Eight in a response to the Joint Committee of Public Accounts and Audit’s inquiry into an Auditor-General’s report on cyber resilience.

At issue is a change to the Protective Security Policy Framework (PSPF), which non-corporate Commonwealth entities are required to implement and which currently mandates only the ‘Top Four’ mitigation strategies.

Responding to the committee, the Attorney-General’s Department, which oversees the PSPF, said it had held “detailed discussions” with the Australian Cyber Security Centre (ACSC) and is keen to update the policy framework.

“The department will recommend an amendment to the PSPF to mandate the Essential Eight,” the Attorney-General’s Department said.

“This reflects the ACSC’s advice that entities should progress maturity across all eight strategies that form part of the Essential Eight, rather than focusing efforts on a smaller subset like the Top Four, as this provides a greater level of protection.”

Although a mandate for the Essential Eight would, in theory, improve the cyber security of government agencies, the troubling thing is how few of them already implement the ‘Top Four’ mandated under the existing policy.

A recent report from the Australian National Audit Office found year-on-year improvements to cyber security but most agencies still have maturity levels “significantly below” requirements.

Of the 18 agencies audited, fewer than half reported maturity in three of the top four mitigation strategies.

The audit office found particularly low levels of compliance with patching applications (one of the mandated Top Four) and with multi-factor authentication and user application hardening, two Essential Eight strategies that sit outside the current mandate.

It also noted that previous audits of government agencies “have not found an improvement in the level of compliance with the controls over time” and that the latest review “indicates that this pattern continues, with limited improvements”.

Jacqueline Jayne, Security Awareness Advocate at KnowBe4, said the government should consider expanding the Essential Eight to include greater awareness of the human element in cyber security.

"Other cybersecurity frameworks such as [the one designed by US National Institute of Standards and Technology (NIST)] have acknowledged the importance of bringing education and awareness in relation to cybersecurity to all people within all organisations,” she said.

“They have uplifted the requirement and importance of the human aspect of mitigation to provide ongoing security awareness training to all of their employees.

“To ensure all the necessary bases are covered, we need to add the extra human layer to the current eight layers.

“Otherwise, it's like locking all the windows, securing the back door with an alarm, installing a CCTV system and leaving your front door wide open.”

The ACSC Essential Eight are (the first four being the ‘Top Four’ currently mandated by the PSPF):

  • Application control
  • Patching applications
  • Restricting administrative privileges
  • Patching operating systems
  • Restricting Microsoft Office macros
  • User application hardening
  • Multi-factor authentication
  • Daily backups