The Australian Signals Directorate (ASD) has released a new version of the Essential Eight (E8) mitigation strategies to protect against cyber threats.

The eight strategies have been updated to include:

• additional focus has been placed on higher priority patching scenarios for critical risks. In such circumstances, organisations should patch, update or otherwise mitigate vulnerabilities within 48 hours;
• in responding to ongoing attacks against citizens that continue to rely on just passwords for online customer services, the requirement for organisations to enforce the use of multi-factor authentication (MFA) for protecting web portals that store sensitive customer data (e.g. personal, health or identity-related data) has been adopted. In doing so, this change amends the existing requirement that allowed customers to easily opt-out of using MFA and instead use very weak password-based authentication. A new minimum MFA standard that requires ‘something users have’, in addition to ‘something users know’, has been adopted;
• requirements have been added to ensure consistency with governance processes for granting, controlling and rescinding privileged access to systems and applications;
• organisations are now encouraged to consider the business criticality of their data when prioritising backups rather than focusing exclusively on backing up important data.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.