
Implementing the ACSC Essential 8 Maturity Model. Mitigation Strategy 8: Regular Backups

Duong Dang
30 June 2025
The Essential 8 Maturity Model is a set of baseline cyber security measures for Australian organisations developed by the Australian Cyber Security Centre (ACSC). This article forms part of our Essential 8 series and goes into detail on Mitigation Strategy 8: Regular Backups. Read on to learn about how you can implement Mitigation Strategy 8: Regular Backups for all Essential 8 Maturity Levels within your organisation.
What are Regular Backups?
We’ve now come to the last of the Essential 8 Mitigation Strategies: regular backups. Backups are all about recovery. You may have been unable to prevent malware delivery and execution in your environment with
Application Control,
Patch Applications,
Configure Microsoft Office Macros,
and User Application Hardening.
Hopefully, you have at least limited the extent of cyber security incidents by
Restricting Administrative Privileges,
Patch Operating Systems,
and Multifactor Authentication.
Either way, if cyber criminals have breached your environment, they can start to do damage. Some common techniques are exfiltrating your data and leaving ransomware notes or infecting your critical servers with malware crippling your systems.
In any of these cases, you could be left with no data; therefore, backups are essential: not only creating and protecting them, but also testing the business continuity plan you would use to recover from them. Unfortunately, we have seen too often organisations put in the effort to collect and protect backups for years without ever testing them, only to find out, when they needed them most, that the backups were useless. Tough times.
This last Essential 8 Mitigation Strategy, regular backups, helps your organisation recover from a cyber incident by protecting your backups and applying least privileges and separation of duties principles to your backups.
Why are Regular Backups important?
While this is the last time we speak about users in Essential 8, it is important to continuously understand your users so you can adapt your backup strategy to your organisation.
👩💼Business users
I back up important files to my shared drive
I have some files I do not back up
✅Risk managers
We should back up regularly to minimise business risk in the event of an incident
The more we back up, the less risk
👩💻IT users
We take backups of IT systems all the time
We don’t test all our backups
We secure our backups with X encryption techniques
They take a lot of storage space, so we don’t store them for too long
😈Threat actors
If I can steal data, I want as much leverage as possible to make them pay my ransomware demands.
Maturity Level 1: Regular Backups
Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
Essential 8 talks about backing up your data, software, and configuration settings. If you are on-prem, it is straightforward to do all three; however, if you are using services like Microsoft 365, most backup solutions will only let you back up your data, not your configuration, so you may have to look for alternatives. To implement this, review your business continuity plan to confirm your backup frequency and retention timeframes. Then, if you are not already using one, look for a backup solution that covers your data, software, and configuration settings. Assessors will review your business continuity documentation for backup frequency requirements and retention periods.
Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
If your configuration, data, and software backups are taken at mismatched times, restoration will likely be unsuccessful, because the restored components will not be consistent with each other. Therefore, the backups must be synchronised to a common point in time; otherwise, they may be useless.
Backups of important data, software and configuration settings are retained in a secure and resilient manner.
Backups should be encrypted, and your backup processes and procedures must be resilient in case your backup equipment or provider fails.
If you back up yourself, you need to secure your backups. If you use third parties, you must check that your backups are protected and secure.
Restoration of important data, software and configuration settings from backups to a common point in time is tested as part of disaster recovery exercises.
If you have done your backups correctly and backed up your data, software, and configuration settings to a synchronised point in time, standing up another environment and testing your disaster recovery process should be successful.
As we mentioned, it is essential to test your backups. You want to avoid a situation where an incident has occurred, your data has unfortunately been exfiltrated, and only then do you find out that your backups do not work and have never worked.
Record your disaster recovery exercises, reports and lessons learnt. This requirement concerns disaster recovery, meaning a significant recovery, not a business-as-usual recovery.
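The two Maturity Level 1 points above, a common point in time for data, software and configuration, and a restore test that proves the set actually comes back, can be exercised in code. The following is an added example written for this article, not code from the article, the ACSC or any backup vendor. It captures three constructed components into one archive tagged with a single point-in-time value, embeds a manifest of SHA-256 hashes, and then restores into an empty directory and verifies every file against the manifest. The component names, the manifest layout and the sample file contents are this example's own assumptions.

```python
"""Synchronised point-in-time backup set with a restore test (added example)."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

# The three things the Maturity Model says to back up (names assumed here).
COMPONENTS = ("data", "software", "config")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup_set(source_root: Path, dest: Path, point_in_time: str) -> Path:
    """Archive all components under one point-in-time tag and embed a manifest.

    Each component records the tag it was captured at, so a set assembled from
    runs taken at different times is detectable at restore time.
    """
    manifest = {"point_in_time": point_in_time, "components": {}}
    archive = dest / f"backup-{point_in_time}.tar"
    with tarfile.open(archive, "w") as tar:
        for comp in COMPONENTS:
            files = {}
            for f in sorted((source_root / comp).rglob("*")):
                if f.is_file():
                    rel = f.relative_to(source_root).as_posix()
                    files[rel] = sha256_file(f)
                    tar.add(str(f), arcname=rel)
            manifest["components"][comp] = {"point_in_time": point_in_time, "files": files}
        payload = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return archive


def read_manifest(archive: Path) -> dict:
    with tarfile.open(archive, "r") as tar:
        return json.load(tar.extractfile("MANIFEST.json"))


def has_common_point_in_time(manifest: dict) -> bool:
    """ML1 check: every component must share the set's point in time."""
    tags = {c["point_in_time"] for c in manifest["components"].values()}
    return tags == {manifest["point_in_time"]}


def restore_and_verify(archive: Path, restore_root: Path) -> dict:
    """Restore into an empty directory and compare every file against the manifest.

    Refuses unsynchronised sets, and writes only relative paths under restore_root
    instead of trusting archive member names blindly.
    """
    manifest = read_manifest(archive)
    if not has_common_point_in_time(manifest):
        raise ValueError("backup components were captured at different points in time")
    verified, mismatched = 0, []
    with tarfile.open(archive, "r") as tar:
        for comp in manifest["components"].values():
            for rel, expected in comp["files"].items():
                if Path(rel).is_absolute() or ".." in Path(rel).parts:
                    mismatched.append(rel)
                    continue
                target = restore_root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(rel).read())
                if sha256_file(target) == expected:
                    verified += 1
                else:
                    mismatched.append(rel)
    return {"point_in_time": manifest["point_in_time"],
            "verified": verified, "mismatched": mismatched}


def run_restore_test() -> dict:
    """Build a constructed source tree, back it up, and restore-test it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {  # constructed sample content, one file per component
            "data/customers.csv": "id,name\n1,Example Pty Ltd\n",
            "software/installed-packages.txt": "payroll-app 4.2.1\n",
            "config/app.json": '{"db_host": "db.internal", "tls": true}\n',
        }
        for rel, text in samples.items():
            p = root / "src" / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        archive = create_backup_set(root / "src", root, "20250630T020000Z")
        return restore_and_verify(archive, root / "restore")


if __name__ == "__main__":
    print(run_restore_test())
```

The restore deliberately goes to a fresh directory rather than over the source, which is what a disaster recovery exercise does: the value of the test is in proving the set is complete and consistent on its own, and in recording the result, not in touching production.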
Unprivileged accounts cannot access backups belonging to other accounts.
This applies least privilege to backups. Admins should manage backups; unprivileged accounts should not need to touch backups, especially those belonging to other accounts.
Assessors will check backup permissions to ensure compliance.
Unprivileged accounts are prevented from modifying and deleting backups.
Since unprivileged accounts can only access their own backups, this requirement intends to stop them from modifying and deleting those backups as well.
Maturity Level 2: Regular Backups
Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.
At Maturity Level 2, Essential 8 extends least privilege on backups so that privileged accounts (excluding backup admins) can now only access their own backups.
Restricting access in this way limits the impact of a cyber incident, should privileged accounts be compromised, to only their own backups.
Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.
At Maturity Level 2, privileged accounts, not just unprivileged accounts, can no longer modify or delete their own backups.
Here we can see Essential 8 apply separation of duties to backups by splitting privileged accounts from backup administrator accounts, to limit the damage further should your environment be breached. In doing so, adversaries cannot encrypt or delete your backups unless they manage to obtain access to backup admin accounts, a subset of privileged accounts.
Maturity Level 3: Regular Backups
Unprivileged accounts cannot access backups belonging to other accounts, nor their own accounts.
At Maturity Level 3, Essential 8 takes least privilege even further. Access to backups is restricted to backup admins only. Here, unprivileged accounts can no longer access even their own backups.
Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts, nor their own accounts.
Extending least privilege again, privileged accounts that are not backup admins can no longer access any backups, including their own.
Privileged accounts (including backup administrator accounts) are prevented from modifying and deleting backups during their retention period.
Finally, backups should not be tampered with by anyone, including backup administrators. Therefore, making backups immutable to all users, including backup admins, is the ultimate way to protect backups from compromise. Even if backup admin credentials are stolen, your data will remain intact.
Of course, you only keep your backups immutable in accordance with your organisation’s business continuity plan and its defined retention period; otherwise, the storage footprint could be huge, not to mention the costs!
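The access and immutability rules across the three maturity levels are easiest to reason about when written as one authorisation function, and that function can then be replayed over a backup platform's audit log to spot permissions that are looser than the level you claim. The block below is an added example for this article, not ACSC guidance or any product's API. It encodes the Maturity Level 1, 2 and 3 requirements quoted above: unprivileged accounts lose modify and delete at ML1 and all access at ML3; other privileged accounts are limited to their own backups at ML2 and to none at ML3; and at ML3 nobody, backup admins included, can modify or delete a backup until its retention period ends. The role names, the event format and the constructed audit events are assumptions of the example, as is treating ML1 as placing no restriction on privileged accounts (the level's wording only mentions unprivileged ones).

```python
"""Backup access policy per Essential 8 maturity level (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Role and action labels are this example's own, not an ACSC or vendor vocabulary.
UNPRIVILEGED, PRIVILEGED, BACKUP_ADMIN = "unprivileged", "privileged", "backup_admin"
READ, MODIFY, DELETE = "read", "modify", "delete"


@dataclass(frozen=True)
class Backup:
    owner: str            # account the backup belongs to
    created: date
    retention_days: int   # taken from the business continuity plan

    def in_retention(self, today: date) -> bool:
        return today < self.created + timedelta(days=self.retention_days)


def authorise(level: int, role: str, actor: str, action: str,
              backup: Backup, today: date) -> bool:
    """Return True if the policy for the given maturity level permits the request."""
    if level not in (1, 2, 3):
        raise ValueError(f"unknown maturity level {level}")
    own = actor == backup.owner
    if role == BACKUP_ADMIN:
        # Backup admins may always read. ML3 makes backups immutable to everyone,
        # backup admins included, until the retention period has ended.
        return action == READ or not (level == 3 and backup.in_retention(today))
    if role == UNPRIVILEGED:
        # ML1/ML2: own backups readable but never modifiable; ML3: no access at all.
        return action == READ and own and level < 3
    if role == PRIVILEGED:
        if action == READ:
            # ML1 names no restriction for privileged accounts (assumed: allow);
            # ML2: own backups only; ML3: none.
            return level == 1 or (level == 2 and own)
        # ML2 and above: privileged accounts cannot modify or delete any backup.
        return level == 1
    raise ValueError(f"unknown role {role}")


def find_policy_violations(level: int, events: list, today: date) -> list:
    """Replay backup-platform audit events against the expected policy.

    An event the platform allowed but the policy denies points at a permission
    that is looser than the claimed maturity level and should be investigated.
    """
    return [e for e in events
            if e["outcome"] == "allowed"
            and not authorise(level, e["role"], e["actor"], e["action"],
                              e["backup"], today)]


def sample_violations(level: int) -> list:
    """Constructed audit log of three allowed events; returns the offending actors."""
    today = date(2025, 6, 30)
    alice_backup = Backup(owner="alice", created=date(2025, 6, 1), retention_days=90)
    events = [  # constructed sample events
        {"role": UNPRIVILEGED, "actor": "alice", "action": READ,
         "backup": alice_backup, "outcome": "allowed"},
        {"role": PRIVILEGED, "actor": "bob-admin", "action": DELETE,
         "backup": alice_backup, "outcome": "allowed"},
        {"role": BACKUP_ADMIN, "actor": "bk-svc", "action": DELETE,
         "backup": alice_backup, "outcome": "allowed"},
    ]
    return [e["actor"] for e in find_policy_violations(level, events, today)]


if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(f"ML{lvl} violations:", sample_violations(lvl))
```

Replaying the same three events at each level shows the ratchet the article describes: the privileged deletion becomes a finding at ML2, and at ML3 even the backup service account's deletion inside the 90-day retention window is a finding, which is exactly the behaviour an immutable (retention-locked) backup store should enforce.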
Concluding Regular Backups
Regular Backups is a short but important Mitigation Strategy.
Regular backups can be used to recover from cyber incidents. Processes, procedures, and responsibilities should be defined in your business continuity policy. Backups must be protected with encryption, and access limited by applying least privilege and separation of duties. Finally, backups must be tested regularly, and any learnings documented.
At the end of the day, backups can save you, and while it may be an afterthought, make sure you take your backups seriously.
If you have followed all of our Essential 8 series, pat yourself on the back! It’s a great effort, and together we have made the world safer. We would love to hear from you, so please contact us to chat about Essential 8.
Where to Next?
Keep your organisation’s backups safe and make sure they are tested!
Resources
Australian Cyber Security Centre (ACSC).
"Strategies to Mitigate Cyber Security Incidents", by the Australian Cyber Security Centre (ACSC).
"The Essential 8", by the Australian Cyber Security Centre (ACSC).
"The Essential 8 FAQ", by the Australian Cyber Security Centre (ACSC).
"Essential 8 Maturity Models", by the Australian Cyber Security Centre (ACSC).