Eight years on, half of Australian companies still haven’t implemented ASD’s Top 4 mitigations

Application whitelisting has been one of four key recommended protection methods for more than five years, but half of Australian businesses in one recent survey said they still aren’t using the security technique at all.

Whitelisting was part of the Australian Signals Directorate’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions – which also included application patching, operating system patching, and tightening control over administrative privileges – when they were introduced in 2010 and, in 2013, mandated for all government departments.

It has been regularly cited as a baseline target for information-security policy – with claims that the four mitigations can address 85 percent of security vulnerabilities – and was last year expanded into the ‘Essential Eight’, which has since supplanted the Top 4.

Despite the purported authority of the guidelines, however, a poll of executives at Avanti’s recent ANZ user conference found that 49.2 percent still had not implemented application whitelisting – and that even more had implemented only basic operating-system patching mechanisms.

Fully 13.1 percent of respondents were taking longer than a month to patch extreme-risk operating-system vulnerabilities, while 36.1 percent were equally laggard in patching extreme-risk application vulnerabilities.