Each maturity level is based on mitigating increasing levels of adversary tradecraft (tools, tactics, techniques, and procedures) except for Maturity Level Zero, which suggests an organisation does not have a viable defence against any adversary.

The ACSC states that “organisations need to consider that the likelihood of being targeted is influenced by their desirability to adversaries, and the consequences of a cyber security incident will depend on their requirement for the confidentiality of their data, as well as their requirement for the availability and integrity of their systems and data. This, in combination with the descriptions for each maturity level, can be used to help determine a target maturity level to implement.”

Maturity Level 0

Maturity Level Zero indicates that there are significant weaknesses in an organisation’s security posture, which would be easy to exploit by an adversary.

Organisations operating at this maturity level are at risk of the confidentiality of their data or the integrity or availability of their systems and data being compromised.

Maturity Level 1

Organisations targeting Maturity Level One are looking to protect themselves from adversaries that are seeking any victim, rather than a specific victim. These adversaries opportunistically seek common weaknesses in many targets, rather than investing heavily to gain access to a specific target.

Controls at Maturity Level One focus on defending against “adversaries who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, systems” (ACSC, 2021).

Maturity Level 2

Organisations that have reached Maturity Level Two have a reasonable defence against more advanced adversaries that might be specifically targeting their organisation.

These adversaries are willing to invest more time and effort, whilst continuing to be conservative, to improve the effectiveness of their tools by targeting a specific organisation. They are likely to ensure their phishing is effective and utilise common social engineering techniques to trick users into weakening the security of a system and launching malicious applications.

Controls at this maturity level tighten the Maturity Level One controls, introducing shorter timelines for action, ensuring high-risk activities are logged, and considering a broader scope of potential threats.

Maturity Level 3

Organisations operating under Maturity Level Three controls focus on mitigating threats from adversaries that are more adaptive and much less reliant on public tools and techniques. These adversaries are typically very focused on specific targets and are willing and able to invest effort into understanding the organisation and its implemented policy and technical security controls.

The adversaries targeting these organisations can exploit opportunities provided by weaknesses in cyber security postures to gain initial access, evade detection and solidify their presence.

Additional controls at this level centre around very short timeframes for action, enabling centralised monitoring of activity on the network, and considering a very broad scope of potential threats.

IMPLEMENTING THE ESSENTIAL EIGHT

The first step in implementing the Essential Eight is to identify and plan for a target maturity level suitable for your organisation.

Organisations then need to implement the controls required for the target maturity level across all the Essential Eight strategies. Once this level has been achieved, if organisations require a higher maturity level, they need to repeat the process for each mitigation strategy at each maturity level until the target maturity level is achieved. It is important to note that an organisation’s overall maturity score is based on the lowest score across the eight strategies and will not change until all eight mitigation strategies have been uplifted to that maturity level.

Compliance can be expensive – achieving any maturity level of the Essential Eight will require a significant investment in time and material, especially if your organisation currently operates with very few security controls. Unless your organisation is facing advanced threats, or has a specific requirement, it’s usually a good idea to target a basic level of maturity across all eight strategies, rather than over-investing in one particular strategy. Identifying an appropriate budget from the outset helps reduce the risks of cost overrun and helps prevent cut corners that can have a financial penalty later, especially if your organisation becomes a victim of a cyber-attack.

Organisations looking to start on this journey should invest first in quality people. While some security tooling is invaluable, and is required to meet the controls, it is all functionally useless without an operator. The right people will be able to advise on and implement quality tools in the way that works best for your organisation. Organisations looking to operate as efficiently as possible should seek to minimise vendors to reduce administrative overheads, and leverage experts for advice to get the right security solution for your unique needs.