Skip links

Measuring Cybersecurity Effectiveness: Using ASD Essential 8 Maturity Model as a Benchmark 

Cybercrime poses a growing threat to businesses and the public. Predictions indicate a global cost of $6 trillion by year-end, rising to over $10 trillion by 2025. Small and medium businesses are prime targets, facing an “out of control” surge in attacks. Recent months witnessed numerous high-profile cyber breaches, with a 300% spike in reported attacks since the onset of COVID-19. Shockingly, breaches often go unnoticed for 280 days, with 56% remaining undetected. Urgent action is imperative. 

Bridging the Cybersecurity Gap

Measuring, analysing, and reporting cybersecurity threats and performance is essential for a robust cybersecurity program. However, it can be challenging to strike a balance between the technical complexity of cybersecurity and the needs of non-cyber business leaders. This gap is critical to bridge especially when executives struggle to understand information risk and security practitioners often overwhelm stakeholders with technical jargon. Ideally, cybersecurity professionals should communicate measurements and reports in a way that resonates with senior executives, provides valuable insights, satisfies curiosity, and leads to actionable strategies. 

To fortify your organization’s cybersecurity posture and transition to a proactive stance, the Australian Signals Directorate (ASD) provides a strategic guide to bolstering cyber defences called the Essential 8 Assessment Framework. By adhering to the guidelines of the ASD Essential 8 Assessment Framework – which encompasses measures such as application whitelisting, patching applications, and configuring Microsoft Office macro settings – you can ensure a robust defence against a spectrum of cyber threats. This proactive approach not only safeguards confidential data but also serves as a steadfast guardian of your organisational reputation, instilling trust among stakeholders and mitigating potential risks. 

Defining ASD Essential 8 Maturity Model

The Australian Signals Directorate (ASD) Essential 8 Maturity Model is a comprehensive framework developed to assist Australian businesses in mitigating cyber security risks. It stems from the original Top-37 and offers a prioritised list of baseline security measures. ASD claims that implementing these eight controls can potentially prevent up to 85% of cyberattacks. 

In collaboration with the Australian Cyber Security Centre (ACSC), ASD regularly updates these recommendations based on feedback from the Australian cyber security community. Also known as ACSC Essential 8 Assessment Framework, it is a widely accepted benchmark for cyber security best practices, especially as the threat landscape rapidly evolves. The Essential 8 is endorsed by multiple government and industry organisations, and is relatively easy to implement and maintain, making it an ideal solution for businesses of all sizes.

What the ASD Essential 8 Maturity Model Covers

The ASD Essential 8 is a set of eight mitigation strategies that organizations can implement to protect themselves from a wide range of cyber threats. The strategies are:

Application Control

Application control is a cybersecurity method designed to monitor and limit the execution of malicious code, effectively preventing the installation of unauthorized applications. This control assesses and authenticates applications, scrutinizing data before permitting actions or the transmission of files into the environment. Key categories of application controls include: 

  • Input Controls 
  • Output Controls
  • Access Controls 
  • Integrity Controls 

Patch Applications

Patch management is crucial to maintain system and application security by addressing known vulnerabilities. Patches, particularly for “extreme risk” vulnerabilities, should be applied within 48 hours to mitigate potential entry points for hackers. Using the latest application versions whenever possible ensures optimal functionality and effectively addresses key vulnerabilities.

Configuring Microsoft Office Macros

While macros in Microsoft Office enhance efficiency, they can also be exploited for malicious purposes. Cybercriminals may embed harmful macros in documents, enabling file manipulation, deletion, or malware downloads. Vigilant configuration of Office macro settings is essential to mitigate the risk of users or third parties introducing destructive macros that can compromise computer systems or networks.

User Application Hardening

In response to the dynamic cyber-threat landscape and evolving IT environments, cyber teams integrate Application Hardening as a vital component of their strategy. This entails regular removal of obsolete tools or applications, retaining only essential components. The goal is to safeguard the security posture by addressing vulnerabilities stemming from default installations (e.g., unpatched software) or weak processes (e.g., default or reused passwords). Additional measures include configuring web browsers and disabling unnecessary features in Office, web browsers, and PDF viewers to mitigate the impact of potential cyber-attacks.

Admin Privileges Management

Granting admin privileges provides individuals with the authority to make substantial changes in the IT environment, including device reconfiguration and access to critical systems and sensitive data. As high-access targets, users with admin privileges are often exploited by hackers for malicious code distribution. It’s advisable to restrict this level of access to a minimal number of personnel, aligning privileges with user roles and duties. Additionally, robust processes for logging and archiving all actions should be implemented to ensure accountability and security.

Patch Operating Systems

Vulnerabilities in operating systems can be exploited by attackers to gain unauthorized access to your systems and data. Operating system patching is essential for protecting your IT environment from cyberattacks. Swift action, particularly within 48 hours for high-severity vulnerabilities, significantly reduces the risk of exploitation. 

Furthermore, organizations must recognize the importance of regular data backups. In the event of a cyber-attack, those without routine backup practices are at significant risk of data loss. This underscores the necessity of incorporating comprehensive backup strategies as part of a holistic cybersecurity approach. 

Multi-Factor Authentication

Multi-factor authentication (MFA) requires users to provide two or more different factors to verify their identity when logging in to an application, account, or VPN. This additional layer of security makes it much more difficult for attackers to gain unauthorized access, even if they have stolen a user’s password. MFA can be implemented using a variety of factors, such as passwords, one-time codes, biometric authentication, and hardware tokens. By requiring users to provide multiple factors, MFA significantly reduces the risk of successful cyberattacks.

Daily Backups

Tailoring your backup strategy to your organization’s risk appetite is crucial. Choosing between individual or hybrid strategies depends on aligning with business objectives in terms of cost, performance, and availability. 

Key Backup Strategies:

  • Mirror 
  • Full Backups 
  • Incremental Backups 
  • Differential Backups 


4 Levels of the Essential 8 Maturity Model

The Australian Cyber Security Centre (ACSC) updated the Essential Eight (E8) to include maturity levels (MLs). Each ML outlines requirements for implementing the E8. Organisations should select an ML that balances adequate security, staff capabilities, and budget. ML 0 was reintroduced as the lowest level of maturity, while ML 3 remains the highest and most protected level. ML 1 is recommended for most small to medium businesses (SMBs), ML 2 for larger enterprises, and ML 3 for enterprises or government agencies with more critical infrastructures or higher threat environments.  

Maturity Level Zero: Minimally aligned with the intent of the mitigation strategy. 

At this level, the organization has not taken any meaningful steps to implement the mitigation strategy. For example, the organization may not have a documented policy for patching applications, or they may not have a process in place for restricting administrative privileges. 

Maturity Level One: Partly aligned with the intent of the mitigation strategy. 

At this level, the organization has taken some steps to implement the mitigation strategy, but there are still significant gaps. For example, the organization may have a documented policy for patching applications, but they may not be able to patch all applications in a timely manner. 

Maturity Level Two: Mostly aligned with the intent of the mitigation strategy. 

At this level, the organization has implemented the mitigation strategy effectively, but there may still be some minor gaps. For example, the organization may have a process in place for restricting administrative privileges, but some users may still have administrative privileges that they do not need. 

Maturity Level Three: Fully aligned with the intent of the mitigation strategy. 

At this level, the organization has implemented the mitigation strategy in a comprehensive and effective manner. There are no significant gaps in the organization’s implementation of the mitigation strategy. 

Pattern for Achieving Goals for a Specific Maturity Level

Here are some examples of what organizations can do to achieve each maturity level for the Essential Eight mitigation strategy “Patch Applications”: 

Maturity Level Zero: 

  • Do not have a documented policy for patching applications. 
  • Do not have a process in place for tracking and managing patches. 
  • Do not have a process for testing patches before deploying them. 

Maturity Level One: 

  • Have a documented policy for patching applications, but the policy is not comprehensive or up-to-date. 
  • Have a process in place for tracking and managing patches, but the process is not effective. 
  • Have a process for testing patches before deploying them, but the process is not comprehensive or rigorous. 

Maturity Level Two: 

  • Have a comprehensive and up-to-date documented policy for patching applications. 
  • Have an effective process in place for tracking and managing patches. 
  • Have a comprehensive and rigorous process for testing patches before deploying them. 

Maturity Level Three: 

  • Have a comprehensive and up-to-date documented policy for patching applications. 
  • Have an effective process in place for tracking and managing patches. 
  • Have a comprehensive and rigorous process for testing patches before deploying them. 
  • Have a process in place for monitoring patches after deployment for any unexpected side effects.

Why ASD Essential 8 Maturity Model as a Benchmark

Is Essential 8 effective for improving an organisation’s cybersecurity posture and resilience? While there are various cybersecurity approaches that can secure your networks, the Essential 8 mitigation strategies are distinctively crafted to serve as a foundational framework for Australian government agencies. When implemented cohesively, these strategies create a baseline of security operations capable of safeguarding networks, users, applications, and data against nearly all persistent threats. The subsequent points illustrate the rationale behind the adoption of these mitigation strategies. 

Multi-Layered Defence: The Essential 8 mitigation strategies are designed to collaboratively strengthen network security. While each is effective individually, their combined implementation establishes a multi-layered defence, offering comprehensive protection against persistent threats. 

Accessibility: These strategies, while not cutting-edge, are reliable and time-tested. Implementing them correctly poses minimal risk. The ASD Essential 8 serves as a practical baseline for cybersecurity, providing a measurable benchmark aligned with ASD recommendations. 

Cost-Effectiveness: The Essential Eight strategies offer substantial protection against security breaches and malware with a modest financial investment. While implementation requires staff time and potential hardware/software upgrades, the costs are significantly lower than the aftermath of a compromise. 

Deployment: Adopting a comprehensive framework for these strategies facilitates efficient management from a centralized console. This approach ensures consistent policy enforcement across all users, applications, and devices, regardless of their location (on-premises, remote, cloud, or hybrid cloud). 

Automation: Many mitigation strategies can be automated, reducing management overhead and ensuring compliance. Security solutions with threshold and alert configurations enable swift identification and investigation of anomalous activities, preventing incidents like the Panama Papers leak with proper mitigation measures in place.  

Challenges of Essential Eight Implementation

While the E8 provides a comprehensive set of mitigation strategies to protect against a wide range of cyber threats, there are a number of factors that can make implementation difficult. 


  • Lack of visibility: Identifying security controls related to specific mitigation strategies and maturity levels requires fine-grained visibility. 
  • Manual effort: Without automation, ensuring your network is hardened and protected by following the Essential Eight or other industry standards may require time-consuming manual effort. 
  • Lack of resources: Mapping controls can require significant time, money, and expertise, which can be difficult to secure if an organization does not have the necessary resources. 
  • Constant changes: As the Essential Eight is constantly updated, and new systems are introduced as part of digital transformation, mitigation strategies must also be applied. Without proper measures in place, it can be extremely difficult to maintain control effectiveness and manage cybersecurity risks. 
  • Continuous monitoring and maintenance: It is critical to monitor and maintain Essential Eight controls after implementation to ensure their effectiveness. Lack of resources or processes to monitor and maintain controls can make it difficult to maintain effectiveness over time. 


How Intelliworx Can Help

How can Intelliworx help you reach new heights in cybersecurity effectiveness? We not only identify areas for enhancement but also craft a tailored roadmap and strategy to guide your business to achieve a robust level three compliance with ACSC Essential 8 Assessment Framework. 

Discover the full potential of your cybersecurity posture with Intelliworx Cyber Risk Consulting. Our expert team conducts a comprehensive maturity assessment, aligning your current cyber stance with the ASD Essential Eight or the entire ISO 27001 cybersecurity standards, pinpointing critical gaps. 

But that’s not all. Intelliworx goes beyond assessment and strategy. We offer hands-on assistance in control and rule review, meticulous tool selection, and the execution of proof of concepts. Working closely with your business management, we ensure effective implementation of necessary changes. 

Have questions on how to elevate your cyber posture? Reach out to your Intelliworx representative or contact us here. Your journey to cybersecurity excellence starts with Intelliworx. 

This website uses cookies to improve your web experience.