The Essential Eight is a set of eight baseline cybersecurity strategies published by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC). It exists for one reason: most cyber incidents that hit Australian businesses exploit the same handful of weaknesses. Get these eight right and you stop the overwhelming majority of common attacks before they start.
It’s increasingly more than best practice. Cyber-insurance providers ask about it, larger clients now expect it from their suppliers, and it underpins many government and contractual security requirements. For a small or mid-sized business, it’s the clearest, most respected starting point for “are we actually secure?”
The eight strategies
The ACSC groups the Essential Eight around preventing attacks, limiting their impact, and recovering from them:
- Application control – only approved programs are allowed to run, so malware can’t simply execute.
- Patch applications – keep software like browsers, Office, PDF readers and plugins up to date; known vulnerabilities are a favourite way in.
- Configure Microsoft Office macro settings – block untrusted macros, a common malware delivery method.
- User application hardening – disable risky features (Flash, ads, Java in browsers) that attackers abuse.
- Restrict administrative privileges – limit admin access to those who truly need it, so a compromised account can’t do as much damage.
- Patch operating systems – keep Windows, macOS and server OSes current, especially for known exploited flaws.
- Multi-factor authentication (MFA) – require a second factor so a stolen password isn’t enough on its own.
- Regular backups – maintain tested, secured backups so you can recover from ransomware or data loss.
Maturity levels
Each strategy is measured against maturity levels 0 to 3. Level 0 means significant gaps; Level 1 is a sensible baseline for many businesses; Levels 2 and 3 suit organisations facing more targeted threats. The goal isn’t to rush to Level 3 everywhere – it’s to reach a consistent, risk-appropriate level across all eight, then maintain it.
Why it matters for Australian SMBs
Smaller businesses are targeted precisely because attackers assume their defences are thinner. The Essential Eight closes the gaps that automated attacks rely on, often using tools you may already own (such as Microsoft 365). It also gives you a clear, defensible answer when a client, insurer or auditor asks how you manage cyber risk.
How to get started
Start with a gap assessment against each of the eight, prioritise quick wins like MFA and patching, and make sure your backups are tested and ransomware-resilient. Then close the remaining gaps on a realistic roadmap.
TrendsIT helps businesses across Australia and New Zealand assess, implement and maintain the Essential Eight as part of managed IT – without disrupting your team. Book a free assessment and we’ll show you exactly where you stand and what to fix first.
