What are the pillars in the ACSC Essential 8 and how does your NFP stack up?

For any NFP keen to shore up their cybersecurity, the ACSC Essential 8 provides a valuable and cost-effective framework. The benefits of the framework were highlighted in our recent blog, Mitigation strategies for cyber-attacks: Essential 8 for NFPs. But what are the pillars that make up the framework and how can they help you assess your cybersecurity maturity?

According to Techware CEO and cybersecurity specialist David Sia, the ACSC Essential 8 gives NFPs clarity on exactly which cybersecurity measures they have in place.

“If someone asks you a yes or no question such as ‘do you have backup?’ it doesn’t actually tell you anything. What the Essential 8 does is force you to think about the detail. The rating system effectively shines a light on a job well done, or on an area requiring more attention,” says David.

Understanding the ACSC Essential 8 pillars

To fully grasp the appeal of the Essential 8 for NFPs, it helps to understand the pillars and what they mean in everyday terms. At its core, the ACSC Essential 8 is a framework to assess and measure the security maturity of your business IT. The framework consists of eight pillars, each offering cyber security mitigation strategies. These are:

• Application whitelisting
• Patching applications
• Microsoft Office macro setting configuration
• Application hardening
• Restriction of admin privileges
• Operating system patching
• Multi-factor authentication (MFA)
• Daily backups

Within each pillar there are steps to take that help improve your NFP’s security posture. Some of the ACSC Essential 8 steps are small and fundamental measures. However, when combined with all the other measures, they create a powerful line of defence for your organisation.

Across all pillars there are levels of maturity that impact your benchmark score.

“Each level has defined criteria that need to be met (per pillar) to achieve the maturity. When we start working with an NFP to roll out the ACSC Essential 8, we do a lot of information gathering first. Then we go through the information provided, validate it, and assess it against the criteria,” says David.

According to David, it is not uncommon for NFPs to have ticked the required box at level two, but still have gaps at level one.

“You get a score at each level so there is no way for anything to fall through the cracks. Once collected, this data then creates the base of our recommendations and forms a roadmap to work through and increase security,” adds David.

Remaining compliant as scrutiny and standards intensify

Not-for-profit compliance expectations are increasing within the industry. By adopting the ACSC Essential 8, NFPs can easily report to partners and regulators.

“Because it was created by the government, and effectively tested and proven by the government, the ACSC Essential 8 has essentially become the ‘go to’ standard of security. It’s a logical framework for NFPs to embrace and one we have seen many organisations have great success with,” explains David.

A multi-layered defence

Like any other organisation, NFPs are not immune to cyber-attacks. In fact, historically they have been specifically targeted, particularly around email impersonations. Not-for-profit compliance is an important area to consider when thinking about cybercrime.

“In the past a lot of focus was on protecting the perimeter and blocking bad traffic into the corporate network. The difference now is that where attackers used to target infrastructure, they now have many layers of attack, including social engineering and vulnerabilities in applications and mobile devices. So, an NFP needs many layers of defence and that is what the ACSC Essential 8 provides,” says David.

If you want to better understand the security posture of your NFP and establish a standard to work towards, Techware can help. Contact the team today to find out how you can use the ACSC Essential 8 to strengthen the protection and sustainability of your organisation.