If you run a business in Australia, you've probably heard the term “Essential Eight” mentioned by your IT provider, your accountant, or your cyber insurance broker. But what is it, exactly? And does it actually apply to your business?
The Essential Eight is a set of cybersecurity mitigation strategies published by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD). It represents the baseline: the minimum set of controls every organisation should have in place against the most common cyber threats. It was written for Microsoft Windows-based networks, which is where most SMBs sit, although the same principles carry across to other platforms. It's not a product you buy. It's a framework you implement.
This guide explains each of the eight strategies in plain English, why they matter for small and medium businesses, and how to get started.
Why the Essential Eight Matters for SMBs
There's a persistent misconception that cyber attacks only target large enterprises. The reality is the opposite. The ACSC's Annual Cyber Threat Report 2022–23 found that small businesses reported an average loss of over $46,000 per cybercrime report, a figure that has risen year on year. Attackers target SMBs precisely because they tend to have weaker defences and fewer resources to detect and respond to incidents.
Cyber insurance providers are increasingly asking about Essential Eight compliance before issuing or renewing policies. Some won't cover businesses that lack basic controls like multi-factor authentication. And if you handle personal data — which almost every business does — the Privacy Act and the Notifiable Data Breaches scheme create legal obligations to protect that data.
Key point: The Essential Eight isn't just a government checklist. It's increasingly a requirement for cyber insurance, client contracts, and regulatory compliance. The often-quoted "85%" figure comes from ASD's assessment that the original "Top 4" strategies (application control, patching applications, patching operating systems and restricting administrative privileges) would have prevented at least 85% of the targeted intrusions it responded to; the Essential Eight extends that baseline. Note that this is a reduction in successful intrusions, not in "attack surface".
The Eight Strategies Explained
1. Application Control
Application control prevents unauthorised software from running on your systems. Instead of trying to block every piece of malware individually, you define which applications are allowed to run — and everything else is blocked by default.
For SMBs, this typically means configuring Windows AppLocker or App Control for Business (formerly Windows Defender Application Control) so that only approved programs execute on company devices. Roll it out in audit mode first, review what would have been blocked over a few weeks, and only then switch to enforcement. Done that way it is one of the most effective controls against malware, ransomware, and unauthorised software installations.
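As an added example (not code from the original article or from ASD), the script below puts the allow-by-default-location idea into practice: it applies a minimal AppLocker policy in audit mode and then asks AppLocker, without executing anything, how it would treat a file in a user's Downloads folder. The rule names, the staging path and the sample file are illustrative assumptions; the XML schema, SIDs and cmdlets are the standard AppLocker ones.

```powershell
# Added example (not from the original article): a minimal AppLocker policy
# in audit mode, then a dry-run test of how it would treat a downloaded file.
# Run in an elevated PowerShell on Windows 10/11 Pro or Enterprise. Rule names,
# the staging path and the sample file are illustrative assumptions.

# Allow list: users may run what lives under Program Files and Windows;
# local Administrators (S-1-5-32-544) may run anything. Once a collection has
# any rule, everything not matched (Downloads, %TEMP%, USB sticks) is denied.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow everything for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# AppLocker rules are only evaluated while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# Apply to this machine. On a domain you would target a GPO with -Ldap instead.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Constructed test file: a copy of a Windows binary placed where users download things.
$sample = Join-Path $env:USERPROFILE 'Downloads\invoice-viewer.exe'
Copy-Item "$env:WINDIR\System32\calc.exe" $sample -Force

# Dry run: ask the policy what it would decide for a standard user (Everyone),
# without executing the file. Admins would be allowed by the third rule.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

For a standard user the decision for the Downloads copy is Denied, because no allow rule covers that path. While the policy is in audit mode, nothing is actually stopped; "would have been blocked" events (ID 8003) accumulate in the Microsoft-Windows-AppLocker/EXE and DLL event log, and that is the list you review before changing EnforcementMode to Enabled. Two practitioner caveats: the Script, Msi and Dll collections need their own rules, and the path rule for %WINDIR% includes a few user-writable folders (C:\Windows\Tasks and C:\Windows\Temp among them) that are well-known bypasses, so a mature policy adds exceptions for those or prefers publisher rules.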
2. Patch Applications
When software vendors discover security vulnerabilities, they release patches (updates) to fix them. Attackers know this — and they actively exploit vulnerabilities in unpatched software, often within days of a patch being released.
The Essential Eight maturity model sets patching timeframes rather than a single number. At Maturity Level One, vulnerabilities in internet-facing services (a mail server, a VPN gateway, a web application) must be patched within 48 hours of release when the vendor rates them critical or a working exploit exists, and within two weeks otherwise. Browsers and their extensions, email clients, PDF software, Microsoft Office and security products must be patched within two weeks; the 48-hour target for those applications only arrives at Maturity Level Three. You also need a vulnerability scanner run at least weekly (daily against internet-facing services) so you actually know what is missing. This isn't about feature updates: it's about closing known security holes before attackers walk through them.
3. Configure Microsoft Office Macro Settings
Macros are small programs embedded in Office documents (Word, Excel) that automate tasks. They're also one of the most common ways malware is delivered — an employee opens what looks like a normal invoice or spreadsheet, and a hidden macro installs ransomware or a backdoor.
The fix is straightforward: block macros in files that came from the internet (Office has done this by default since 2022, but a policy makes it non-negotiable), disable macros entirely for staff with no demonstrated business need, allow only macros from trusted locations or signed by trusted publishers for those who do, and lock the setting so users cannot change it from the Trust Center. Most businesses don't need macros at all, and those that do can implement targeted exceptions rather than leaving the door open.
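The following is an added example, not code from the original article or from Microsoft: it writes the two Office policy values that implement the setting above for the current user, then shows what "from the internet" actually means to Office, which is the Mark of the Web on the file. The registry names and values are the documented Office policy settings; the sample workbook is constructed in the script so the check runs offline.

```powershell
# Added example (not from the original article): enforce the Essential Eight
# macro settings for the current user, then show what "from the internet"
# means to Office. Registry names and values are the documented Office policy
# settings; the sample file is constructed here so the check runs offline.

foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    # Policy keys, not the user's own Trust Center keys: Office greys the
    # setting out in the UI, so users cannot re-enable macros themselves.
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    # Block macros in any file carrying Mark of the Web (downloaded, emailed, from a share).
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # 4 for staff with no business need; 3 plus trusted publishers for the exception group.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
}

function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Browsers and mail clients tag downloads with an NTFS alternate data stream
    # named Zone.Identifier; ZoneId 3 (Internet) or 4 (Restricted) is what the
    # macro block above keys on. No stream, no block: VBAWarnings alone decides.
    try {
        $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        return [bool]($zone | Where-Object { $_ -match '^ZoneId=[34]$' })
    } catch {
        return $false
    }
}

# Constructed sample: an empty workbook carrying the same mark a download would.
$sample = Join-Path $env:TEMP 'invoice.xlsm'
New-Item -Path $sample -ItemType File -Force | Out-Null
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Test-MarkOfTheWeb $sample    # mark present: Office would block this file's macros
Unblock-File $sample         # what a user does when they click "Unblock" in Properties
Test-MarkOfTheWeb $sample    # mark gone: only VBAWarnings stands between the user and the macro
```

Deploy the same values through Group Policy or Intune rather than running this on each machine by hand; the point of writing them under HKCU\Software\Policies is that the UI cannot override them. The Mark of the Web check is also why VBAWarnings=4 matters: the mark is lost when a user clicks Unblock, when a file is copied to a non-NTFS volume, or when some archive tools extract it, and at that point the internet block no longer applies.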
4. User Application Hardening
This strategy involves configuring web browsers and other applications to reduce their attack surface. In practical terms, it means disabling or restricting features that attackers exploit: Java in the browser, web advertisements (a common malware delivery vector), Internet Explorer 11, and unnecessary browser extensions. Flash was dropped from the model after its 2020 end-of-life; if it is still installed anywhere, remove it.
It also means locking browser security settings so users cannot change them, and hardening the script engines attackers live off: disable Windows PowerShell 2.0 (it lacks the logging and language controls of the current version) and, at the higher maturity levels, run PowerShell in Constrained Language Mode and log script execution centrally. A PowerShell execution policy such as AllSigned is a guard against accidents, not a security boundary: it is bypassed with a single command-line switch, so it does not count as a control. Disabling AutoRun for removable media is a sensible extra even though the model does not list it. These are configuration changes, not software purchases.
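Here is an added example (not from the original article) of the script-engine part of this strategy applied and verified on a single workstation from an elevated PowerShell session. The feature names and registry path are the ones Windows uses; the reporting function is the author's illustration. .NET Framework 3.5 (feature NetFx3) is also on the model's list but is left out here because removing it silently breaks older line-of-business applications, so check dependencies before you disable it.

```powershell
# Added example (not from the original article): apply and verify the
# script-engine items of User Application Hardening on one workstation.
# Requires an elevated session. Windows feature names and registry paths
# are as documented by Microsoft; the report function is illustration.

# 1. Remove the downgrade path. PowerShell 2.0 has none of the logging or
#    language-mode controls of PowerShell 5.1 and is a well-known bypass.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# 2. Disable Internet Explorer 11 where it is still present (Windows 10).
#    The feature name carries the architecture, so look it up rather than hard-code it.
$ie = Get-WindowsOptionalFeature -Online | Where-Object FeatureName -like 'Internet-Explorer-Optional-*'
if ($ie -and $ie.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName $ie.FeatureName -NoRestart | Out-Null
}

# 3. Record what PowerShell actually runs (event ID 4104 in the
#    Microsoft-Windows-PowerShell/Operational log), so it can be shipped centrally.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 4. Report. Constrained Language Mode is not a switch you flip here: it is
#    enforced by an application control policy (AppLocker or App Control for
#    Business) that covers scripts, so this only reports the current state.
function Get-HardeningState {
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PowerShellV2    = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State
        IE11            = if ($ie) { (Get-WindowsOptionalFeature -Online -FeatureName $ie.FeatureName).State } else { 'NotPresent' }
        LanguageMode    = $ExecutionContext.SessionState.LanguageMode
        ScriptBlockLog  = (Get-ItemProperty -Path $sbl).EnableScriptBlockLogging
        ExecutionPolicy = Get-ExecutionPolicy   # informational only: not a security boundary
    }
}
Get-HardeningState
```

A compliant workstation reports PowerShellV2 as Disabled, IE11 as Disabled or NotPresent, ScriptBlockLog as 1 and, once an application control policy covering scripts is enforced, LanguageMode as ConstrainedLanguage for standard users. ExecutionPolicy is shown only so nobody mistakes it for a control.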
5. Restrict Administrative Privileges
Administrative accounts have unrestricted access to systems — installing software, changing configurations, accessing all files. If an attacker compromises an admin account, they effectively own your entire network.
The Essential Eight requires that admin privileges be limited to the people who genuinely need them, only for the tasks that require them, and only for the duration needed, with the need validated when access is granted and reviewed regularly afterwards. Day-to-day work (email, web browsing, document editing) should never be done from an admin account: administrators get a separate privileged account, and that account is blocked from reaching the internet, email and web services at all. This single control dramatically limits the damage an attacker can do even if they get in.
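As an added example (not the article's or any vendor's code), this script audits local Administrators membership across a handful of workstations and flags everyday accounts that hold admin rights. The computer names and the "-adm" naming convention for dedicated admin accounts are assumptions to adapt; PowerShell Remoting (WinRM) must be enabled on the targets.

```powershell
# Added example (not from the original article): audit local Administrators
# membership on several workstations and flag everyday user accounts.
# Computer names and the "-adm" convention are assumptions; requires WinRM.

$computers    = 'PC-RECEPTION', 'PC-FINANCE', 'PC-SALES01'   # assumed names
$adminPattern = '-adm$'            # assumption: dedicated admin accounts end in -adm
$builtIn      = @('Administrator') # built-in account: should be disabled or renamed separately

# Collect membership from each machine. Name comes back as DOMAIN\user,
# MACHINE\user or AzureAD\user@tenant; PrincipalSource says where it lives.
$findings = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $_.Name
            ObjectClass = $_.ObjectClass       # User or Group
            Source      = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        }
    }
}

# Classify each member. Groups are not wrong in themselves, but their
# membership is where admin rights quietly accumulate, so they get a review flag.
$report = $findings | ForEach-Object {
    $short   = ($_.Member -split '\\')[-1]
    $verdict =
        if ($_.ObjectClass -eq 'Group')      { 'Review group membership' }
        elseif ($short -in $builtIn)         { 'Built-in account: confirm disabled' }
        elseif ($short -match $adminPattern) { 'OK: dedicated admin account' }
        else                                 { 'REMOVE: everyday account holds admin' }
    $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
}

$report | Sort-Object Verdict, Computer |
    Format-Table Computer, Member, Source, Verdict -AutoSize
```

Anything marked REMOVE is a user doing email and web browsing from an account that can install software and disable security tooling; give that person a standard account and, if they genuinely need elevation, a separate "-adm" identity. This covers local rights only: who holds Global Administrator and other privileged roles in Microsoft Entra ID is a separate review (the Microsoft Graph PowerShell SDK's Get-MgDirectoryRole and Get-MgDirectoryRoleMember cover it). One known wrinkle: on some Entra-joined builds Get-LocalGroupMember throws on orphaned SIDs in the group, in which case `net localgroup Administrators` still lists the members.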
6. Patch Operating Systems
The same principle as patching applications, but for the operating systems themselves: Windows, macOS, Linux, and mobile operating systems. The timeframes mirror the application ones: at Maturity Level One, 48 hours for critical or actively exploited vulnerabilities in the operating systems of internet-facing servers and network devices (two weeks otherwise), and one month for workstations and internal servers, tightening at the higher levels. Operating systems that are no longer supported by the vendor (Windows 10 after 14 October 2025, unless enrolled in Microsoft's paid Extended Security Updates) should be replaced, as they no longer receive security updates.
For many SMBs, this is the most visible gap. We still encounter businesses running Windows 10 machines that haven't been updated in months, or servers running operating systems that reached end-of-life years ago.
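As an added example (not from the original article), the function below serves both patching strategies: it asks Windows Update what this machine is missing, ages each missing update against the Maturity Level One timeframes described above, and reports what is overdue. The role classification and the day thresholds are assumptions you set per asset; the Windows Update Agent COM interface (Microsoft.Update.Session) is Microsoft's supported local query API and needs connectivity to Windows Update or your WSUS server.

```powershell
# Added example (not from the original article): measure one Windows machine
# against the Essential Eight ML1 patch timeframes using the Windows Update
# Agent COM API. Role and thresholds are assumptions set per asset.

function Get-PatchCompliance {
    param(
        # InternetFacing: 48h if critical or exploited, else 14 days. Workstation: 30 days.
        [ValidateSet('InternetFacing', 'Workstation')]
        [string]$Role = 'Workstation'
    )

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Last successful install recorded by Windows Update (ResultCode 2 = succeeded).
    # Get-HotFix only sees the subset registered as QFEs, so prefer the history.
    $count   = $searcher.GetTotalHistoryCount()
    $history = if ($count -gt 0) { $searcher.QueryHistory(0, $count) | Where-Object { $_.ResultCode -eq 2 } }
    $last    = ($history | Sort-Object Date -Descending | Select-Object -First 1).Date

    # Updates applicable to this machine that are not installed and not hidden.
    $missing = @($searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates)
    $now     = Get-Date

    # Age each missing update from its release (LastDeploymentChangeTime) against
    # the threshold for this asset. MsrcSeverity covers "rated critical by the
    # vendor"; "a working exploit exists" needs a KEV/advisory feed not checked here.
    $overdue = @($missing | Where-Object {
        $limitDays = if ($Role -eq 'InternetFacing') {
            if ($_.MsrcSeverity -eq 'Critical') { 2 } else { 14 }
        } else { 30 }
        ($now - $_.LastDeploymentChangeTime).TotalDays -gt $limitDays
    })

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Role            = $Role
        LastSuccessful  = $last
        DaysSinceUpdate = if ($last) { [int]($now - $last).TotalDays } else { $null }
        Missing         = $missing.Count
        MissingCritical = @($missing | Where-Object MsrcSeverity -eq 'Critical').Count
        Overdue         = $overdue.Count
        OverdueTitles   = ($overdue | ForEach-Object Title) -join '; '
        Compliant       = ($overdue.Count -eq 0)
    }
}

Get-PatchCompliance -Role Workstation
```

A machine is compliant when nothing is overdue, not when it has "recent" updates: a workstation patched yesterday that is still missing a cumulative update released six weeks ago fails ML1. Run it with -Role InternetFacing on anything reachable from the internet, and feed the results into whatever ticketing or RMM tool you use, because the model also expects the scan itself to happen on a schedule.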
7. Multi-Factor Authentication (MFA)
MFA requires users to provide two or more forms of verification before accessing an account — typically a password plus a code from an authenticator app, a push notification, or a hardware key. Even if an attacker steals a password through phishing or a data breach, they can't log in without the second factor.
MFA should be enabled on all internet-facing services: email (Microsoft 365 or Google Workspace), VPN, remote desktop, cloud applications, and any system containing sensitive data. Microsoft reports that MFA blocks over 99.9% of automated account-compromise attacks. It is the single highest-impact control most SMBs can implement. Not all second factors are equal, though: SMS codes and simple push approvals can be phished or worn down with repeated prompts, which is why the higher maturity levels require phishing-resistant MFA (a FIDO2 security key or passkey, or a smart card) for internet-facing services. Where you can, start there.
8. Regular Backups
Backups are your last line of defence. If everything else fails — if ransomware encrypts your files, if a server fails, if an employee accidentally deletes critical data — backups are how you recover.
The Essential Eight specifies that backups of data, applications and settings should be performed regularly, stored offline or otherwise out of reach of the network (so ransomware can't encrypt them too), tested regularly to confirm they actually restore, retained for an appropriate period, and protected so that ordinary user accounts cannot read, modify or delete them. Cloud backup solutions like Azure Backup or Veeam provide automated, offsite backup with immutable storage that ransomware cannot delete or modify within the retention window. The caveat is that immutability is only as strong as the controls on the account that configures it, so the backup console itself needs MFA and a separate admin identity.
| Strategy | Primary Threat It Addresses | Difficulty for SMBs |
|---|---|---|
| Application Control | Malware, ransomware | Moderate |
| Patch Applications | Known vulnerabilities | Low–Moderate |
| Office Macro Settings | Malware via documents | Low |
| User Application Hardening | Drive-by downloads, exploits | Low |
| Restrict Admin Privileges | Privilege escalation, lateral movement | Low–Moderate |
| Patch Operating Systems | Known vulnerabilities | Low–Moderate |
| Multi-Factor Authentication | Credential theft, phishing | Low |
| Regular Backups | Ransomware, data loss | Low |
Maturity Levels: Where Should Your Business Be?
The Essential Eight uses a maturity model with four levels:
- Maturity Level Zero: Weaknesses exist that could be exploited. This is where most businesses start before any assessment.
- Maturity Level One: Basic implementation. Addresses the most common, opportunistic attacks. This is the minimum target for most SMBs.
- Maturity Level Two: More thorough implementation. Addresses more capable attackers who are willing to invest more time and effort.
- Maturity Level Three: Full implementation. Addresses sophisticated adversaries. Typically required for government agencies and critical infrastructure.
For most small and medium businesses, Maturity Level One is the practical target. It addresses the vast majority of threats you'll face and is achievable without enterprise-level budgets or dedicated security teams.
Not sure where your business sits on the Essential Eight maturity model? We provide free cybersecurity assessments for Sydney businesses.
How to Get Started
You don't need to implement all eight strategies simultaneously. Start with the controls that deliver the most impact for the least effort:
- Enable MFA everywhere. Start with email (Microsoft 365 or Google Workspace), then extend to VPN, cloud apps, and remote access. This can be done in a day and has the single biggest impact on your security posture.
- Set up automated patching. Enable automatic updates for operating systems and configure a patch management process for business applications. Microsoft Intune (included in Business Premium) automates this for Windows devices.
- Implement proper backups. Ensure you have automated daily backups stored offsite with immutable retention. Test a restore to confirm it works — a backup you can't restore is not a backup.
- Block Office macros from the internet. A single Group Policy or Intune setting that makes Office's default behaviour mandatory and closes one of the most common malware delivery methods.
- Review admin accounts. Audit who has admin access, remove it from anyone who doesn't need it, and create separate admin accounts for those who do.
These five actions alone will move most businesses from Maturity Level Zero to a strong Level One position.
The Bottom Line
The Essential Eight isn't a theoretical exercise — it's the practical baseline that stops the attacks Australian businesses actually face. You don't need a massive budget or a dedicated security team. You need the right controls, properly configured, consistently maintained.
Every week that your business operates without these controls is a week you're exposed to threats that are entirely preventable. The question isn't whether you can afford to implement the Essential Eight. It's whether you can afford not to.