90% of Australian organisations plan to align their security programs to the Essential Eight, which is becoming a standard cybersecurity strategy nationwide.
That's according to a survey conducted at last month's AusCERT security conference by BeyondTrust, an expert in intelligent identity and access security.
The Essential Eight provides organisations with a clear framework that can improve their levels of IT security and better position them to withstand attacks.
However, when asked to select the top three challenges organisations face in aligning to the Essential Eight, 63% of respondents highlighted application control, while just over half (51%) cited user application hardening.
Just under half (49%) also said that patching applications was a challenge, while restricting admin privileges was highlighted as a struggle by more than one in four (44%) of respondents.
The survey, which highlights the increasing workload of security teams, also found that more than one in eight (85%) organisations are pursuing a Zero Trust security model, with 85% either having their processes in place or progressing.
Yet 46% of organisations allow third parties to remotely access their internal systems via VPN. This will likely breach the principle of least privilege, as VPNs commonly offer all-or-nothing access to systems while users are connected, unless considerable effort is put into maintaining routing rules.
For this reason, bringing users from a remote network, via the Internet, onto a trusted or secure private network so they can access an application or data introduces risk.
Indeed, 69% of respondents from organisations adopting zero trust say that users in their organisation have excessive privileges beyond what is required to do their job.
A Zero Trust security model ultimately advocates creating zones and segmentation to control sensitive IT resources. This also entails deploying technology to monitor and manage data, users, applications, assets, and other resources between zones and, more importantly, authentication within zones.
Scott Hesford, Director of Solutions Engineering, Asia Pacific and Japan, BeyondTrust, says: "The findings of this survey suggest that while many Australian organisations are embarking on a Zero Trust strategy, they are potentially missing one of the foundations of the strategy: the principle of least privilege."
"Excessive privileges and common VPN configurations go against the principle of least privilege, the concept of providing just the right amount of access for the specific amount of time for a user to complete a task, and are commonly exploited by cyber attackers."
"The survey findings also reflect the challenges around the Essential Eight expressed by cybersecurity professionals that we speak to every day."
"Many teams struggle to find the balance between productivity and security for aspects of the Eight, such as application control and restricting admin privileges."
"Ongoing budget and resourcing constraints mean that organisations are looking to consolidate strategies of application control, user application hardening and restricting admin privileges into a single solution set," says Hesford.
Just under half (48%) of respondents had seen their workload increase over the past two years for a variety of reasons, including growing attack sophistication and frequency, a lack of security skills across the business, an inability to hire and retain staff, the higher repercussions of a breach, and the need to manage too many deployed security solutions.
In addition, 48% of the respondents felt that organisations had not yet learned lessons from major recent publicised cybersecurity attacks and updated their security strategies.
Hesford says: "Despite the ongoing cybersecurity threats, the ongoing challenge appears to be providing secure enablement for the business without creating a false expectation of fool-proof prevention."
"This will require a change in culture, resourcing and skills, and this can only come with a fundamental rethinking of the ways we manage IT and security."
"It's more important than ever to realise that an organisation, from its leadership to its IT team, must understand and commit to a cybersecurity strategy."
"Whether starting with the Essential Eight or moving towards Zero Trust, and in turn provide the necessary planning, resourcing, and operations needed to ensure it delivers the expected business benefits," says Hesford.