The cost of a cyber incident to an Australian small or medium business runs well into the tens of thousands of dollars, and the ASD's annual reporting shows it climbing year on year. It is not only the headline-grabbing data breaches. Credential theft, ransomware and misconfigured cloud access all carry real financial consequences, and the window to exploit a new weakness is shrinking as attackers adopt AI.
The Australian Cyber Security Centre (ACSC) developed the Essential Eight framework to give organisations a practical, prioritised set of mitigation strategies that, when implemented properly, reduce the likelihood and impact of the most common cyber attacks.
What Are the Essential Eight?
The Essential Eight are eight specific security controls that the ACSC considers the most effective baseline for Australian organisations:
- Application Control: only allow approved applications to run on your systems
- Patch Applications: keep all applications updated and patched promptly
- Configure Microsoft Office Macro Settings: restrict macro execution to trusted sources only
- User Application Hardening: configure browsers and applications to block web-based attacks
- Restrict Administrative Privileges: limit admin access to those who genuinely need it
- Patch Operating Systems: keep operating systems patched and supported
- Multi-Factor Authentication (MFA): require MFA for all remote access and privileged accounts
- Regular Backups: back up important data, test restoration regularly
The Maturity Level Model
The Essential Eight uses a maturity level system that runs from 0 to 3, measuring how completely each control is implemented rather than how many you have simply switched on:
- Maturity Level 0: meaningful weaknesses remain; the controls are not yet properly in place.
- Maturity Level 1: protects against attackers using widely available, commodity tradecraft.
- Maturity Level 2: protects against attackers willing to invest more time and effort, and to work around basic controls.
- Maturity Level 3: protects against adaptive attackers who target your organisation specifically and move quickly on any gap.
The ACSC's guidance is to implement the eight as a package and reach a consistent level across all of them, rather than maxing out one control while another lags. Most organisations are advised to target Maturity Level 2 as a baseline, with Level 3 for those handling sensitive data or operating in high-risk environments. Maturity is not a one-off either: it is reassessed over time as your systems and the threat landscape change. For how this compares with a full management system, see Essential Eight vs ISO 27001.
Who Needs to Comply?
Essential Eight compliance is mandatory for many federal government agencies and increasingly expected by enterprise clients, cyber insurers, and procurement teams. Even if it's not currently mandatory for your business, a strong Essential Eight maturity level is becoming a procurement requirement. It gives you something concrete to show when clients or insurers ask about your security controls.
Where to Start
The first step is an Essential Eight maturity assessment: a structured evaluation of where you currently sit against each of the eight controls. This gives you a clear baseline and a prioritised remediation roadmap. Most businesses discover they're further along than they thought on some controls and significantly behind on others. For a quick indicative read before you commit, try our free Essential Eight self-assessment tool, which gives you a maturity level in about three minutes.
The Essential Eight is a baseline, not a finish line.
Eight controls, implemented as a package and kept at a consistent maturity level, stop the great majority of common attacks. The work is knowing where you sit today and closing the gaps in priority order, then holding that line as your systems and the threats both change.
