Why the Essential Eight Falls Short for Microsoft 365 Copilot


The Essential Eight has done a lot of good.

It’s helped lift the baseline security posture of thousands of Australian organisations. It’s given boards something concrete to point at. And it’s given MSPs a common language to talk about “doing security properly”.

But here’s the uncomfortable truth:

The Essential Eight is not a good security framework for working with Microsoft 365 Copilot.

That doesn’t mean it’s useless.
It means it was never designed for this problem.

And pretending otherwise is where things start to break.

The Essential Eight Was Built for a Different Era

At its core, the Essential Eight is a host‑centric, exploit‑reduction framework.

Patch your systems.
Lock down macros.
Control admin privileges.
Stop ransomware from ruining your week.

That mindset made perfect sense when the primary risks were:

  • Malware executing on endpoints

  • Credential theft via phishing

  • Lateral movement across on‑prem networks

Copilot changes the threat model completely.

Copilot doesn’t break in.
It doesn’t escalate privileges.
It doesn’t drop malware.

It uses the access you’ve already given people—and amplifies it.

That’s a fundamentally different class of risk.

Copilot Turns “Access” Into the Attack Surface

The Essential Eight assumes that if a user can access something, the risk has already been accepted.

Copilot doesn’t.

Copilot takes that access and:

  • Aggregates it

  • Summarises it

  • Correlates it

  • Surfaces it in seconds

A user who technically had access to 10,000 SharePoint files—but never opened them—now has an AI assistant that can reason over all of them at once.

Nothing in the Essential Eight meaningfully addresses:

  • Overshared SharePoint sites

  • Inherited permissions chaos

  • “Everyone except external users” permission grants and “People in your organisation” sharing links

  • Legacy Teams and Groups no one remembers creating

From an Essential Eight perspective, everything is fine.

From a Copilot perspective, the tenant is a loaded weapon.
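Here is what that looks like in practice. The script below is an added example, not code from the original post or from CIAOPS: it walks every site collection in the tenant, flags any site where the tenant-wide principals “Everyone” or “Everyone except external users” hold a site-level role, writes the findings to a CSV, and can optionally hide those sites from Copilot and org-wide search with Restricted Content Discovery until the permissions are cleaned up. It assumes the SharePoint Online Management Shell module is installed, that you hold the SharePoint Administrator role, and that the contoso admin URL and report path are replaced with your own (both are placeholders).

```powershell
<#
Added example (not code from the original post or from CIAOPS).
Enumerate SharePoint Online site collections where "Everyone" or
"Everyone except external users" holds a site-level role, report them,
and optionally apply Restricted Content Discovery to each one.

Assumptions: SharePoint Online Management Shell is installed, you hold the
SharePoint Administrator role, and $AdminUrl / $ReportPath are replaced
with your own values (the contoso tenant below is hypothetical).
#>
param(
    [string]$AdminUrl   = 'https://contoso-admin.sharepoint.com',
    [string]$ReportPath = '.\copilot-oversharing.csv',
    [switch]$Restrict    # apply Restricted Content Discovery to every site found
)

Connect-SPOService -Url $AdminUrl

# Login-name fragments SharePoint uses for the two broad principals
$BroadClaims = @(
    'spo-grid-all-users',   # "Everyone except external users"
    'c:0(.s|true'           # "Everyone" (can include guests)
)

$findings = foreach ($site in Get-SPOSite -Limit All) {
    # OneDrive sites need a separate review; skip them here
    if ($site.Url -like '*-my.sharepoint.com/*') { continue }

    try {
        $groups = Get-SPOSiteGroup -Site $site.Url
    }
    catch {
        Write-Warning "Could not read groups on $($site.Url): $_"
        continue
    }

    foreach ($group in $groups) {
        # Keep any member whose login name contains one of the broad claims
        $broad = @($group.Users | Where-Object {
            $login = $_
            $BroadClaims | Where-Object { $login -like "*$_*" }
        })
        if ($broad.Count -gt 0) {
            [pscustomobject]@{
                Url       = $site.Url
                Group     = $group.Title
                Roles     = ($group.Roles -join ';')
                Principal = ($broad -join ';')
                Sharing   = $site.SharingCapability
            }
        }
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table -AutoSize

if ($Restrict) {
    foreach ($url in ($findings.Url | Sort-Object -Unique)) {
        # The site stays reachable by direct link, but its content is no
        # longer returned to Copilot or to org-wide search results.
        Set-SPOSite -Identity $url -RestrictContentOrgWideSearch $true
    }
}
```

Two caveats. First, this only catches site-level grants; “People in your organisation” sharing links on individual files and folders do not show up as group members and need a per-item review (the SharePoint admin centre’s data access governance reports cover that). Second, Restricted Content Discovery is a stopgap, not a fix: it hides the site from Copilot grounding, but every user who had access still has it. Fixing the permissions is the real work, and the feature carries its own licensing requirement (SharePoint Advanced Management), so check that before relying on the -Restrict switch.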

“We’re Essential Eight Compliant” Is a False Sense of Safety

This is where I see organisations get caught out.

They’ve ticked the boxes:

✅ MFA enforced
✅ Devices compliant
✅ Admin roles restricted
✅ Patching up to date

Then they turn on Copilot and assume security is handled.

It isn’t.

Because Essential Eight compliance tells you almost nothing about:

  • Who can see sensitive data

  • Whether data is correctly classified

  • Whether information barriers exist

  • Whether users understand the impact of AI on data exposure

Copilot doesn’t care that your macros are locked down.

It cares about data sprawl.

The Essential Eight Doesn’t Model “Inference Risk”

This is the biggest gap.

Copilot introduces inference risk—the ability to derive sensitive insights from non-sensitive data.

Individually harmless documents can become highly sensitive when combined:

  • A pricing doc

  • A staff list

  • A project timeline

  • A financial forecast

Copilot can stitch those together in ways humans rarely do.

The Essential Eight has no control for:

  • Semantic aggregation

  • Contextual inference

  • AI‑assisted discovery

You can be perfectly compliant and still expose far more than you realise.

Copilot Needs a Data‑Centric Security Model

If you’re serious about Copilot, your security thinking has to shift.

From:

“Can this device run malicious code?”

To:

“Should this person ever see this information—at scale?”

That means frameworks and controls that focus on:

  • Information architecture

  • Permission hygiene

  • Data classification and sensitivity labels

  • SharePoint and Teams governance

  • Ongoing access reviews

  • User behaviour and intent

None of which are meaningfully addressed by the Essential Eight.

This Doesn’t Mean You Throw the Essential Eight Away

Let’s be clear.

The Essential Eight is still a solid baseline.

You absolutely should be doing it.

But treating it as sufficient for Copilot is a mistake.

It’s like saying:

“We’ve installed seatbelts, so autonomous driving is safe.”

Different problem. Different risk profile.

The Right Question to Ask

Instead of asking:

“Are we Essential Eight compliant?”

Copilot forces a better question:

“What could Copilot expose tomorrow that we’d be uncomfortable explaining to the board?”

If you can’t answer that confidently, the framework you’re using is the wrong one for the job.

Copilot doesn’t reward checkbox security.

It rewards intentional design, clean data, and disciplined governance.

And that’s a conversation the Essential Eight simply wasn’t built to have.

Implementing ACSC Essential Eight Maturity Level 3 with Microsoft 365 Business Premium publication


I’ve developed a new publication called “Implementing ACSC Essential Eight Maturity Level 3 with Microsoft 365 Business Premium”. Here is the summary:


This guide is designed for small and medium business managed service providers (MSPs) aiming to achieve ACSC Essential Eight Maturity Level 3 (ML3) using Microsoft 365 Business Premium. ML3 is the highest of the Essential Eight maturity levels defined by the Australian Cyber Security Centre (ACSC), focusing on proactive defence against more capable adversaries and on regulatory compliance.


1. The Essential Eight and Maturity Level 3
  • The Essential Eight are eight interlocking security controls: Application Control, Patch Applications, Configure Office Macro Settings, User Application Hardening, Restrict Administrative Privileges, Patch Operating Systems, Multi-Factor Authentication (MFA), and Regular Backups.
  • ML3 requires proactive, defence-in-depth measures, rapid patching, advanced identity management, and centralised logging.
2. Microsoft 365 Business Premium as the Foundation
  • Integrates productivity tools with enterprise-grade security (Intune, Entra ID, Defender for Business, Purview).
  • The new Microsoft Defender Suite for Business Premium (formerly E5 Security add-on) provides advanced features like privileged identity management, threat hunting, and extended data retention.
3. Implementation Guidance for Each Control
  • Application Control: Use Windows Defender Application Control (WDAC, now branded App Control for Business) to block unauthorised code and drivers. The memory integrity (HVCI) protection that should accompany it needs VBS-capable hardware (TPM 2.0, virtualisation extensions).
  • Patch Management: Enforce rapid patching for applications and OS, automate updates via Intune, and use Defender Vulnerability Management for monitoring.
  • Restrict Admin Privileges: Separate admin accounts, enforce least privilege, use Entra Privileged Identity Management (PIM), and centralise logging.
  • MFA: Only phishing-resistant, cryptographically bound factors (FIDO2, smartcards, Windows Hello for Business) are permitted at ML3.
  • Macro & Application Hardening: Block macros from the Internet, enforce signed macros, remove legacy components (IE11, old .NET), and apply Attack Surface Reduction rules.
  • Regular Backups: Use Microsoft Purview for retention, Azure Backup for non-M365 workloads, and test restores regularly.
  • Governance: Continuous compliance monitoring with Purview Compliance Manager, Sentinel, and regular audits.
4. Business & Operational Benefits
  • Enhanced security, regulatory compliance, operational efficiency, business continuity, and competitive advantage.
5. Licensing & Cost Considerations
  • ML3 can be achieved with Business Premium plus the Defender Suite add-on.
  • The guide provides a staged implementation plan (gap assessment, MFA rollout, patching, advanced controls, continuous improvement).
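The MFA control above is the one most often misconfigured, because “MFA enforced” and “phishing-resistant MFA enforced” are different Conditional Access policies. The script below is an added example, not code from the publication or from CIAOPS: it creates a report-only Conditional Access policy in Entra ID that requires the built-in “Phishing-resistant MFA” authentication strength, which is the control that limits sign-in to FIDO2, certificate-based and Windows Hello for Business methods. It assumes the Microsoft Graph PowerShell SDK is installed, that you hold the Conditional Access Administrator role, and that you pass the object ID of your own emergency-access (break-glass) group; the policy name is a placeholder.

```powershell
<#
Added example (not code from the publication or from CIAOPS).
Create a report-only Conditional Access policy requiring the built-in
"Phishing-resistant MFA" authentication strength for all users and apps.

Assumptions: Microsoft Graph PowerShell SDK is installed, you hold the
Conditional Access Administrator role, and $BreakGlassGroupId is the object
ID of your real emergency-access group (hypothetical value required).
#>
param(
    [Parameter(Mandatory)]
    [string]$BreakGlassGroupId
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Resolve the built-in strength by name rather than hard-coding its GUID
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) {
    throw "Built-in 'Phishing-resistant MFA' authentication strength not found"
}

# Show which method combinations the strength accepts, so the rollout plan
# can confirm every user has at least one of them registered first
Write-Host "Allowed combinations for '$($strength.DisplayName)':"
$strength.AllowedCombinations | ForEach-Object { Write-Host "  $_" }

$body = @{
    displayName = 'E8 ML3 - Require phishing-resistant MFA'
    # Start in report-only; switch to 'enabled' once the sign-in logs show
    # no unexpected failures for the policy
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)   # never lock out break-glass
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
$policy | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the Conditional Access insights show every non-break-glass sign-in would have satisfied it; users still registered only with the Authenticator app or SMS will fail once it is enforced, and that registration gap, not the policy itself, is usually the bulk of an ML3 MFA rollout.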

Conclusion

Achieving ML3 with Microsoft 365 Business Premium and the Defender Suite delivers measurable improvements in security, compliance, and resilience. The guide provides step-by-step instructions, best practices, and references to Microsoft documentation for each control area. Continuous improvement, regular training, and staying current with ACSC/Microsoft updates are emphasised for ongoing compliance and protection.


There is a lot that I could keep adding to this publication, but I’m going to throw it out there and see whether people find value before I invest more time in it. Currently the report is 31 pages in total.

I have also decided on a different distribution method this time as well. If you want a copy head over to my Ko-Fi at:

https://ko-fi.com/ciaops

and leave me a one-time tip for whatever you feel it is worth, and I’ll email you a copy. Also ensure you include a message letting me know you want the publication.

If you then provide me feedback on the publication, such as how it can be improved or any errors you find, I’ll then send you the next version for free when it becomes available.

This seems to me to be the easiest way to determine whether it is worth my time investing more effort to improve the document.

Let’s see.