The Essential Eight Explained: What Every Australian Business Needs to Know in 2026


What Is the Essential Eight?

If you run a business in Australia, you have probably heard the term “Essential Eight” thrown around — maybe by your IT provider, maybe by an industry body, maybe by a government department you deal with. But what does it actually mean, and why should you care?

The Essential Eight is a set of baseline cybersecurity strategies developed by the Australian Signals Directorate (ASD), the federal government's signals intelligence and cyber security agency. It was carved out of ASD's broader Strategies to Mitigate Cyber Security Incidents as the eight that do the most to stop the techniques behind the bulk of the incidents ASD responds to. They are not theoretical. They are practical, proven measures that stop real attacks.

For small and mid-size businesses across Australia — from manufacturers in the outer suburbs to accounting firms in the CBD — the Essential Eight is quickly becoming the minimum standard of cyber hygiene. It is not just for government agencies anymore. Insurance companies are asking about it. Clients are asking about it. Regulators are asking about it.

This guide breaks down all eight strategies in plain English, explains the maturity model, and gives you a practical roadmap for getting your business compliant — without the jargon.

Why the Essential Eight Matters in 2026

Cyber attacks on Australian businesses are not slowing down. The Australian Cyber Security Centre (ACSC) continues to report increases in ransomware, business email compromise, and data breaches affecting organisations of every size. The old assumption that “we are too small to be a target” has been thoroughly debunked — attackers increasingly use automated tools that do not discriminate by company size.

Here is what has changed in recent years that makes the Essential Eight more relevant than ever:

Cyber insurance requirements have tightened. Insurers are increasingly requiring evidence of Essential Eight compliance — or at least progress toward it — before they will underwrite a policy. Some are refusing to pay claims where basic controls were not in place.

Supply chain expectations have risen. Larger organisations, especially in government and critical infrastructure, are requiring their suppliers and contractors to demonstrate baseline cybersecurity maturity. Federal government entities are themselves required to implement the Essential Eight under the Protective Security Policy Framework, and that expectation increasingly flows down to suppliers through contract terms, so if you work with government the Essential Eight is close to mandatory in practice.

The cost of breaches keeps climbing. The average cost of a data breach for an Australian SME now runs into the hundreds of thousands of dollars when you factor in downtime, remediation, legal fees, notification costs, and reputational damage. The Essential Eight is designed to prevent exactly these scenarios.

Regulatory expectations are clearer. The Essential Eight is not legislated as a requirement for businesses in general, but it is mandated for non-corporate Commonwealth entities under the Protective Security Policy Framework and is referenced in regulator and industry guidance as the baseline organisations are expected to be working toward.

The Eight Strategies Explained

Let us walk through each of the eight strategies. For each one, we will explain what it does, why it matters, and what it looks like in practice for a typical Australian business.

1. Application Control

Application control means only allowing approved software to run on your systems. Instead of trying to block every known piece of malware (a losing game), you maintain an allowlist of trusted executables, scripts, installers and libraries, identified by publisher certificate, file hash or path, and block everything else.

In practice, this means that if someone accidentally downloads a malicious file or a rogue program tries to execute, it simply cannot run because it is not on the approved list. This is one of the most effective controls against malware and ransomware.

For most SMEs the sensible path is to run application control in audit mode first, so you learn what actually executes before you block anything, and only then enforce. The ASD's maturity model applies it to workstations first (Maturity Level One), then internet-facing servers (Level Two), then all servers (Level Three). Your IT provider should be able to deploy and manage it through the endpoint management tools you already have (AppLocker, Windows Defender Application Control or a third-party product).
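The audit-first rollout described above, as an added example rather than anything from TechAssist or the ASD: it builds an AppLocker policy from the software already installed, applies it in audit-only mode, and then reports what would have been blocked. It assumes an elevated PowerShell session on Windows Enterprise/Education or Windows Server (the editions where AppLocker enforcement is supported); the output path, the directories inventoried and the seven-day review window are assumptions for illustration.

```powershell
# Added example (not TechAssist code). Generates an AppLocker policy from installed
# software, applies it locally in AuditOnly mode, then lists what would have been blocked.
# Assumes an elevated session on Windows Enterprise/Education or Server.

$PolicyPath = 'C:\Temp\applocker-audit.xml'   # assumed location
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Inventory what is installed. Review this list: a policy generated from a machine
#    that already has something unwanted on it will allowlist that too.
#    Publisher rules survive patching; hash rules are the fallback for unsigned files.
$fileInfo = 'C:\Program Files', 'C:\Program Files (x86)', $env:windir | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Build a policy for Everyone. New-AppLockerPolicy writes EnforcementMode="NotConfigured"
#    on each rule collection, so switch every collection to AuditOnly before applying.
$xml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $PolicyPath -Value $xml -Encoding UTF8

# 3. AppLocker evaluates nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 4. Apply to the local policy. For a fleet, import the same XML into a GPO or Intune.
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 5. In audit mode, event 8003 records every file that ran but would have been blocked
#    under enforcement. Work through this list before changing AuditOnly to Enabled.
function Get-AppLockerAuditFindings {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-AppLockerAuditFindings | Format-Table -AutoSize -Wrap
```

The inventory over the Windows directory takes a while and produces a large policy; that is the cost of covering DLLs and scripts, which the current baseline requires alongside executables. Run the findings report after a normal working week, not after an hour, or you will enforce before line-of-business tools have been seen running.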

2. Patch Applications

This one is straightforward: keep your software up to date. When vendors release security patches for applications like web browsers, Microsoft Office, PDF readers and other commonly used software, those patches need to be applied promptly. The ASD's timeframes depend on what the software is exposed to. For internet-facing services it is within 48 hours where the vendor rates the vulnerability critical or a working exploit exists, and within two weeks otherwise. For ordinary desktop software at Maturity Level One it is two weeks for browsers, Office, email clients, PDF readers and security products, and a month for everything else; the 48-hour rule for critical vulnerabilities extends to those applications at Level Two.

Unpatched applications are one of the most common entry points for attackers. The vulnerability is publicly known, the exploit is often available, and the only thing standing between you and a breach is whether you have applied the fix.

Automated patch management tools make this manageable, even for businesses with dozens or hundreds of devices. The key is having a system — not relying on individual staff to click “update later” every Tuesday.

3. Configure Microsoft Office Macro Settings

Microsoft Office macros are small programs that run inside Word, Excel, and other Office documents. They are incredibly useful for automating tasks, but they are also one of the most exploited attack vectors in existence. A huge proportion of malware is delivered via malicious macros embedded in email attachments.

The Essential Eight's baseline here has four parts: macros are disabled for every user who has no demonstrated business need, macros in files that came from the internet (email attachments and downloads carrying the Mark of the Web) are blocked outright, macro antivirus scanning is turned on, and the macro security settings are locked so users cannot change them. Where a team genuinely needs macros, allow only digitally signed ones or a tightly controlled trusted location rather than switching macros back on wholesale.

For most businesses, this means configuring Group Policy settings to disable macros by default and creating exceptions only where genuinely needed. It is a relatively simple change that eliminates a massive attack surface.
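The Group Policy change described above, as an added example that is not TechAssist's own script: it reads and, if asked, writes the registry values the Office policy templates set. It assumes Microsoft 365 Apps or Office 2016 and later (registry version key 16.0), shows Word, Excel and PowerPoint, and writes under the user's Policies hive, which binds the signed-in user only and greys out the Trust Center controls; for a fleet the same values go out through Group Policy or Intune.

```powershell
# Added example (not TechAssist code). Audits and sets the Office macro policy values
# that the Group Policy templates write. Assumes Office registry version 16.0.
# HKCU:\...\Policies affects the signed-in user only; deploy via GPO/Intune for a fleet.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'        # extend to the other Office apps you deploy
$Base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"

# Maturity Level One target state:
#   VBAWarnings = 4                        all macros disabled, no prompt
#                                          (users with a demonstrated need get 3: signed only)
#   blockcontentexecutionfrominternet = 1  macros blocked in files carrying Mark of the Web
#   MacroRuntimeScanScope = 2              AMSI scans macro code at run time in all documents
$PerAppDesired = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }
$CommonDesired = @{ MacroRuntimeScanScope = 2 }

function Get-OfficeMacroPolicyState {
    # One row per (application, setting): current value, desired value, compliant or not.
    $targets = @(foreach ($app in $Apps) {
        foreach ($name in $PerAppDesired.Keys) {
            [pscustomobject]@{ App = $app; Key = "$Base\$app\Security"; Name = $name; Desired = $PerAppDesired[$name] }
        }
    })
    $targets += @(foreach ($name in $CommonDesired.Keys) {
        [pscustomobject]@{ App = 'Common'; Key = "$Base\Common\Security"; Name = $name; Desired = $CommonDesired[$name] }
    })
    foreach ($t in $targets) {
        $current = (Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        [pscustomobject]@{
            App       = $t.App
            Setting   = $t.Name
            Current   = $current
            Desired   = $t.Desired
            Compliant = ($null -ne $current -and [int]$current -eq $t.Desired)
        }
    }
}

function Set-OfficeMacroPolicy {
    # Creates the policy keys if absent and writes the DWORD values above.
    foreach ($app in $Apps) {
        $key = "$Base\$app\Security"
        New-Item -Path $key -Force | Out-Null
        foreach ($name in $PerAppDesired.Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $PerAppDesired[$name] -Force | Out-Null
        }
    }
    $common = "$Base\Common\Security"
    New-Item -Path $common -Force | Out-Null
    foreach ($name in $CommonDesired.Keys) {
        New-ItemProperty -Path $common -Name $name -PropertyType DWord -Value $CommonDesired[$name] -Force | Out-Null
    }
}

# Report what is out of policy. Run Set-OfficeMacroPolicy, then restart Office, to fix it.
Get-OfficeMacroPolicyState | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Because the values live under the Policies hive, users see the macro options greyed out in the Trust Center, which is how the "settings cannot be changed by users" part of the baseline is met without extra tooling.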

4. User Application Hardening

This strategy is about reducing the attack surface of the applications your staff use every day. At the baseline level it means Internet Explorer 11 is disabled or removed, web browsers do not process Java or web advertisements from the internet, and browser security settings are locked so users cannot weaken them. (Earlier versions of the model also called out Flash, which is long gone.) Beyond that it extends to disabling unneeded features in Office, PDF readers and the browser, and configuring applications not to process untrusted content automatically.

In plain terms: strip away the features that nobody uses but that attackers love to exploit. Web browsers, in particular, should be configured to block ads, disable unneeded plugins, and prevent drive-by downloads.

This is typically handled through Group Policy and browser configuration profiles that your IT team can deploy across all machines centrally.

5. Restrict Administrative Privileges

Administrative accounts — the ones that can install software, change settings, and access everything — are the keys to the kingdom. If an attacker compromises an admin account, they effectively own your network.

The Essential Eight requires that administrative privileges are granted only to staff who genuinely need them, that admin accounts are not used for everyday tasks like reading email or browsing the web (privileged accounts should be blocked from the internet and email altogether), and that admin access is validated when it is granted and revalidated on a regular cycle.

For most businesses, this means ensuring that your day-to-day user accounts are standard (non-admin) accounts, that a separate admin account exists for when elevated access is genuinely needed, and that the number of people with admin access is kept to an absolute minimum.
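A way to check the "admin account used for daily work" problem described here (and again under the common gaps later on the page), as an added example and not TechAssist's tooling: it takes the local Administrators group and cross-references it against interactive sign-ins in the Security log. It assumes an elevated session on a Windows workstation whose Security log still holds the lookback window; the 30-day window is an assumption. Group members of the local group (such as Domain Admins) are not expanded, so run it against the individual accounts you care about or add group expansion for a domain.

```powershell
# Added example (not TechAssist code). Lists local administrators that have been used for
# interactive sign-ins in the lookback window, i.e. admin accounts doing everyday work.
# Assumes an elevated session; Security log retention limits how far back it can see.

function Get-AdminInteractiveLogons {
    param([int]$Days = 30)

    # Members of the local Administrators group in DOMAIN\user form, lower-cased for matching.
    # Groups (e.g. DOMAIN\Domain Admins) appear here too but will not match individual logons.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.ToLowerInvariant() }

    # 4624 = successful logon. Types 2 (console), 10 (RDP) and 11 (cached credentials)
    # are interactive; 3 (network) and 5 (service) are not and are ignored here.
    $interactiveTypes = 2, 10, 11
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $hits = foreach ($e in $events) {
        # 4624 property order: [5] TargetUserName, [6] TargetDomainName, [8] LogonType
        $user = "$($e.Properties[6].Value)\$($e.Properties[5].Value)".ToLowerInvariant()
        $type = [int]$e.Properties[8].Value
        if (($interactiveTypes -contains $type) -and ($admins -contains $user)) {
            [pscustomobject]@{ Account = $user; LogonType = $type; When = $e.TimeCreated }
        }
    }

    $hits | Group-Object Account | ForEach-Object {
        [pscustomobject]@{
            Account           = $_.Name
            InteractiveLogons = $_.Count
            LogonTypes        = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            LastSeen          = ($_.Group | Sort-Object When -Descending | Select-Object -First 1).When
        }
    }
}

# Anything listed is an admin account being used at the console or over RDP. The fix is a
# separate standard account for daily use, and a review of whether the admin right is needed.
Get-AdminInteractiveLogons | Format-Table -AutoSize
```

An empty result is only meaningful if the Security log actually covers the whole window; check the oldest event in the log before trusting it.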

6. Patch Operating Systems

Same principle as patching applications, but for the operating systems themselves — Windows, macOS, Linux, and the firmware on your network devices. OS vulnerabilities are high-value targets for attackers because a compromised operating system gives them deep access to the machine.

Critical OS patches for internet-facing systems should be applied within 48 hours, with the same graduated timeframes as applications for everything else. Operating systems that are no longer supported by the vendor (like older versions of Windows) must be replaced; the ASD's control is replacement, not isolation, because an unsupported system will never receive patches for newly discovered vulnerabilities. Isolating one from the network is at best an interim measure while the replacement is arranged.

This is another area where automated patch management is essential. Manual patching across a fleet of devices is unreliable and unsustainable.
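One way to see whether a device is inside the patching timeframes discussed in this section and in the application patching section above, as an added example that is not TechAssist's tooling: it asks the Windows Update Agent for updates that are offered but not installed and works out how long each has been waiting. It reports whatever the device's update source offers (Microsoft Update covers Windows and Office), so it is a check on Microsoft patching, not on third-party applications. The 48-hour and 14-day thresholds are assumptions that mirror the internet-facing case in the ASD model; the windows that actually apply depend on the asset class and maturity level, and the agent cannot tell you whether a working exploit exists.

```powershell
# Added example (not TechAssist code). Lists pending updates and flags those outside the
# assumed timeframes (48 h for vendor-rated critical, 14 days otherwise). Uses the Windows
# Update Agent COM API; the search can take a minute on a device that has not checked recently.

function Get-OverdueUpdates {
    param(
        [int]$CriticalHours = 48,   # assumed: internet-facing, vendor-rated critical
        [int]$OtherDays     = 14    # assumed: internet-facing, everything else
    )
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Not installed, software (not drivers), not hidden by an administrator.
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $now      = Get-Date

    foreach ($u in $result.Updates) {
        # LastDeploymentChangeTime is when the update was last published to this update source.
        $published = [datetime]$u.LastDeploymentChangeTime
        $severity  = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        $deadline  = if ($severity -eq 'Critical') { $published.AddHours($CriticalHours) }
                     else                          { $published.AddDays($OtherDays) }

        [pscustomobject]@{
            KB        = (@($u.KBArticleIDs | ForEach-Object { "KB$_" })) -join ','
            Severity  = $severity
            Published = $published
            AgeDays   = [math]::Round(($now - $published).TotalDays, 1)
            Overdue   = ($now -gt $deadline)
            Title     = $u.Title
        }
    }
}

# The other common failure is a device whose last cumulative update went on months ago.
# Get-HotFix shows what was actually installed and when.
function Get-LastPatchAgeDays {
    $last = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if ($last) { [math]::Round(((Get-Date) - $last.InstalledOn).TotalDays, 1) } else { $null }
}

Get-OverdueUpdates | Where-Object Overdue | Format-Table KB, Severity, AgeDays, Title -AutoSize
"Days since last installed hotfix: $(Get-LastPatchAgeDays)"
```

Run this from your RMM or a scheduled task and keep the output; a history of zero overdue updates per device is exactly the evidence an assessor or insurer asks for.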

7. Multi-Factor Authentication (MFA)

Multi-factor authentication means requiring two or more forms of verification before granting access — typically something you know (a password) plus something you have (a phone, a hardware key) or something you are (a fingerprint).

MFA should be implemented on all internet-facing services (email, VPNs, cloud applications, remote desktop), and ideally on all access to sensitive data and systems. It is one of the single most effective controls against credential theft and business email compromise. Not all second factors are equal, though: SMS codes are the weakest option, authenticator apps are better, and hardware keys or passkeys (FIDO2) resist phishing entirely, which is what the ASD requires from Maturity Level Two upwards.

If your staff are still logging into Microsoft 365, your accounting software, or your VPN with just a username and password, you have a significant vulnerability. MFA is no longer optional — it is table stakes.
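A way to find the Microsoft 365 accounts that still sign in with a password alone, or that rely on SMS only (the "MFA not applied everywhere" gap later on the page), as an added example rather than TechAssist's tooling: it ranks each account by the strongest authentication method registered. The ranking runs on a constructed sample so it can be tried without a tenant; the live function assumes the Microsoft Graph PowerShell SDK is installed and that you can consent to the two read scopes. Registration is not enforcement: Conditional Access or Security Defaults must still require MFA, or a registered method changes nothing.

```powershell
# Added example (not TechAssist code). Classifies accounts by strongest registered method.
# Live path assumes the Microsoft.Graph PowerShell SDK and consent to the two read scopes.

# Rank by strength. FIDO2 and Windows Hello for Business are phishing-resistant;
# SMS/voice is the weakest method that still counts as a second factor.
$Rank = @{
    '#microsoft.graph.fido2AuthenticationMethod'                   = 5
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 5
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 4
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 3
    '#microsoft.graph.phoneAuthenticationMethod'                   = 2
    '#microsoft.graph.emailAuthenticationMethod'                   = 1   # password reset only, not MFA
    '#microsoft.graph.passwordAuthenticationMethod'                = 0
}

function Get-MfaPosture {
    # Pure classification: takes the @odata.type strings of a user's registered methods.
    param([string]$User, [string[]]$MethodTypes)
    $ranked = @($MethodTypes | Where-Object { $Rank.ContainsKey($_) })
    $best   = if ($ranked.Count) { ($ranked | ForEach-Object { $Rank[$_] } | Measure-Object -Maximum).Maximum } else { 0 }
    $name   = ($ranked | Where-Object { $Rank[$_] -eq $best } | Select-Object -First 1) -replace '^#microsoft\.graph\.', ''
    [pscustomobject]@{
        User              = $User
        Strongest         = if ($name) { $name } else { 'none' }
        HasMfa            = ($best -ge 2)
        SmsOnly           = ($best -eq 2)
        PhishingResistant = ($best -ge 5)
    }
}

function Get-MfaCoverageReport {
    # Live version over every enabled user in the tenant.
    Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome
    Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName | ForEach-Object {
        $types = Get-MgUserAuthenticationMethod -UserId $_.Id |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        Get-MfaPosture -User $_.UserPrincipalName -MethodTypes $types
    }
}

# Constructed sample (not real tenant data) covering the cases that matter.
$sample = @{
    'alice@example.com' = @('#microsoft.graph.passwordAuthenticationMethod', '#microsoft.graph.fido2AuthenticationMethod')
    'bob@example.com'   = @('#microsoft.graph.passwordAuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod')
    'carol@example.com' = @('#microsoft.graph.passwordAuthenticationMethod')
    'dave@example.com'  = @('#microsoft.graph.passwordAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod')
}
$report = $sample.GetEnumerator() | ForEach-Object { Get-MfaPosture -User $_.Key -MethodTypes $_.Value }
# Replace the line above with:  $report = Get-MfaCoverageReport   to run against the tenant.

"No second factor registered:";  $report | Where-Object { -not $_.HasMfa } | Format-Table User -AutoSize
"SMS/voice only:";               $report | Where-Object SmsOnly            | Format-Table User -AutoSize
"Not phishing-resistant:";       $report | Where-Object { -not $_.PhishingResistant } | Format-Table User, Strongest -AutoSize
```

The third list is the one to watch as you move from Level One to Level Two: accounts that have MFA but not a phishing-resistant method will need a FIDO2 key or passkey before that level can be claimed.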

8. Regular Backups

The final strategy is ensuring that you have regular, tested and resilient backups of your important data, software and configuration settings. Backups should be performed frequently, stored securely (including offsite or in the cloud), kept where an ordinary user account, or an attacker who has taken one over, cannot modify or delete them, and, critically, tested regularly to ensure they can actually be restored.

Backups are your last line of defence against ransomware. If your systems are encrypted by an attacker, the ability to restore from a clean backup can be the difference between a few hours of disruption and a business-ending event.

The 3-2-1 rule is a good starting point: three copies of your data, on two different types of media, with one copy stored offsite. But the real test is whether you have actually practised a restore. A backup you have never tested is not a backup — it is a hope.
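A restore test you can actually run, as an added example that is not TechAssist's tooling and works with any backup product: it hashes every file in the live data and in the restored copy and reports what is missing or differs. The paths are assumptions; in practice point $Source at a representative share and $Restored at the folder your backup tool restored into a scratch location. The demo at the bottom constructs its own small source tree and a deliberately incomplete restore so the check can be exercised without a backup job.

```powershell
# Added example (not TechAssist code). Compares SHA-256 manifests of a source tree and a
# restored tree so a test restore is judged on content, not on whether the job said "OK".

function New-FileManifest {
    param([Parameter(Mandatory)][string]$Root)
    # Relative path -> size + hash, so the two trees compare regardless of where they sit.
    $rootFull = (Resolve-Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            Length       = $_.Length
            Hash         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Test-RestoreIntegrity {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Restored
    )
    $src = @{}; New-FileManifest -Root $Source   | ForEach-Object { $src[$_.RelativePath] = $_ }
    $rst = @{}; New-FileManifest -Root $Restored | ForEach-Object { $rst[$_.RelativePath] = $_ }

    # @( ) around each pipeline so "no matches" is an empty array, not $null.
    $missing  = @($src.Keys | Where-Object { -not $rst.ContainsKey($_) })
    $extra    = @($rst.Keys | Where-Object { -not $src.ContainsKey($_) })
    $modified = @($src.Keys | Where-Object { $rst.ContainsKey($_) -and $rst[$_].Hash -ne $src[$_].Hash })

    [pscustomobject]@{
        SourceFiles   = $src.Count
        RestoredFiles = $rst.Count
        Missing       = $missing
        Modified      = $modified
        Extra         = $extra
        Passed        = ($missing.Count -eq 0 -and $modified.Count -eq 0)
    }
}

# Constructed demo data (not real business files): a small source tree and a "restore"
# in which one file never came back and one came back with different contents.
$demo = Join-Path $env:TEMP 'restore-test'            # assumed scratch location
Remove-Item $demo -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path "$demo\source\finance", "$demo\restored\finance" -Force | Out-Null
Set-Content "$demo\source\finance\ledger.csv"    'date,amount'
Set-Content "$demo\source\finance\payroll.csv"   'name,net'
Set-Content "$demo\source\readme.txt"            'do not delete'
Set-Content "$demo\restored\finance\ledger.csv"  'date,amount'
Set-Content "$demo\restored\finance\payroll.csv" 'name,net,changed'   # differs from source
# readme.txt deliberately absent from the restore

Test-RestoreIntegrity -Source "$demo\source" -Restored "$demo\restored" | Format-List
```

For a real test, capture the source manifest at backup time (pipe New-FileManifest to Export-Csv and store it with the backup) and compare the restore against that, otherwise files legitimately edited since the backup ran will show up as modified. Record the run time as well: how long the restore took is the number that decides whether a ransomware event is a bad day or a bad quarter.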

Understanding the Maturity Model

The Essential Eight is not a binary pass/fail. The ASD defines four maturity levels — zero through three — that reflect increasing levels of implementation sophistication.

Maturity Level Zero: The strategy is either not implemented or only partially implemented, with significant gaps. This is where most businesses start, and it means you have material vulnerabilities.

Maturity Level One: The strategy is implemented to a basic standard. It addresses the most common attack techniques but may not cover more sophisticated threats. For many SMEs, reaching Maturity Level One across all eight strategies is a realistic and meaningful first milestone.

Maturity Level Two: The strategy is implemented to a higher standard, addressing more sophisticated attack techniques (phishing-resistant MFA and 48-hour patching of critical vulnerabilities on workstations, for example). This level typically requires more investment in tooling and process. It is the level mandated for federal government entities, and it is what mid-market organisations and government suppliers are increasingly expected to achieve.

Maturity Level Three: The strategy is fully implemented to the highest standard, addressing the most advanced threats. This level is typically required for organisations handling highly sensitive data or operating in high-risk environments.

The ASD recommends that organisations aim for a consistent maturity level across all eight strategies, rather than being strong in some and weak in others. An attacker will always target your weakest point.

Where Most Australian Businesses Fall Short

In our experience working with businesses across Melbourne’s northern and western suburbs and beyond, the most common gaps we see are:

No application control. Most SMEs have never implemented application whitelisting. They rely entirely on antivirus, which is necessary but nowhere near sufficient on its own.

Inconsistent patching. Patches get applied eventually, but not within the ASD's timeframes, which run from 48 hours for critical or actively exploited vulnerabilities in internet-facing systems to a month at the outside. Critical vulnerabilities sit exposed for weeks or months.

Admin accounts used for everyday work. Staff — including business owners — log in with admin accounts for daily tasks. When those accounts are compromised, the attacker gets full access.

MFA not applied everywhere. MFA might be on email but not on the VPN, or on the VPN but not on the accounting software. Attackers look for the gap.

Backups that have never been tested. Backups exist on paper, but no one has actually attempted a full restore. When the crisis hits, the backup turns out to be incomplete, corrupted, or too slow to restore.

How to Get Started with Essential Eight Compliance

Getting your business to Essential Eight compliance does not have to be an overwhelming project. Here is a practical roadmap:

Step 1: Assess where you are. Get an IT audit that specifically measures your current maturity against the Essential Eight framework. You cannot improve what you have not measured.

Step 2: Set a target maturity level. For most SMEs, Maturity Level One is the right initial target. It is achievable and meaningful, and it satisfies many insurance and supply chain questionnaires, though some government contracts specify Level Two, so check what your contracts actually require before you settle on a target.

Step 3: Prioritise the quick wins. MFA, patching, and backup testing are typically the fastest to implement and deliver the biggest immediate risk reduction. Start there.

Step 4: Build a roadmap for the harder controls. Application control and user application hardening require more planning and testing. Work with your IT provider to build a phased rollout that does not disrupt operations.

Step 5: Document everything. Compliance is not just about having the controls in place — it is about being able to demonstrate that they are in place. Keep records of your policies, your implementation, your testing, and your reviews.

Step 6: Review and improve regularly. Cyber threats evolve. Your controls need to evolve with them. Schedule quarterly reviews of your Essential Eight maturity and adjust your roadmap as needed.

How TechAssist Helps with Essential Eight Compliance

At TechAssist, we help businesses across Australia implement the Essential Eight as part of our cybersecurity services and Essential Eight compliance program. We start with a thorough assessment, build a prioritised roadmap, and handle the implementation so your team can focus on running the business.

Our approach is practical and no-nonsense. We do not sell fear, and we do not push solutions you do not need. We assess where you are, identify the gaps that matter most, and close them systematically — with clear reporting so you always know where you stand.

Whether you are starting from scratch or looking to move from Maturity Level One to Two, we can help you get there without the complexity and cost that larger consulting firms charge.


Ready to assess your Essential Eight maturity? Get in touch and we will start with a no-obligation conversation about where your business stands and what it will take to get compliant.
