When the Australian Signals Directorate (ASD) first launched the Essential 8, it was lauded as a beacon of pragmatism and simplicity. Eight mitigation strategies, well-defined and laser-focused on addressing the most frequent cyber-attack vectors. For smaller businesses or organisations that start from a zero security baseline, it offers a lifeline out of a position of total exposure.
Yet this is precisely where the praise should end. For more mature organisations, and especially those that touch the global stage, the Essential 8 is not sufficient. Even at its highest level of Maturity Level 3 – the ceiling of achievement – businesses are left exposed to critical risks. The Essential 8 may improve cyber hygiene but does not provide resilience. Resilience is what counts in a business on the world stage, where exposure to advanced threat actors, complex supply chains and regulatory environments can go beyond typical mitigation strategies.
The reality is this: Essential 8 compliance gets you “safe” in Australia, but still critically vulnerable in the world.
To see this clearly, it helps to compare and contrast the Essential 8 against global standards and frameworks that underpin enterprise cybersecurity internationally.
NIST Cybersecurity Framework (CSF): This standard, based in the United States, is holistic in its coverage, going far beyond technical hardening to cover governance, risk management, detection, response and recovery. It is dynamic and adaptable to emerging threats. NIST CSF is also lifecycle and resilience oriented, recognising that security is an evolving discipline – not a one-and-done checklist. It is prescriptive by design (https://www.nist.gov/cyberframework).
ISO/IEC 27001: An international gold standard that requires a full Information Security Management System (ISMS) covering policies, governance, supplier risk, compliance obligations, asset management, and continuous improvement. ISO 27001 is comprehensive, reflecting that cybersecurity impacts all parts of the organisation’s ecosystem. (https://www.iso.org/isoiec-27001-information-security.html)
SOC 2: A standard to which many service providers are held (especially SaaS and cloud companies). SOC 2 audits look at five trust principles – security, availability, processing integrity, confidentiality and privacy. It is a demand for independent, external assurance on third-party risk, data protection and operational resilience. These are topics only tangentially covered by the Essential 8. (https://www.aicpa-cima.com/resources/article/soc-2)
Put alongside these frameworks, the Essential 8 seems narrow. It is heavily focused on hardening endpoints and is prevention-first. This is a useful strategy – but in a modern environment where breaches are inevitable, it is far from sufficient.
The Essential 8 was developed in the on-premises era. It does not consider cloud misconfiguration or shared responsibility models, or address the unique risks of SaaS third-party ecosystems. Yet cloud misconfigurations are a leading cause of data breaches today, with many solutions now provided as-a-service.
By contrast, ISO 27001 and SOC 2 both explicitly require controls and management around cloud use.
The prevalence of supply-chain and third-party attacks in the wild, from SolarWinds to MOVEit and on, shows that adversaries increasingly target vendors and suppliers. The Essential 8 barely mentions supplier/vendor risk. By contrast, SOC 2 and ISO 27001 are built around vendor management.
The Essential 8 is prevention-heavy: patch applications, block macros, control admin access. It is silent on detection, threat hunting, incident response (IR) and recovery. Prevention is important, but attackers will find a way in. NIST CSF is more mature in its expectations in these areas.
Accidental or malicious insiders are a major attack vector, but the Essential 8 says nothing about user behaviour monitoring, privileged account misuse, or insider risk culture. SOC 2 and ISO 27001, by contrast, cover insider threats.
With GDPR, CCPA and coming reforms to Australian privacy laws, data protection is a top risk. Data classification, encryption, retention and lawful processing are crucial and complex. But the Essential 8 treats data as incidental, rather than a core focus.
ISO 27001 and SOC 2 both cover data governance in depth.
In September 2022, Optus was breached. Data for almost 10 million customers was exposed – passports, driver’s licenses and Medicare details – via an unauthenticated API endpoint. Source: https://en.wikipedia.org/wiki/2022_Optus_data_breach
Even if Optus had 100% implemented the Essential 8, at Maturity Level 3, the breach likely still would have happened. Why? Because the Essential 8 does not speak to API security, cloud architecture review, vulnerability discovery in operation, or other weak points exploited here.
In late 2022, another highly sensitive breach: Medibank had 9.7m customers affected. Attackers got in via stolen credentials associated with a contractor account. Investigations found poor implementation of multi-factor authentication (MFA), a lack of privileged access controls, and weak user management. Source: https://idm.net.au/article/0014788-medibank-security-failures-revealed-oaic
Australia’s privacy regulator, the OAIC, has since commenced legal action against Medibank for allegedly failing to take “reasonable steps” to safeguard personal information. But even full Essential 8 alignment would not have shielded Medibank from its oversight failings in third parties, governance and identity controls. See coverage: https://www.reuters.com/legal/australia-regulator-files-lawsuit-against-medibank-over-data-breach-2024-06-04
In March 2023, Latitude Financial reported a breach that eventually led to 14m records compromised. 7.9 million were driver’s licence numbers, with 53,000 passports also stolen. It took a while to appreciate the scale of the breach, but a data retention/governance issue was revealed: sensitive information was being held well beyond business needs.
Source: https://www.theguardian.com/australia-news/2023/mar/27/latitude-financial-cyber-data-breach-hack-14m-customer-records-stolen
The Essential 8, which does not meaningfully address data retention and governance, would not have protected Latitude Financial against this risk.
The risk is not purely technical. The greater risk is cultural: complacency. An organisation that achieves Maturity Level 3 under the Essential 8 may conclude it is “safe” enough. It can declare victory. Boards may rest easy. Customers may be assured their data is protected.
But adversaries do not win by achieving compliance benchmarks. They will attack other angles of exposure, ones the Essential 8 does not even contemplate: cloud service gaps, insider threats, third-party mismanagement, data governance problems, and so on.
In this way, the Essential 8 has the potential to be a great comfort blanket: it is 100% comfortable, but it is a dangerous one. It offers a false sense of security while the organisation remains vulnerable to exploitation.
The ASD’s Essential 8 is still a very useful framework. For SMBs with no baseline, it is crucial. But it is only a starting point for larger enterprises, especially those with international customers and partners.
To build resilience, businesses must add the following standards on top of the Essential 8:
On the global stage, Essential 8 compliance says one thing to partners and customers: you have met the minimum standard. But in a digital world where adversaries are innovating 24/7, the minimum is never enough.