Australian Enterprise Aligns Security to Essential Eight

Ninety per cent of Australian organisations are planning to align their security programs to the Essential Eight, highlighting its momentum as it fast becomes a de facto standard inclusion in cybersecurity strategies across the country. That’s according to a survey conducted at last month’s AusCERT security conference by BeyondTrust.

The Essential Eight provides organisations with a clear framework that can improve their levels of IT security and better position them to withstand attacks. 

However, when asked to select the top three challenges organisations face in aligning to the Essential Eight, 63 per cent of respondents highlighted application control, while just over half (51%) cited user application hardening.

Just under half (49%) also said that patching applications was a challenge, while restricting admin privileges was also highlighted as a struggle by more than one in four (44%) respondents.

The survey, highlighting the increasing workload of security teams, also found that more than one in eight (85%) organisations are pursuing a Zero Trust security model, with their processes either in place or in progress.

However, reflecting that zero trust is a journey, 46 per cent of organisations allow third parties to remotely access their internal system via VPN. This is likely to breach the principle of least privilege, as VPNs commonly offer all-or-nothing access to systems while users are connected unless considerable effort is put into maintaining routing rules.

For this reason, bringing users from a remote network via the Internet and onto a trusted or secure private network so they can access an application or data is inefficient at best, and risky at worst.

Indeed, 69 per cent of respondents from organisations adopting zero trust say that users in their organisation have excessive privileges beyond what is required to do their job. 

Ultimately, a Zero Trust security model advocates for the creation of zones and segmentation to control sensitive IT resources. This also entails the deployment of technology to monitor and manage data, users, applications, assets, and other resources between zones, and, more importantly, authentication within zones.

“The findings of this survey suggest that while many Australian organisations are embarking on a Zero Trust strategy they are potentially missing one of the foundations of the strategy: the principle of least privilege,” says Scott Hesford, Director of Solutions Engineering, Asia Pacific and Japan, BeyondTrust.

“Excessive privileges and common VPN configurations go against the principle of least privilege – the concept of providing just the right amount of access for the specific amount of time for a user to complete a task – and are commonly exploited by cyber attackers.”

“The survey findings also reflect the challenges around the Essential Eight expressed by cybersecurity professionals that we speak to every day,” says Hesford. “Many teams struggle to find the balance between productivity and security for aspects of the Eight, such as application control and restricting admin privileges.”

“Ongoing budget and resourcing constraints mean that organisations are looking to consolidate strategies of application control, user application hardening and restricting admin privileges into a single solution set.”

Indeed, just under half (48%) of respondents had seen their workload increase over the past two years due to a variety of reasons, including growing attack sophistication and frequency, lack of security skills across the business, an inability to hire and retain staff, the higher repercussion from a breach, and the need to manage too many deployed security solutions.

In addition, the survey found that 48 per cent of respondents felt that organisations had not yet learned lessons resulting from major recent publicised cybersecurity attacks and updated their security strategies.

Hesford says that “despite the ongoing cybersecurity threats, the ongoing challenge appears to be providing secure enablement for the business without creating a false expectation of fool-proof prevention. This will require a change in culture, resourcing and skills and this can only come with a fundamental rethinking of the ways we manage IT and security.”

“It’s more important than ever to realise that an organisation, from its leadership to its IT team, must understand and commit to a cybersecurity strategy, whether starting with the Essential Eight or moving towards Zero Trust, and in turn provide the necessary planning, resourcing, and operations needed to ensure it delivers the expected business benefits.”