Essential Eight Compliance for Melbourne SMEs: A 90-Day Roadmap


The Australian Cyber Security Centre’s Essential Eight is the closest thing Australian SMEs have to a single, government-backed cyber security baseline. It’s referenced in over 90% of Commonwealth tenders, sits in most cyber insurance renewal questionnaires, and is increasingly being asked about by enterprise customers doing supplier due diligence.

And it’s possible to reach Maturity Level 1 in 90 days for a Melbourne SME of typical complexity (50-100 staff, M365 tenant, a handful of line-of-business apps). The catch is that “possible” requires sequencing the work right, otherwise you’ll be 90 days in with three controls done badly and five barely started.

This is the roadmap we use when a Melbourne client asks us to get them from “we have antivirus and MFA on email” to “we can answer the Essential Eight question on a tender response”.

Phase 1 (Days 1–14): Discovery and quick wins

The first two weeks are about understanding what you’ve got, not deploying new tooling. We map every endpoint, every server, every M365 tenant setting, every line-of-business app, every admin account. We document what exists today against the eight strategies.

The quick wins in this phase are usually:

  • Force MFA on every admin account (most SMEs are 80% there but have a couple of legacy break-glass accounts that aren’t)
  • Disable Microsoft Office macros from internet-sourced files (a single Group Policy tick)
  • Enable Office hardening settings that ASD recommends and don’t break anything
  • Audit user privileges and remove standing local admin from any account that doesn’t need it

None of those four require capital expenditure. All four close real risk.

Phase 2 (Days 15–45): The hard ones — patching, application control, admin privileges

The middle phase is where most Essential Eight projects get stuck. Three controls are operationally heavy:

Application control is the single biggest stop on ransomware (attackers can’t run binaries you haven’t allowed). It’s also the strategy that breaks the most workflows. We deploy in audit mode for two weeks, log every executable that runs, then build the allowlist from what’s actually in use. Application control done well is invisible. Done badly, it generates 50 helpdesk tickets in the first week.
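A worked example of the audit-to-allowlist step, added here and not part of TechAssist’s process or tooling: it reads a constructed CSV export of two weeks of audit-mode events (the columns path, publisher, sha256 and count are assumed), turns signed binaries in protected install locations into publisher rules, pins unsigned binaries in protected locations by hash, and sends anything running from a user-writable path to a review queue rather than auto-allowing it.

```python
import csv
import io

# Constructed sample of audit-mode events (not real data). One row per
# distinct binary; count is how many times it ran during the audit window.
AUDIT_CSV = """path,publisher,sha256,count
C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE,O=MICROSOFT CORPORATION,aaaa,412
C:\\Program Files\\Vendor\\LobApp\\lobapp.exe,O=VENDOR PTY LTD,bbbb,85
C:\\Program Files\\OldTool\\oldtool.exe,,ffff,12
C:\\Users\\jsmith\\Downloads\\setup.exe,,cccc,1
C:\\Users\\jsmith\\AppData\\Local\\Temp\\update.exe,,dddd,3
C:\\Windows\\System32\\notepad.exe,O=MICROSOFT WINDOWS,eeee,57
"""

# Locations a standard user can write to. Nothing here is auto-allowed,
# because an allowlist rule on a user-writable path is trivially bypassed.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def build_allowlist(csv_text):
    """Sort audit rows into (publisher_rules, hash_rules, review_queue).

    publisher_rules: signing publishers seen in protected locations.
    hash_rules:      sha256 -> path for unsigned binaries in protected locations.
    review_queue:    (path, count) for binaries run from user-writable paths,
                     most frequent first, for a human to approve or block.
    """
    publisher_rules = set()
    hash_rules = {}
    review_queue = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["path"]
        in_user_writable = path.lower().startswith(USER_WRITABLE_PREFIXES)
        if in_user_writable:
            review_queue.append((path, int(row["count"])))
        elif row["publisher"]:
            publisher_rules.add(row["publisher"])
        else:
            # Unsigned but installed to a protected location: pin it by hash so
            # a replaced binary at the same path is not silently allowed.
            hash_rules[row["sha256"]] = path
    review_queue.sort(key=lambda item: -item[1])
    return publisher_rules, hash_rules, review_queue


if __name__ == "__main__":
    publishers, hashes, review = build_allowlist(AUDIT_CSV)
    print(f"{len(publishers)} publisher rules, {len(hashes)} hash rules, "
          f"{len(review)} binaries for review")
```

Publisher rules are deliberately coarse here; in a real rollout you would scope them to product and minimum version rather than allowing everything a publisher has ever signed.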

Patch applications and operating systems within 48 hours for critical vulnerabilities. Most Melbourne SMEs are doing monthly patching at best. The discipline change is bigger than the tooling change. Read our application patching piece for the operational detail.

Restrict administrative privileges. Pull standing local admin from end users, move privileged work to dedicated admin accounts, audit who has what. This is where users get most upset because the helpful “let me just install this” workflow goes away. Plan the comms before the change. Our restricting admin privileges guide covers the rollout.

Phase 3 (Days 46–75): Backups, MFA depth, hardening

By day 45 you should have application control rolling, patch SLAs tightened, and admin privileges contained. Phase 3 is about depth.

Daily backups, tested. Most SMEs back up. Most don’t restore. We implement a backup that meets the 3-2-1-1-0 standard (three copies, two media, one off-site, one immutable, zero errors verified) and we run a real restore in week 8 to prove it works.

Multi-factor authentication everywhere, not just on email. Every internet-facing service. Every admin function. Every remote access tool. Where MFA isn’t supported by a vendor, escalate it to the vendor or replace the service.

Microsoft Office macro restrictions finalised — block all macros except those that are signed and explicitly allowed. This breaks Excel power-users in finance teams; budget for a one-day training session.

Phase 4 (Days 76–90): Documentation, evidence, and self-assessment

The last two weeks are about making the work auditable. The Essential Eight maturity self-assessment isn’t useful without evidence. We document control implementation, capture screenshots and reports, and build the artefacts you’ll need when the cyber insurer or tender response asks.

By day 90 you should have:

  • A self-assessment showing Maturity Level 1 across all eight strategies (and Level 2 for at least three)
  • An evidence pack — screenshots, configuration exports, patch reports, backup test results
  • A 12-month uplift plan to push toward Maturity Level 2 across the board
  • An incident response runbook with named contacts and call trees

Our Essential Eight compliance guide goes deeper on each strategy and the Essential Eight maturity levels piece explains what Level 1 vs 2 vs 3 actually require.

What you should expect to spend

For a Melbourne SME of 50-100 staff, the realistic 90-day cost range is $25,000–$60,000. The variance comes from how mature you are at day 1. If you’ve already got M365 E3, MFA on email, and reasonable patching, you’re at the low end. If you’re starting from “we have a firewall and Bitdefender”, you’re at the high end.

That number doesn’t include the ongoing managed security cost — that’s typically $40–$80 per user per month on top of standard managed IT.

What to do next

If you’ve got an enterprise customer, government tender, or insurance renewal coming up that’s asking about Essential Eight, working backward from the deadline is the right move. Reach out via book a 90-day kickoff and we’ll send the schedule, scope and quote within 48 hours.

If the Essential Eight is on your radar but not urgent, our managed security service includes ongoing maturity uplift as part of the monthly fee — no separate project gate.
