Readers will recall from an article Holman Webb published back in 2018 that the Australian Cyber Security Centre recommended eight best-practice mitigation strategies that organisations should implement as a baseline defence against targeted cyber intrusions, ransomware and malicious insiders.
These strategies are known as the Essential Eight.
The Essential Eight involve application whitelisting, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and daily backups.
These strategies may seem relatively straightforward to those working within the IT industry, but the failure of organisations (including government instrumentalities) to implement them has moved the Australian government to consider mandating the Essential Eight controls and requiring all public service entities to implement them forthwith.
The concern arises as a result of a Parliamentary Committee Report into cyber resilience, in which it was confirmed that many government agencies had not even implemented the basic four mitigation strategies, let alone the recommended eight.
This move by the government is likely to be relevant to those in the private sector. Although Holman Webb is not aware of any litigation to this effect (yet), it could give rise to the possibility of the victim of a data breach or cyber incident alleging that the targeted business had a duty to protect the wrongfully released data, and that this duty was breached by the failure to implement the Essential Eight controls.
This could in turn open the organisation to a claim that it was negligent, and therefore liable to compensate the victim for loss suffered as a result of the breach (over and above any fines or penalties imposed by the Privacy Commissioner arising from the wrongful disclosure of personal data).
Given the government's approach has been endorsed by the Government Security Committee, the importance of the Essential Eight should not be underestimated.
The other big-picture issue arising from the study was that many agencies had self-assessed as managing their IT security to "maturity", but only one of those actually had "the appropriate evidence to support the self-assessment". This should signal to private organisations that a dedicated and specific regime should be implemented, rather than relying on ad hoc implementation or accepting slowly developing levels of cyber security controls.
From a legal point of view, the controls set out in the Essential Eight also involve the implementation and application of internal policies and procedures regulating staff and user conduct.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.