How manual auditing is letting down the Essential Eight
By Ian Fisher, Director of Banking, Finance and Government, Tanium
Wednesday, 27 September, 2023
While the Essential Eight has been welcomed by the public and private sector as a strong, world-leading initiative to build Australia’s cyber resilience, its implementation has been anything but easy. Now mandated for federal government agencies under Policy 10, in 2022–23 the ANAO found maturity levels for most entities were still significantly below the policy’s requirements.
In both the public and private sectors, CIOs and CISOs face significant challenges in achieving and maintaining Essential Eight compliance levels. It’s important to note that an accurate, comprehensive auditing process is still not a regulatory requirement, meaning gaps are being left. And while it’s one thing to implement policies and procedures, without an effective auditing process the mandate becomes nothing but lip service.
Much of the challenge with implementing the Essential Eight is due to a lack of confidence in identifying true compliance levels in real time across all endpoints, which is hard when up to 20% of endpoints are unknown in 94% of organisations, according to Tanium research.
To identify gaps, most organisations manually sample only a small number of endpoints to gather a point-in-time view. The audit may spit out a compliance score, but that doesn’t necessarily provide an accurate indication of success against the Essential Eight. Given the manual process, it’s also highly open to individual interpretation.
Without precise, up-to-date insights, auditing becomes a box-ticking exercise with no way to remediate issues in a timely manner. This leaves organisations open to non-compliance and lowers their defence levels. So, what are the limitations of manual auditing and how can organisations overcome them?
Flying blind on compliance
The first limitation of manual auditing is that it often involves taking manually collated snapshots from disparate sources of information collected from across an organisation’s thousands of endpoints. Stitching together that many data sets is an arduous task, meaning by the time it's collected, analysed and acted on, it’s already out of date, hindering the security team's ability to effectively manage and secure its IT infrastructure.
The second issue with manual auditing is that it only takes a sample of devices from across an organisation. Results are then extrapolated to create a score that is not representative of the entire environment and provides no real understanding of where the actual risk lies. Let’s consider a large bank with 50,000 employees and over 80,000 endpoints. Manually testing each endpoint is near impossible, so they might choose to test a 10% sample. However, this means there is no way of guaranteeing compliance across the remaining 72,000 endpoints. Naturally, implementations of policies and procedures will likely differ from one part of the organisation to another. Therefore, sampling one device in one part of the business should not provide peace of mind that the same level of security has been applied across every function and/or device.
Leaving security to chance on the basis of statistical rules and the balance of probability is completely inadequate in today’s threat landscape.
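To make the sampling problem concrete, here is an added worked example (not code from the article or from Tanium) that models a constructed fleet of 1,000 endpoints spread over three business units, each with a different Essential Eight gap. It compares the fully-compliant rate from a complete enumeration with the rate a 10% systematic sample and a single-business-unit sample would report, and then shows the per-unit, per-control gap breakdown that a full-inventory view yields. All hostnames, unit names and compliance patterns are made up for the demonstration.

```python
"""Constructed fleet model: full-population enumeration versus sampled audits
for Essential Eight control coverage. Added example for this article; not a
Tanium product, and all hostnames, business units and counts are made up."""
from collections import defaultdict

# The eight mitigation strategies of the ACSC Essential Eight.
ESSENTIAL_EIGHT = (
    "application_control",
    "patch_applications",
    "office_macro_settings",
    "user_application_hardening",
    "restrict_admin_privileges",
    "patch_operating_systems",
    "multi_factor_authentication",
    "regular_backups",
)


def _endpoint(unit, i, missing):
    """One endpoint record: hostname, business unit and per-control state."""
    return {
        "hostname": f"{unit}-{i:04d}",  # constructed hostname
        "business_unit": unit,
        "controls": {c: c not in missing for c in ESSENTIAL_EIGHT},
    }


def build_fleet():
    """Constructed 1,000-endpoint fleet whose gaps differ by business unit,
    mirroring the article's point that implementations differ across an org."""
    fleet = []
    # Retail: OS patching failed on every fourth host (125 of 500).
    for i in range(500):
        missing = {"patch_operating_systems"} if i % 4 == 0 else set()
        fleet.append(_endpoint("retail", i, missing))
    # Trading: local admin left on even hosts, MFA missing on every fifth host.
    for i in range(300):
        missing = set()
        if i % 2 == 0:
            missing.add("restrict_admin_privileges")
        if i % 5 == 0:
            missing.add("multi_factor_authentication")
        fleet.append(_endpoint("trading", i, missing))
    # Branch: legacy image with no application control at all (200 of 200).
    for i in range(200):
        fleet.append(_endpoint("branch", i, {"application_control"}))
    return fleet


def is_fully_compliant(ep):
    return all(ep["controls"].values())


def fully_compliant_rate(endpoints):
    """Share of the given endpoints with all eight controls applied."""
    return sum(is_fully_compliant(e) for e in endpoints) / len(endpoints)


def control_rates(endpoints):
    """Per-control coverage across the given endpoints."""
    n = len(endpoints)
    return {c: sum(e["controls"][c] for e in endpoints) / n for c in ESSENTIAL_EIGHT}


def systematic_sample(endpoints, every):
    """Point-in-time sample: every Nth device from the inventory list."""
    return endpoints[::every]


def unit_sample(endpoints, unit, k):
    """Sample drawn from a single part of the business."""
    return [e for e in endpoints if e["business_unit"] == unit][:k]


def gaps_by_unit(endpoints):
    """Full-inventory view: non-compliant endpoint counts per unit and control,
    i.e. where the risk actually lies rather than one blended score."""
    gaps = defaultdict(lambda: defaultdict(int))
    for e in endpoints:
        for c, ok in e["controls"].items():
            if not ok:
                gaps[e["business_unit"]][c] += 1
    return {u: dict(cs) for u, cs in gaps.items()}


if __name__ == "__main__":
    fleet = build_fleet()
    print("full fleet       :", fully_compliant_rate(fleet))
    print("10% systematic   :", fully_compliant_rate(systematic_sample(fleet, 10)))
    print("100 retail hosts :", fully_compliant_rate(unit_sample(fleet, "retail", 100)))
    for unit, gaps in gaps_by_unit(fleet).items():
        print(unit, gaps)
```

On this constructed fleet the complete enumeration reports 49.5% of endpoints fully compliant, while the 10% systematic sample reports 25% (its stride happens to line up with the trading unit's admin-rights pattern) and a sample taken only from retail reports 75%. Neither sampled score identifies that every branch device lacks application control; only the per-unit breakdown from the full inventory does.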
Taking the guesswork out of audits
The way around the challenges posed by traditional auditing systems is through real-time continuous auditing. By creating visibility across all endpoints, organisations can establish always-on compliance monitoring with no blind spots. Comprehensive views of device inventories and compliance levels mean any gaps in the implementation of the Essential Eight can be picked up and remediated immediately rather than staying undetected for weeks or months.
This approach completely removes the need to undertake manual periodic audits that rely on outdated qualitative data. Instead, it provides a unified view that gives certainty and peace of mind around compliance instantaneously, empowering organisations to make more informed security decisions. Taking a proactive approach to compliance will also reduce liability for leadership teams and board members, as well as significantly reduce the costs associated with auditing, consulting and labour.
National benchmark or not, if auditing against the Essential Eight is not comprehensive or accurate, then the risk is still present. Having real-time visibility into all endpoints is the only way organisations can ensure they’re maintaining the Essential Eight strategies. With continuous auditing capabilities, organisations can save significant internal resources while streamlining risk mitigation and remediation. When it comes to cybersecurity, there’s too much on the line to leave compliance to chance.