Cheddar IT

The Essential Eight Explained for Australian Businesses

The ACSC's Essential Eight is the cybersecurity baseline most Australian businesses should be measured against. Here's what each of the eight strategies actually means.


If you’ve been on the receiving end of a cybersecurity audit — from an insurer, an auditor, or an APRA-regulated partner — you’ve probably heard the phrase “Essential Eight.” It’s the Australian Cyber Security Centre’s (ACSC) baseline cybersecurity framework, and it’s quietly become the default yardstick for Australian business security posture.

This post explains what the Essential Eight actually is, what each of the eight strategies means in practice, and what “maturity level” you should aim for.

What is the Essential Eight?

The Essential Eight is a set of eight mitigation strategies that, when implemented together, prevent or significantly reduce the impact of the most common cyber attacks. It was developed by the ACSC (part of the Australian Signals Directorate) based on actual incident response data — what works, not just what sounds good on paper.

There are three maturity levels:

  • Maturity Level 1 (ML1) — defends against widespread, low-effort attacks using readily available tools
  • Maturity Level 2 (ML2) — defends against targeted attacks by skilled adversaries
  • Maturity Level 3 (ML3) — defends against sophisticated, adaptive adversaries with significant resources

For most SMBs, ML1 is the starting point and ML2 is where you should aim. ML3 is realistic only for regulated entities or larger enterprises with dedicated security teams.

The eight strategies

1. Application control

Only allow approved applications to run on company devices. This blocks the vast majority of commodity malware, which relies on being able to execute an arbitrary binary. Windows has built-in tools (AppLocker, Windows Defender Application Control) but third-party tools like Airlock Digital are commonly used in Australia.

Practical impact at ML1: application control on servers. At ML2: application control on all endpoints including laptops. ML2 is where this control earns its keep — it’s also the hardest one to roll out cleanly because you have to enumerate every legitimate app in the business first.

2. Patch applications

Apply security patches to applications (browsers, Office, Adobe, Java, etc.) within a defined timeframe — typically two weeks for important patches, 48 hours for internet-facing systems. CVEs with active exploitation get emergency treatment.

Practical impact: automated patching via Intune or a third-party RMM, with reporting that shows what’s up to date and what isn’t.

3. Configure Microsoft Office macro settings

Block macros from the internet. Allow only signed macros or macros from trusted locations. Office macros are a long-running attacker favourite because they can execute code with user permissions.

Practical impact: a group policy or Intune policy that restricts macro execution. Staff rarely notice; attackers lose a useful delivery mechanism.
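As an added illustration (not code from the original post or from Cheddar IT), the PowerShell check below reads the per-user Office policy registry values that a Group Policy or Intune macro policy writes and reports, per application, whether the settings described above are in place. It assumes Microsoft 365 Apps or Office 2016 and later (the 16.0 policy hive) and a policy applied per user rather than per machine.

```powershell
# Added example, not from the original post. Reads the Office 16.0 per-user
# policy keys that Group Policy / Intune write for macro settings and reports,
# per application, whether the baseline in the text is met: macros from the
# internet blocked, and only signed (or trusted-location) macros allowed.
$OfficeApps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio', 'Publisher'

# Meaning of the VBAWarnings policy value as documented by Microsoft.
$VbaMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroPolicyState {
    param([string[]]$Apps = $OfficeApps)

    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $vba   = $props.VBAWarnings                        # $null if not set by policy
        $block = $props.blockcontentexecutionfrominternet  # 1 = block macros in files marked from the internet

        # Trusted locations bypass VBAWarnings, so report whether policy has disabled them.
        $tl = Get-ItemProperty -Path "$key\Trusted Locations" -ErrorAction SilentlyContinue
        $trustedLocationsOff = ($tl.AllLocationsDisabled -eq 1)

        # Baseline from the text: internet macros blocked AND only signed macros (3) or none (4).
        $meets = ($block -eq 1) -and ($vba -in @(3, 4))

        [pscustomobject]@{
            Application           = $app
            InternetMacrosBlocked = ($block -eq 1)
            VbaSetting            = if ($null -eq $vba) { 'Not set by policy' } else { $VbaMeaning[[int]$vba] }
            TrustedLocationsOff   = $trustedLocationsOff
            MeetsBaseline         = $meets
        }
    }
}

Get-OfficeMacroPolicyState | Format-Table -AutoSize
```

Run it as the signed-in user on a managed device; any row with MeetsBaseline false is a policy that has not applied or was never scoped to that application.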

4. User application hardening

Disable risky features in browsers and Office: Flash (thankfully dead but still appearing in legacy environments), Java from the internet, advertisements, and unnecessary browser extensions. Configure applications to run with minimum necessary privileges.

Practical impact: this is mostly a configuration exercise, not a software purchase. Intune and group policy templates cover it.

5. Restrict administrative privileges

Most users don’t need local administrator rights on their laptops. Admin accounts should be separate from day-to-day accounts, used only for privileged tasks, and protected with additional controls.

At ML2, this extends to privileged access workstations and just-in-time (JIT) elevation using tools like Entra PIM — admins request elevation for specific tasks, it’s approved, it’s logged, it expires.

Practical impact: this is one of the highest-leverage controls. It dramatically reduces blast radius when something does go wrong.
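As an added example (not from the original post), the following PowerShell script enumerates the local Administrators group on the machine it runs on and flags standing local admin rights that are not on an approved list, which is the first measurement most SMBs need before restructuring admin accounts. The approved principals are placeholders to be replaced with the organisation's own admin accounts and groups.

```powershell
# Added example, not from the original post. Enumerates the local Administrators
# group and flags standing local admin rights not on the approved list. The two
# approved principals are placeholders for the organisation's own names.
# Requires the built-in Microsoft.PowerShell.LocalAccounts module
# (Windows 10 / Windows Server 2016 and later).
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator"   # built-in account; should itself be disabled or renamed
    'CONTOSO\IT-PrivilegedAdmins'       # placeholder domain group holding the separate admin accounts
)

function Get-LocalAdminFindings {
    param([string[]]$Approved = $ApprovedAdmins)

    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $isApproved = $Approved -contains $_.Name
        $finding = if ($isApproved) { 'Approved' }
                   elseif ($_.ObjectClass -eq 'User') { 'Standing local admin: move to standard user' }
                   else { 'Review group membership' }

        [pscustomobject]@{
            Principal = $_.Name
            Type      = $_.ObjectClass      # User or Group
            Source    = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD or MicrosoftAccount
            Finding   = $finding
        }
    }
}

# Headline number for the report: user accounts holding standing admin that are not approved.
function Get-StandingAdminCount {
    @(Get-LocalAdminFindings | Where-Object Finding -like 'Standing*').Count
}

Get-LocalAdminFindings | Format-Table -AutoSize
"Unapproved standing local admins on $env:COMPUTERNAME: $(Get-StandingAdminCount)"
```

Run through Intune or an RMM across the fleet, the count per device is the baseline the medium-term "remove standing local admin" step in the roadmap below is measured against.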

6. Patch operating systems

Apply OS security patches on the same timeframe as applications — 48 hours for internet-facing, two weeks for everything else. Remove unsupported operating systems (looking at you, Windows 10 after October 2025).

Practical impact: WSUS, Intune, or an RMM driving patching. Reporting is essential — without it, you don’t actually know your patch status.
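The application (strategy 2) and operating system (strategy 6) patching timeframes above are the same rule, so one added example (not from the original post) covers both: a PowerShell function that scores a missing-patch inventory against the 48-hour internet-facing and two-week internal windows and flags actively exploited CVEs for emergency treatment. The inventory fields and the sample data are constructed; in practice the rows would come from an Intune, WSUS or RMM export.

```powershell
# Added example, not from the original post. Scores a missing-patch inventory
# against the timeframes the text quotes: 48 hours for internet-facing systems,
# two weeks for everything else, and emergency treatment for anything under
# active exploitation. The same rule applies to application and OS patches.
# The inventory schema (Asset, Target, InternetFacing, Released,
# ActivelyExploited) is assumed; the sample rows below are constructed.
function Get-PatchSlaStatus {
    param(
        [Parameter(Mandatory)] [object[]]$MissingPatches,
        [datetime]$Now = (Get-Date)
    )
    foreach ($p in $MissingPatches) {
        $window = if ($p.InternetFacing) { New-TimeSpan -Hours 48 } else { New-TimeSpan -Days 14 }
        $due    = $p.Released + $window
        $status = if ($p.ActivelyExploited) { 'Emergency: patch now' }
                  elseif ($Now -gt $due) { 'Overdue' }
                  else { 'Within SLA' }

        [pscustomobject]@{
            Asset    = $p.Asset
            Target   = $p.Target
            Scope    = if ($p.InternetFacing) { 'Internet-facing (48h)' } else { 'Internal (14d)' }
            DueBy    = $due
            DaysLate = if ($Now -gt $due) { [math]::Round(($Now - $due).TotalDays, 1) } else { 0 }
            Status   = $status
        }
    }
}

# Constructed sample inventory; asset names, dates and flags are made up for illustration.
$sample = @(
    [pscustomobject]@{ Asset='WEB01';  Target='Windows Server (OS)'; InternetFacing=$true;  Released=[datetime]'2025-03-10'; ActivelyExploited=$false }
    [pscustomobject]@{ Asset='LT-042'; Target='Chrome';              InternetFacing=$false; Released=[datetime]'2025-03-12'; ActivelyExploited=$false }
    [pscustomobject]@{ Asset='LT-017'; Target='Adobe Reader';        InternetFacing=$false; Released=[datetime]'2025-02-20'; ActivelyExploited=$false }
    [pscustomobject]@{ Asset='VPN01';  Target='VPN appliance';       InternetFacing=$true;  Released=[datetime]'2025-03-18'; ActivelyExploited=$true  }
)

# Fixed "now" so the sample is reproducible; drop -Now to score a live export.
Get-PatchSlaStatus -MissingPatches $sample -Now ([datetime]'2025-03-20') | Format-Table -AutoSize
```

The DaysLate column is the number that matters for reporting: it turns "we patch" into evidence of how far each asset sits outside the SLA.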

7. Multi-factor authentication

Require MFA on every account that matters — all cloud services, VPN, remote access, administrative access. At ML1, MFA on internet-facing services. At ML2, MFA on all users and all privileged actions, and phishing-resistant MFA (FIDO2 / hardware keys / Windows Hello for Business) for administrators.

Practical impact: the single highest-leverage control. If you do nothing else on this list, do this.

8. Regular backups

Perform daily backups of important data, configurations and software. Store backups in a way that can survive a ransomware event — that means immutable or air-gapped storage. Test restoration regularly.

At ML1: daily backups, quarterly restore testing. At ML2: privileged access to backups is controlled, backups are immutable, and restore testing happens more frequently.

Practical impact: the safety net when prevention fails. Don’t assume backups work until you’ve restored from them.

How to approach implementation

Don’t try to do all eight at once. Realistic sequencing for most SMBs:

Quick wins (first 90 days):

  • MFA on every account that supports it
  • OS and application patching on a documented schedule
  • Backup with offsite copy (if not already)
  • Macro restrictions (free, low friction)
  • User application hardening via Intune/GPO

Medium-term (3-12 months):

  • Admin privilege restructure — separate accounts, remove standing local admin
  • Immutable backup tier
  • Patching reporting and SLA formalisation
  • MFA audit — move SMS-based MFA to app-based or hardware

Longer-term (12-24 months):

  • Application control rollout (this one takes time)
  • Privileged Access Workstations or JIT elevation for admins
  • Phishing-resistant MFA for administrators

What maturity level should your business aim for?

ML1 is the minimum credible posture for any Australian business. If you’re not at ML1, you’re below the baseline that insurers and auditors increasingly expect.

ML2 is where most businesses we support should aim. It’s achievable within a 12-18 month program and defends against the targeted attacks SMBs actually face.

ML3 is mostly for APRA-regulated entities, healthcare networks handling significant patient data, legal firms handling matters of public interest, and similar high-threat environments. ML3 is a significant investment and needs dedicated security resources.

The bottom line

The Essential Eight isn’t a checklist to tick once — it’s a baseline to maintain and improve over time. For Australian businesses, it’s also the framework you’ll increasingly be measured against by insurers, auditors, regulators, and enterprise customers doing vendor risk assessments.

If you don’t know where you currently stand, an Essential Eight assessment is a practical starting point. We can run one in a week, with a clear report showing your current maturity level per strategy and a prioritised roadmap to close the gaps. Get in touch to set one up.