The Conflict
The ASD's Essential Eight is designed to help organisations protect themselves against a range of cyber threats. It distils the most effective of the ASD's mitigation strategies, which are well documented and widely recommended.
Yet recently, I encountered a frustrating situation that highlights a growing tension between security best practice and everyday usability.
What Happened
At Maturity Level One of the Essential Eight, the "User Application Hardening" mitigation strategy requires that:
"Web browsers do not process web advertisements from the internet."
In most cases, this requirement can be met with the advertisement-blocking features built into modern browsers such as Microsoft Edge and Google Chrome.
However, a major Australian news website, one that previously worked perfectly with these protections in place, now blocks access entirely if ad-blocking is detected. The site becomes completely unusable.
The Impossible Choice
So our options become:
- Follow the Essential Eight guidance from the Australian Signals Directorate (ASD), the government body responsible for protecting Australia against cyber security threats, and lose access to daily news.
- Disable security protections to read the news and catch up on Australian and world events.
This is a false choice that shouldn't exist.
Why This Matters for Organisations
For organisations implementing the Essential Eight (particularly those seeking government contracts or compliance), this creates a real operational problem:
- Employees can't access legitimate information sources while maintaining compliance
- Exceptions create policy gaps that are difficult to manage at scale
- It undermines confidence in the security controls themselves
The Broader Issue
This is symptomatic of a larger problem: the disconnect between security standards and the commercial realities of the web. When following government security guidance renders significant portions of the internet inaccessible, we need to ask whether:
- Content providers should be held to a standard that doesn't force users to weaken their security posture
- The Essential Eight guidance needs more nuanced implementation guidance for these scenarios
- There's a role for government in mediating between security best practice and commercial content delivery
Security shouldn't require sacrificing access to information. We can do better.