Navigating Cyber Security Compliance and Regulations: Essential 8 vs. Privacy Act

Share on

The ASD Cyber Threat Report 2022-2023 released mid-November 2023 highlights alarming results. It reveals that:

  • The number of cybercrime reports has increased by 23%
  • The average cybercrime cost per report is up 14%

Cybercriminals were described as adversaries who show “persistence and tenacity” and “constantly test vulnerabilities in Australia’s cyber ecosystem and employ a range of techniques to evade Australia’s cyber defences.”

As an authorised Australian Government framework, the Essential Eight were of course among the measures suggested in the report to be implemented. We’ll start off by reviewing the Essential Eight and then delve into a framework that is less talked about but is actually mandatory for most Australian organisations – the Privacy Act.


The Essential 8 is a Good Foundation (But Not the Finish Line)

The Essential Eight is a set of controls prescribed by the Australian Cyber Security Centre (ACSC) to protect organisations from cyber threats and attempts to compromise the personal information of their customers and stakeholders.

The eight strategies are:

  • Application control – restricting the use of unapproved software
  • Patching applications – updating software to fix vulnerabilities
  • Configuring Microsoft Office macro settings – disabling/limiting macros from running malicious code
  • User application hardening – disabling exploitable features (e.g., web browser plug-ins)
  • Restricting administrative privileges – limiting the number of users who can perform high-risk actions
  • Patching operating systems – updating the system software to fix security vulnerabilities
  • Multi-factor authentication – requiring an additional security layer to verify a user’s identity
  • Daily backups – creating copies of important data and storing them securely

The ACSC has developed a security model from 0 to 3 for each of these strategies. An organisation with a maturity level 0 has not achieved any of the requirements. A level 3 means the organisation has achieved a high level of maturity. A common misconception is that organisations must achieve level 3 to be compliant. On the contrary, organisations can adopt the maturity level they need, depending on their vulnerabilities to cyber threats.

The Essential Eight cyber security risk mitigation are baseline strategies, and implementing them is the minimum expected from organisations. They are foundational and highly recommended, but your cyber security efforts should not stop there.


The Privacy Act: Mandatory for Data Protection

In its latest report, the Australian Signals Directorate (ASD) urges businesses to ensure resistance to cyber threats and go beyond the Essential Eight.

Say hello to the Privacy Act 1988.

Whilst the Essential Eight is one of the most well-known frameworks in Australia, its strategies are actually not mandatory. In contrary, the Privacy Act is less mentioned but most Australian organisations handling personal information must comply with it.

The organisations covered by the Privacy Act have an annual turnover greater than $3 million* OR are:

  • An Australian Government agency;
  • Private sector health service providers including private hospitals, therapists, gyms and child care centres;
  • Not-for-profit organisations;
  • Businesses that sell or purchase personal information;
  • A credit reporting body;
  • A contracted service provider for an Australian Government contract;
  • A business that holds accreditation under the Consumer Data Right System; and
  • A business that is related to a business that is covered by the Privacy Act.

*Note: Following the Privacy Act review in September 2023, one of the ‘Agreed in Principle’ proposals was the abolishment of the small business ($3m) exemption. Learn more.


The Privacy Principles

The Privacy Act includes 13 Australian Privacy Principles (APPs) that organisations must comply with, so you should be careful of the financial risks if you were to be assessed by the government. Meanwhile, whilst the Essential Eight are not mandatory, being non-compliant with some of those steps could lead to legal actions under the Privacy Act.

In short, the Essential Eight and the Privacy Act are both vital to IT security and data protection – but let’s look at the Privacy Act in more detail. The law regulates how personal information is handled by organisations and agencies. Below is an overview of the APPs which set the standards, rights, and obligations for collecting, using, disclosing, storing, securing, and accessing personal information.

APP 1Open & Transparent Management of Personal InformationAPP entities must have a privacy policy and handle personal information lawfully and fairly.
APP 2Anonymity & PseudonymityIndividuals must have the option to not identify themselves or use a pseudonym when dealing with APP entities, unless impracticable or unlawful.
APP 3Collection of Solicited Personal InformationAPP entities must only collect personal information that is reasonably necessary or directly related to their functions or activities and do so by lawful and fair means.
APP 4Dealing With Unsolicited Personal InformationAPP entities must determine whether they could have collected the personal information under APP 3 and, if not, destroy or de-identify it as soon as practicable.
APP 5Notification of the Collection of Personal InformationAn APP entity that collects personal information must tell an individual about certain matters under certain circumstances.
APP 6Use or Disclosure of Personal InformationAPP entities must only use or disclose personal information for the purpose for which it was collected unless the individual consents or an exception applies.
APP 7Direct MarketingAn organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8Cross-Border Disclosure of Personal InformationOutlines what an APP entity must do to protect personal information before it is disclosed overseas.
APP 9Adoption, Use or Disclosure of Government Related IdentifiersAPP entities must not adopt, use or disclose a government-related identifier of an individual, unless the identifier is prescribed by law, or an exception applies.
APP 10Quality of Personal InformationAn APP entity must take reasonable steps to ensure that the personal information they collect, use, or disclose is accurate, up-to-date, complete, and relevant.
APP 11Security of Personal InformationAPP entities must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure, and to destroy or de-identify personal information when it is no longer needed.
APP 12Access to Personal InformationAn APP entity must give individuals access to their personal information on request, unless an exception applies, such as when giving access would pose a serious threat to someone’s life or health.
APP 13Correction of Personal InformationOutlines the reasonable steps an APP entity must follow to correct personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, either on their own initiative or at the request of the individual.

Over the last few years, we’ve seen an influx of cybercrime which prompted a lengthy review of the Privacy Act. In September 2023, a report was released over 100 new principles and while some were agreed in full, there were many only “agreed in principle”. One in particular was the proposal to remove the exemption for small businesses.


Discover How This Impacts Your Organisation

How the Privacy Act Review Affects Non-Profits

How the Privacy Act Review Affects the Medical Industry

How the Privacy Act Review Affects the Education Sector

See Privacy Act Report


The Essential 8 and The Privacy Act: Parallel Paths to Protection

The frameworks of the Essential Eight and The Privacy Act both aim to enhance the cyber resilience and privacy protection of Australian entities. Here’s how they compare:

The Essential 8The Privacy Act
What is it?A recommended set of eight strategies to mitigate cyber security threats and incidents.A comprehensive law that regulates the handling of personal information.
What’s the purpose?To help organisations prevent or minimise the damage caused by cyberattacks.To help organisations comply with their legal obligations and ethical responsibilities when handling personal information.
How do organisations benefit from it?Reduction of cyber-attack risk and protection of sensitive data.Prevention of data breaches and improvement in customer trust.
What are the consequences of non-compliance?No penalties but can increase the risk of threats and compromise sensitive data.Companies:

1. AU$50 million, or;

2. Three times the value of benefits obtained or attributable to the breach (if quantifiable) or;

3. 30% of the corporation’s ‘adjusted turnover’ during the ‘breach turnover period’ (if the court cannot determine the value of the benefit obtained)


Was $440,000 but was increased to $2.5 million on December 13th 2022.

What’s involved?Assessing an organisation’s current level of compliance, based on a four-tier maturity model, then implementing the strategies and moving toward optimal protection at maturity level 3.Understanding an organisation’s obligations under the APPs, then implementing privacy policies and practices, guided by resources and tools from the OAIC.
Who’s covered? Recommended for all organisations, but not mandatory for Australian businesses.Mandatory for organisations with an annual turnover of more than $3 million*. Some small businesses are also covered if they store person identifiable information and meet other criteria.

*This is expected to change following the Privacy Act Review.

Is it mandatory?Not mandatory for Australian businesses, but highly recommended.


Mandatory for Australian businesses that meet the criteria of APP entities.



What Your Cyber Security Strategy Should Look Like

In the end, your organisation should aim for the level of cyber protection that is best suited and ensure full compliance with laws and regulations. You can approach it with a combination of the 8 mitigation strategies and the 13 principles.

ADITS CyberShield solution takes cyber protection to a whole new level where security is at the core of everything we do. Our offering includes managed services and compliance & governance measures as well as security measures and monitoring to ensure your business is industry compliant.


Your Cyber Security Journey

Compliance does not automatically translate to strong cyber security. Likewise, cyber security is not “set and forget”. It is a continuing process that needs your attention and effort if you want to ensure that your systems and data are always protected.

Understanding the Essential Eight and the Privacy Act is important. Since cyber security is complex and ever-evolving, it’s also vital to keep up-to-date with cyber security solutions, trends, and best practices. Though cyber security may seem mostly technical, it is in fact a business matter.

Executives and board members are personally liable in the event of a breach so instilling a cyber security culture throughout the organisation should be a priority.

With this in mind, ADITS is launching a half-day certified C-Suite training workshop where we’ll go through:

  • Data security and privacy compliance
  • Potential risks to your business and how to address them
  • Personal liabilities
  • Reporting
  • Crisis management recommendations
  • Best practices for policies and procedures

Register Your Interest For Our C-Suite & Board Training

Share on