The Australian Signals Directorate's Annual Cyber Threat Report puts the average self-reported cost of cybercrime to a small Australian business at roughly $46,000 per incident, and that figure has risen year on year. It's not only the headline-grabbing data breaches. Credential theft, ransomware and misconfigured cloud access all carry real financial consequences, and Australian businesses of every size are dealing with them.
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), developed the Essential Eight as a prioritised subset of its broader Strategies to Mitigate Cyber Security Incidents: eight mitigation strategies that, implemented properly and together, make it much harder for an adversary to compromise a system and limit the damage when one does. It was designed for Microsoft Windows based, internet-connected networks; the principles carry over to other environments, but those may need additional or alternative controls.
What Are the Essential Eight?
The Essential Eight are eight specific security controls that the ACSC considers the most effective baseline for Australian organisations:
- Application Control: allow only approved executables, scripts, installers and similar content to run, and block everything else
- Patch Applications: patch applications promptly (within 48 hours where an exploit exists) and remove applications the vendor no longer supports
- Configure Microsoft Office Macro Settings: block macros in files from the internet, and allow macros only for users with a demonstrated business need, preferably only when signed by a trusted publisher
- User Application Hardening: harden browsers, Office and PDF readers: disable or remove Internet Explorer 11, stop browsers processing Java and advertisements from the internet, and prevent users weakening browser security settings
- Restrict Administrative Privileges: grant admin rights only where genuinely needed, validate them regularly, and keep privileged accounts off the internet, email and web services
- Patch Operating Systems: patch promptly and replace operating systems the vendor no longer supports
- Multi-Factor Authentication (MFA): require MFA for online services, remote access and privileged accounts, moving to phishing-resistant MFA at higher maturity levels
- Regular Backups: back up data, applications and settings, keep backups out of reach of unprivileged accounts (and of privileged accounts other than backup administrators at higher levels), and test restoration as part of disaster recovery exercises
The Maturity Level Model
The Essential Eight uses a maturity model with four levels. Maturity Level 0 means there are significant weaknesses in the organisation's posture; Levels 1 to 3 are defined by the increasing sophistication of adversary tradecraft they are intended to defeat, not simply by how much of each control is switched on. ASD's general guidance is that Level 1 may suit small to medium enterprises, Level 2 large enterprises, and Level 3 critical infrastructure providers and other organisations operating in high-threat environments; Level 2 is also the mandated minimum for non-corporate Commonwealth entities under the Protective Security Policy Framework. Two points trip up many organisations: ASD expects you to reach the same maturity level across all eight strategies before moving to the next, and your overall maturity level is the lowest level achieved across the eight.
Who Needs to Comply?
Implementing the Essential Eight to Maturity Level 2 is mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework, and a demonstrated maturity level is increasingly expected by enterprise clients, cyber insurers and procurement teams. Even where it is not mandated for your business, it gives you something concrete to show when a client or insurer asks about your security controls.
Where to Start
The first step is an Essential Eight maturity assessment: a structured evaluation of where you currently sit against each of the eight strategies at a chosen target level, following the assessment process ASD publishes. This gives you a clear baseline and a prioritised remediation roadmap. Most businesses discover they are further along than they thought on some strategies and significantly behind on others, and because the overall level is capped by the weakest of the eight, those laggards set the priority.
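Before a formal assessment, it helps to see how far a single host is from the control descriptions above. The script below is an added example, not part of the original article and not ASD's assessment tooling: it reads local configuration for five of the eight strategies (application control, Office macros, user application hardening, administrative privileges and OS patching) and prints a PASS/FAIL/REVIEW table. It assumes Office 2016 or later (policy keys under `Office\16.0`), the Defender ASR rule GUIDs listed in the script, and thresholds (two local administrators, 14 days since the last update) that are illustrative rather than taken from the maturity model. It changes nothing on the host.

```powershell
<#
  Added example: local spot-check of Essential Eight indicators on one Windows host.
  Not ASD's assessment process; read-only; run from an elevated PowerShell 5.1+ session.
  Assumptions: Office policy keys under Office\16.0; ASR GUIDs below; illustrative thresholds.
#>
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Control, [string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Check = $Check; Status = $Status; Detail = $Detail })
}

# --- Application control: is an allow-list policy actually enforced (WDAC or AppLocker)? ---
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
# UsermodeCodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
$wdacStatus = if ($dg) { [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus } else { 0 }
$appLockerExeEnforced = $false
try {
    $policy = [xml](Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop)
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $appLockerExeEnforced = [bool]($exe -and ($exe.EnforcementMode -eq 'Enabled'))
} catch { }   # AppLocker cmdlets are absent on some Windows editions; treat as not enforced
$status = if ($wdacStatus -eq 2 -or $appLockerExeEnforced) { 'PASS' } else { 'FAIL' }
Add-Finding 'Application control' 'Allow-list policy enforced' $status "WDAC user-mode status=$wdacStatus; AppLocker Exe enforced=$appLockerExeEnforced"

# --- Office macros: policy-enforced blocking. VBAWarnings 3 = signed only, 4 = all disabled;
#     blockcontentexecutionfrominternet 1 = block macros in files marked as from the internet. ---
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $mark = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $status = if (($vba -in @(3, 4)) -and ($mark -eq 1)) { 'PASS' } elseif ($null -eq $vba) { 'UNSET' } else { 'FAIL' }
    Add-Finding 'Office macros' "$app macro policy" $status "VBAWarnings=$vba; blockcontentexecutionfrominternet=$mark"
}

# --- User application hardening (Maturity Level 2 indicators): Office/PDF ASR rules in block mode.
#     Actions: 0 = off, 1 = block, 2 = audit, 6 = warn. GUIDs are Microsoft's published rule IDs. ---
$asr = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting code into other processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}
$mp  = Get-MpPreference -ErrorAction SilentlyContinue
$ids = @(if ($mp) { $mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpperInvariant() } })
foreach ($id in $asr.Keys) {
    $action = $null
    $i = [array]::IndexOf($ids, $id)
    if ($i -ge 0) { $action = [int]$mp.AttackSurfaceReductionRules_Actions[$i] }
    $status = if ($action -eq 1) { 'PASS' } elseif ($null -eq $action) { 'UNSET' } else { 'FAIL' }
    Add-Finding 'App hardening' $asr[$id] $status "ASR action=$action"
}

# --- Restrict administrative privileges: every member of local Administrators needs a justification.
#     The threshold of two is an assumption for this example. ---
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$status = if ($admins.Count -le 2) { 'PASS' } else { 'REVIEW' }
Add-Finding 'Admin privileges' 'Local Administrators membership' $status (($admins | ForEach-Object { $_.Name }) -join ', ')

# --- Patch operating systems: days since the newest installed update. Get-HotFix lists installed
#     updates only, not pending ones, so pair this with your patch-management data. The 14-day threshold is
#     an assumption; the maturity model's timeframes range from 48 hours to one month by level and asset. ---
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $status = if ($age -le 14) { 'PASS' } else { 'FAIL' }
    Add-Finding 'Patch OS' 'Days since newest installed update' $status "$($latest.HotFixID) installed $age days ago"
} else {
    Add-Finding 'Patch OS' 'Days since newest installed update' 'UNKNOWN' 'No InstalledOn data from Get-HotFix'
}

# Anything other than PASS is a lead for the remediation roadmap, not a verdict on maturity level.
$findings | Format-Table -AutoSize -Wrap
```

A PASS here is evidence for one host, not a maturity rating: the model is assessed across the whole environment, and three strategies (application patching, MFA and backups) cannot be judged from a single machine's registry, so they are deliberately left out. Run it on a representative workstation and a server before the assessment so the gaps in the roadmap are not a surprise.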
