The Complete Essential Eight Guide for Australian Small Businesses

Everything your business needs to know about the ACSC's Essential Eight cybersecurity framework — what each strategy does, how the maturity model works, and practical steps to protect your organisation in 2026.

Last updated: April 2026  |  Reading time: ~12 minutes

What Is the Essential Eight?

The Essential Eight is a set of eight cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) and recommended by the Australian Cyber Security Centre (ACSC). These eight strategies were selected from a broader set of 37 mitigation strategies because they are the most effective at preventing malware delivery, limiting the extent of cyber incidents, and recovering data when things go wrong.

Originally published in 2017, the Essential Eight has become the benchmark cybersecurity framework for Australian organisations — particularly small and medium businesses that may not have the resources for a full enterprise security programme.

The eight strategies are grouped into three objectives:

Prevent Attacks

  • Application Control
  • Patch Applications
  • Configure Office Macros
  • User Application Hardening

Limit Extent

  • Restrict Admin Privileges
  • Patch Operating Systems
  • Multi-Factor Authentication

Recover Data

  • Regular Backups

For a concise overview, see our article: Essential Eight Explained.

Why It Matters for Australian Businesses

Cyberattacks targeting Australian small businesses have increased significantly. The ACSC's 2024-2025 Cyber Threat Report found that the average cost of cybercrime for small businesses has risen to over $46,000 per incident, with ransomware and business email compromise (BEC) as the leading threats.

Here's why implementing the Essential Eight should be a priority for your business:

  • Regulatory expectations are tightening. The 2026 Privacy Act amendments have increased penalties for data breaches. Organisations handling personal data are expected to demonstrate reasonable security measures — and the Essential Eight is widely considered the baseline.
  • Cyber insurance increasingly requires it. Many Australian cyber insurance providers now reference Essential Eight compliance as part of their underwriting criteria. Without it, you may face higher premiums or reduced coverage.
  • It's proven and practical. The ASD estimates that implementing just the top four strategies can prevent up to 85% of common cyberattacks. The full eight address 95%+ of threats.
  • Government contracts require it. Any organisation working with the Australian Government or Defence is expected to achieve Maturity Level 2 or higher.

Read more: Why Is Cyber Security Important for Australian Businesses

The Essential Eight Maturity Model

The ACSC's Maturity Model provides a structured way to measure how well your organisation has implemented each of the eight strategies. There are four levels:

Level     What It Means
Level 0   Controls are absent or ineffective. The organisation has significant vulnerabilities.
Level 1   Basic implementation. Controls are in place but may not be consistently applied or monitored. Suitable for organisations facing opportunistic threats.
Level 2   Controls are enforced across all systems and regularly reviewed. Suitable for organisations facing targeted attacks or handling sensitive data.
Level 3   Controls are deeply integrated into security operations and tested for effectiveness. Suitable for organisations targeted by sophisticated adversaries.

Important: The ACSC recommends achieving the same maturity level across all eight strategies before advancing to the next level. These controls rely on each other — weakening one reduces the effectiveness of the entire framework.

For a deeper look at how the levels work: Essential 8 Maturity Model Explained

Not Sure Where Your Business Stands?

Our cyber security audit benchmarks your current posture against the Essential Eight maturity model and gives you a clear action plan.


Strategy 1: Application Control

What it does: Application control ensures only approved and trusted applications can execute on your systems. This is one of the most effective defences against malware, ransomware, and unauthorised software — because if an application isn't on the approved list, it simply won't run.

Why it matters: Malware relies on being able to execute on a victim's system. Application control stops it at the gate. Microsoft's AppLocker or Windows Defender Application Control (WDAC) are common tools used to enforce this.

What to do at each maturity level:

  • Level 1: Application control is implemented on workstations to restrict execution of executables, software libraries, scripts, and installers to an approved set.
  • Level 2: Application control rules are validated on an annual or more frequent basis, and logging of blocked execution attempts is enabled.
  • Level 3: Microsoft's recommended application blocklist is implemented, and application control is applied to all user-accessible locations including temporary folders.
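As an added example (not code from this guide, Netcomp or ASD), the PowerShell below builds an AppLocker policy covering the executable, library, script and installer collections named at Level 1, deploys it in audit mode, and then pulls the blocked-execution events Level 2 asks you to log. It assumes an elevated session on a clean reference workstation, an assumed working folder C:\E8\AppLocker, and that the Application Identity service is running.

```powershell
# Assumed working folder for the generated policy files.
$policyDir = 'C:\E8\AppLocker'
New-Item -ItemType Directory -Path $policyDir -Force | Out-Null

# 1. Inventory what legitimately runs from the standard install locations.
#    Level 1 covers executables, libraries, scripts and installers, so ask for
#    all four file types (Appx packages are left out here).
$fileInfo = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Turn the inventory into rules: publisher rules where files are signed,
#    hash rules otherwise. -Optimize merges rules that share a publisher.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
        -User Everyone -Optimize -Xml

# 3. New-AppLockerPolicy emits EnforcementMode="NotConfigured", which enforces
#    as soon as rules exist. Switch every collection to AuditOnly for the pilot.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = Join-Path $policyDir 'e8-applocker-audit.xml'
$xml | Out-File -FilePath $policyPath -Encoding UTF8

# 4. Dry-run the policy against files in a user-writable location first.
Get-ChildItem 'C:\Users\*\Downloads\*.exe' -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply to the local machine, merging with any existing policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 6. Level 2: review what was blocked (8004) or would have been blocked in
#    audit mode (8003); scripts and MSIs log 8006/8007 in their own channel.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL',
                'Microsoft-Windows-AppLocker/MSI and Script'
    Id        = 8003, 8004, 8006, 8007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, UserId, Message |
    Sort-Object TimeCreated -Descending
```

Only after the audit-mode events show no legitimate software being flagged should the collections be switched from AuditOnly to Enabled.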

Deep dive: Application Control Best Practices: All You Need to Know

Strategy 2: Patch Applications

What it does: Patching applications means regularly updating all software (web browsers, email clients, PDF viewers, Microsoft Office, and other business applications) to fix known security vulnerabilities before attackers can exploit them.

Why it matters: Attackers actively scan for unpatched software. A single unpatched application can be the entry point for a devastating breach. The ASD considers this one of the top four strategies that can prevent 85% of intrusions.

What to do at each maturity level:

  • Level 1: Patches, updates, or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release. Patches for other applications are applied within one month.
  • Level 2: Patches for internet-facing services are applied within 48 hours if an exploit exists. An automated mechanism is used to confirm and record patch deployment.
  • Level 3: Patches for internet-facing services are applied within 48 hours of release (whether or not an exploit exists). Vulnerability scanners are used at least fortnightly to identify missing patches.

Deep dive: Essential Eight: Patch Applications Guide

Strategy 3: Configure Microsoft Office Macro Settings

What it does: This strategy controls whether Microsoft Office macros can run, and under what conditions. Macros are small programs embedded in Office documents that can automate tasks — but they're also one of the most common malware delivery methods.

Why it matters: A typical attack scenario involves an employee receiving a phishing email with an attached Word or Excel file. When opened, the document prompts the user to "enable macros" — which then executes malicious code. Restricting macros stops this attack chain.

What to do at each maturity level:

  • Level 1: Microsoft Office macros are disabled for users who do not have a demonstrated business requirement.
  • Level 2: Macros in files from the internet are blocked. Macros are only allowed in trusted locations with restricted write access, or are digitally signed by a trusted publisher.
  • Level 3: Only macros running from within a sandboxed environment, trusted locations, or digitally signed by trusted publishers are allowed. Win32 API calls from macros are blocked.
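As an added example (not from this guide or from Microsoft), the following PowerShell writes the Office macro policy values that correspond to Levels 1 and 2 above and turns on the Defender Attack Surface Reduction rule that blocks Win32 API calls from macros (Level 3). It assumes Office 2016 or later (policy keys under 16.0), that it is run in the affected user's session, and that the $hasBusinessNeed switch reflects your own decision about who may keep macros.

```powershell
# Set $hasBusinessNeed = $true only for the users Level 1 lets keep macros.
$hasBusinessNeed = $false
$apps = 'Word', 'Excel', 'PowerPoint', 'Access'   # Outlook uses a separate Level value

# VBAWarnings: 1 enable all, 2 disable with notification,
#              3 disable except digitally signed, 4 disable without notification
$vbaWarnings = if ($hasBusinessNeed) { 3 } else { 4 }

foreach ($app in $apps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $sec -Force | Out-Null
    # Level 1: no macros at all for most users; signed-only for the exceptions.
    Set-ItemProperty -Path $sec -Name VBAWarnings -Type DWord -Value $vbaWarnings
    # Level 2: block macros in files carrying the Mark of the Web (downloaded or
    # emailed from the internet), whatever the user's VBAWarnings setting.
    Set-ItemProperty -Path $sec -Name BlockContentExecutionFromInternet -Type DWord -Value 1
    # Level 2: users without a business need get no trusted locations either.
    if (-not $hasBusinessNeed) {
        $tl = Join-Path $sec 'Trusted Locations'
        New-Item -Path $tl -Force | Out-Null
        Set-ItemProperty -Path $tl -Name AllLocationsDisabled -Type DWord -Value 1
    }
}

# Level 3: block Win32 API calls from Office macros with the Defender ASR rule
# of that name (needs an elevated session). Audit first; switch to Enabled once
# event 1122 in Microsoft-Windows-Windows Defender/Operational shows no breakage.
$asrWin32FromMacros = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrWin32FromMacros `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Read back what is now in force for the current user.
foreach ($app in $apps) {
    $p = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    [pscustomobject]@{
        App               = $app
        VBAWarnings       = $p.VBAWarnings
        BlockFromInternet = $p.BlockContentExecutionFromInternet
    }
}
```

In a domain the same values are normally pushed from Group Policy or Intune rather than set per machine; the registry locations are the ones those tools write to.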

Related reading: Defend Your Business With the Essential Eight

Strategy 4: User Application Hardening

What it does: Application hardening involves configuring web browsers, PDF viewers, and other user-facing applications to block risky features — such as Flash, Java, and web advertisements — that attackers commonly exploit to deliver malware.

Why it matters: Even fully patched applications have features that can be exploited. By disabling unnecessary features (like Java in browsers, or ads that serve malvertising), you reduce the attack surface without affecting productivity.

What to do at each maturity level:

  • Level 1: Web browsers are configured to block or disable Flash content, web advertisements, and Java from the internet. Internet Explorer 11 is disabled or removed.
  • Level 2: Web browsers are hardened using ASD and vendor recommendations. .NET Framework 3.5 (including .NET 2.0) is disabled or removed. PowerShell is configured in Constrained Language Mode.
  • Level 3: Child processes from Microsoft Office, web browsers, and PDF software are blocked. PowerShell script block logging is enabled.
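As an added example (not from this guide), the PowerShell below applies the workstation-side settings that map to the three levels above: removing Internet Explorer 11 and .NET Framework 3.5, enabling script block logging, and blocking child processes from Office and Adobe Reader with Defender ASR rules. It assumes an elevated session on Windows 10 or 11 with Defender active; browser hardening is done through the browser's own policies and is not covered here.

```powershell
# Feature removals take effect after a reboot.
# Level 1: remove Internet Explorer 11 (Windows 10; already absent on Windows 11).
Disable-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -NoRestart

# Level 2: remove .NET Framework 3.5, which carries the 2.0 and 3.0 runtimes.
Disable-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -NoRestart

# Level 2: Constrained Language Mode is imposed by the application control
# policy (AppLocker/WDAC) rather than a switch; this only reports the result.
"PowerShell language mode: $($ExecutionContext.SessionState.LanguageMode)"

# Level 3: script block logging, so that every script block PowerShell runs is
# recorded as event 4104 in Microsoft-Windows-PowerShell/Operational.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Type DWord -Value 1

# Level 3: block Office and PDF readers from spawning child processes via
# Defender ASR rules. Audit first (event 1122); Enabled blocks (event 1121).
$childProcessRules = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Block all Office applications from creating child processes
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'   # Block Adobe Reader from creating child processes
)
$mode = 'AuditMode'   # change to 'Enabled' after the audit period
Add-MpPreference -AttackSurfaceReductionRules_Ids $childProcessRules `
                 -AttackSurfaceReductionRules_Actions @($mode, $mode)

# Verify: ASR rule state, and the most recent script block log entries.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```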

Deep dive: User Application Hardening: Essential Eight Guide

Need Help Implementing These Strategies?

Netcomp Solutions has been helping Brisbane businesses implement the Essential Eight since the framework launched. We handle the technical detail so you can focus on running your business.


Strategy 5: Restrict Administrative Privileges

What it does: This strategy limits who has administrative (admin) access to systems and for what purpose. Admin accounts have elevated permissions — they can install software, change system settings, and access sensitive data. If compromised, an attacker inherits all those permissions.

Why it matters: One of the most common ways attackers escalate a breach is by gaining admin credentials. If your staff are routinely working with admin accounts (or if everyone in the office has admin rights), a single phishing email can give an attacker the keys to your entire network.

What to do at each maturity level:

  • Level 1: Requests for privileged access are validated when first requested. Privileged accounts are not used for reading email and browsing the web. Privileged accounts are restricted to separate admin workstations.
  • Level 2: Privileged access is automatically disabled after 12 months without revalidation. Privileged access events are centrally logged and protected from modification.
  • Level 3: Just-in-time administration is used for privileged access. Windows platforms use Credential Guard and Remote Credential Guard. Privileged accounts (excluding local admin) cannot log on to unprivileged workstations.
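As an added example (not from this guide), the following PowerShell audits local Administrators membership on a set of workstations against an approved list (the validation Level 1 calls for) and checks whether Credential Guard is running (Level 3). It assumes PowerShell Remoting to the named machines; the computer names and the approved group are placeholders for your own environment.

```powershell
$workstations  = 'WS-01', 'WS-02'               # assumed: your workstation names
$approvedGroup = 'CORP\Workstation Admins'      # assumed: the one group allowed local admin

$report = Invoke-Command -ComputerName $workstations -ScriptBlock {
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              Select-Object -ExpandProperty Name
    # Win32_DeviceGuard.SecurityServicesRunning lists 1 for Credential Guard
    # and 2 for HVCI when they are active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        LocalAdmins     = @($admins)
        CredentialGuard = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

foreach ($r in $report) {
    # The built-in local Administrator and the approved group are expected;
    # anything else is a Level 1 finding to validate or remove.
    $expected   = @("$($r.Computer)\Administrator", $approvedGroup)
    $unexpected = @($r.LocalAdmins | Where-Object { $_ -notin $expected })
    $finding = if ($unexpected.Count -gt 0) { 'Review local admin membership' }
               elseif (-not $r.CredentialGuard) { 'Enable Credential Guard' }
               else { 'OK' }
    [pscustomobject]@{
        Computer          = $r.Computer
        UnexpectedAdmins  = ($unexpected -join ', ')
        CredentialGuardOn = $r.CredentialGuard    # Level 3 requirement
        Finding           = $finding
    }
}
```

Schedule this to run regularly and keep the output with your other privileged-access records, since Level 2 expects those events to be logged centrally and protected from modification.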

Deep dive: Restrict Administrative Privileges: Your Essential Eight Guide

Strategy 6: Patch Operating Systems

What it does: Just like patching applications, this strategy ensures that operating systems (Windows, macOS, Linux, and server OS) are kept up to date with the latest security patches.

Why it matters: Operating system vulnerabilities are among the most targeted by attackers because they affect every application running on that system. The end of Windows 10 support (October 2025) makes this particularly urgent — businesses still running Windows 10 without Extended Security Updates are exposed to unpatched vulnerabilities.

What to do at each maturity level:

  • Level 1: Patches for internet-facing services are applied within two weeks. Patches for other systems are applied within one month. Unsupported operating systems are replaced.
  • Level 2: Patches for internet-facing services are applied within 48 hours if an exploit exists. An automated mechanism confirms patch deployment.
  • Level 3: Patches for internet-facing services are applied within 48 hours of release. The latest release of operating systems is used. Vulnerability scanners run at least fortnightly.
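Strategy 2 and Strategy 6 use the same deadlines, so one added example serves both (this is not code from the guide or from ASD): a PowerShell function that works out which deadline applies to a missing patch at a chosen maturity level, run over a constructed sample inventory with placeholder patch names. It assumes your patch tooling can supply the release date, whether the system is internet-facing, and whether a working exploit is known.

```powershell
function Get-E8PatchDeadline {
    param(
        [Parameter(Mandatory)][datetime]$Released,
        [Parameter(Mandatory)][bool]$InternetFacing,
        [Parameter(Mandatory)][bool]$ExploitExists,
        [ValidateSet(1, 2, 3)][int]$MaturityLevel = 1
    )
    # Everything that is not internet-facing: one month at every level.
    if (-not $InternetFacing) { return $Released.AddMonths(1) }
    switch ($MaturityLevel) {
        1 { return $Released.AddDays(14) }                          # two weeks
        2 { if ($ExploitExists) { return $Released.AddHours(48) }   # 48 h when exploited
            return $Released.AddDays(14) }                          # otherwise two weeks
        3 { return $Released.AddHours(48) }                         # 48 h of release
    }
}

function Test-E8PatchCompliance {
    param([object[]]$Missing, [int]$MaturityLevel = 1, [datetime]$AsOf = (Get-Date))
    foreach ($m in $Missing) {
        $due  = Get-E8PatchDeadline -Released $m.Released -InternetFacing $m.InternetFacing `
                    -ExploitExists $m.ExploitExists -MaturityLevel $MaturityLevel
        $late = if ($AsOf -gt $due) { [math]::Round(($AsOf - $due).TotalHours) } else { 0 }
        [pscustomobject]@{
            Host      = $m.Host
            Patch     = $m.Patch
            Released  = $m.Released.ToString('yyyy-MM-dd')
            Deadline  = $due.ToString('yyyy-MM-dd HH:mm')
            Overdue   = ($late -gt 0)
            HoursLate = $late
        }
    }
}

# Constructed sample inventory (placeholder patch names, not real advisories).
$missing = @(
    [pscustomobject]@{ Host = 'web01'; Patch = 'EXAMPLE-WEB-001'; Released = [datetime]'2026-04-01'; InternetFacing = $true;  ExploitExists = $true }
    [pscustomobject]@{ Host = 'web01'; Patch = 'EXAMPLE-WEB-002'; Released = [datetime]'2026-04-03'; InternetFacing = $true;  ExploitExists = $false }
    [pscustomobject]@{ Host = 'ws-07'; Patch = 'EXAMPLE-PDF-003'; Released = [datetime]'2026-03-20'; InternetFacing = $false; ExploitExists = $true }
)
$asOf = [datetime]'2026-04-10'
foreach ($lvl in 1..3) {
    "--- Maturity Level $lvl (as of $($asOf.ToString('yyyy-MM-dd'))) ---"
    Test-E8PatchCompliance -Missing $missing -MaturityLevel $lvl -AsOf $asOf | Format-Table -AutoSize
}
```

With the sample data, nothing is overdue at Level 1, the exploited web patch is overdue at Level 2, and both web patches are overdue at Level 3, which shows how the same backlog is judged differently as the target level rises.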

Deep dive: Patch Operating Systems: Essential Eight Guide for Australian SMBs

Related: Windows 10 End of Support: What It Means for Your Business

Strategy 7: Multi-Factor Authentication (MFA)

What it does: MFA requires users to provide two or more forms of verification before accessing a system — typically something they know (password) combined with something they have (phone, hardware token) or something they are (biometric).

Why it matters: Passwords alone are not enough. Credential theft through phishing, data breaches, and brute-force attacks means that passwords are routinely compromised. MFA adds a second layer that stops attackers even if they have the password. Microsoft reports that MFA blocks 99.9% of automated credential attacks.

What to do at each maturity level:

  • Level 1: MFA is used to authenticate users to their organisation's internet-facing services. MFA is used for remote access (VPN, RDP). MFA combines something users have with something users know or something users are.
  • Level 2: MFA is used for all users when authenticating to internet-facing services. MFA is phishing-resistant (e.g., FIDO2 security keys, Windows Hello for Business). MFA events are centrally logged.
  • Level 3: MFA is used for all users when authenticating to all important data repositories. MFA is verifier impersonation resistant and replay resistant.

Related reading: Why Multi-Factor Authentication Is Essential for Your Business

Strategy 8: Regular Backups

What it does: Regular backups ensure that critical business data, system configurations, and software can be restored if lost to ransomware, hardware failure, accidental deletion, or any other incident.

Why it matters: Backups are your last line of defence. If every other strategy fails and ransomware encrypts your files, a clean, tested backup is the difference between paying a ransom and getting back to business. Without reliable backups, even a minor incident can become an existential threat.

What to do at each maturity level:

  • Level 1: Backups of important data, software, and configuration settings are performed and retained. Backups are synchronised to enable restoration to a common point in time. Backups are stored disconnected from the network or in a non-rewritable format.
  • Level 2: Unprivileged accounts cannot access or modify backups. Privileged accounts (excluding backup admin accounts) cannot access or modify backups. Backup restoration is tested as part of disaster recovery exercises at least once.
  • Level 3: Unprivileged and privileged accounts cannot access or modify backups. Backup restoration is tested as part of disaster recovery exercises at least once per quarter.

Related reading: Backups for Small Business: A Complete Guide, and What Every Disaster Recovery Plan Must Include

Ready to Implement the Essential Eight?

Netcomp Solutions has been protecting Brisbane businesses since 2002. We'll assess where you stand, build a roadmap, and implement the Essential Eight so your business is protected.


How to Get Started

Implementing the Essential Eight doesn't have to be overwhelming. Here's a practical roadmap for small businesses:

  1. Assess your current state. Use the ACSC's maturity model to benchmark where your business stands across all eight strategies. A professional cyber security audit can do this for you.
  2. Target Maturity Level 1 across all eight strategies first. Don't try to achieve Level 3 in one area while ignoring others. Consistency matters because the strategies are interdependent.
  3. Prioritise the top four. Application control, patching applications, configuring macros, and user application hardening prevent the majority of attacks. Start here.
  4. Automate where possible. Use tools like Microsoft Intune, WSUS, or your MSP's remote management platform to automate patching and enforce policies.
  5. Train your staff. Technology alone isn't enough. Cyber security training ensures your team recognises threats and follows security practices.
  6. Review and improve. Conduct annual reviews to progress through maturity levels and adapt to new threats.

Frequently Asked Questions

Is the Essential Eight mandatory for Australian businesses?

The Essential Eight is not legally mandatory for all businesses, but it is strongly recommended by the ACSC. It is mandatory for Australian Government entities (non-corporate Commonwealth entities). For private businesses, it is increasingly expected by cyber insurers, clients, and regulators — particularly under the 2026 Privacy Act amendments that require organisations to take "reasonable steps" to protect personal information.

What maturity level should my business aim for?

Most small businesses should start by achieving Maturity Level 1 consistently across all eight strategies, then progress to Level 2. Level 2 is recommended for organisations handling sensitive data, working with government, or in industries targeted by cyberattacks (legal, medical, financial services). Level 3 is typically reserved for organisations facing sophisticated adversaries.

How long does it take to implement the Essential Eight?

For a small business with 10-50 employees, achieving Maturity Level 1 typically takes 2-4 weeks with a managed IT services provider. Progressing to Level 2 usually takes an additional 1-3 months, depending on the complexity of your IT environment. Working with an experienced MSP like Netcomp Solutions significantly accelerates the process.

Can I implement the Essential Eight myself?

Some strategies (like enabling MFA and restricting macros) can be configured by a tech-savvy business owner. However, most strategies — particularly application control, patching automation, and privilege management — require specialised tools and expertise. An MSP can implement all eight strategies as part of a managed IT services package, ensuring they're maintained and monitored continuously.

How does the Essential Eight relate to ISO 27001 and NIST?

The Essential Eight is complementary to ISO 27001 and the NIST Cybersecurity Framework. While ISO 27001 and NIST provide broad governance frameworks, the Essential Eight provides specific, technical mitigation strategies. Many organisations use the Essential Eight as the operational baseline within a broader ISO 27001 or NIST programme.

How much does Essential Eight implementation cost?

Costs vary by business size and current IT maturity. For small businesses, Essential Eight implementation is often included as part of a managed IT services agreement. Netcomp Solutions offers packages starting from $60/PC per month that include Essential Eight-aligned security practices. A standalone cyber security audit to assess your current state typically starts from a few thousand dollars.

Protecting Brisbane Businesses Since 2002

Netcomp Solutions is a trusted managed IT services provider rated 5.0 stars on Google. We help small and medium businesses implement the Essential Eight, strengthen their cybersecurity, and focus on growth.


Call 1300 363 127  |  info@netcomp.com.au