The Essential Eight is a cybersecurity framework from the Australian Cyber Security Centre (ACSC) — the government's lead cybersecurity agency. It identifies eight mitigation strategies that, implemented together, make it significantly harder for attackers to compromise your systems, steal data, or deploy ransomware. It's not a product you buy — it's a set of practices you implement.
Only approved applications can run on your systems. This stops malware from executing even if it reaches a device: if it isn't on the approved list, it can't run. Note that the ACSC's definition is wider than .exe files alone; at Maturity Level 1 it also covers software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets, at least within user profiles and the temporary folders used by the operating system, browsers and email clients. For SMEs, this means configuring Windows AppLocker (or Windows Defender Application Control) to restrict execution to trusted applications, ideally starting in audit mode to see what would have been blocked before switching to enforcement.
Security updates for applications (browsers, Office, PDF readers, Java) applied promptly: the ACSC baseline is within 48 hours of release when the vendor rates the vulnerability critical or a working exploit exists, and within two weeks otherwise. Applications the vendor no longer supports should be removed rather than left unpatched. Unpatched applications are a primary entry point: known vulnerabilities with published fixes that simply haven't been applied.
Macros in Office documents are a common malware delivery mechanism. Disable macros entirely for users who have no demonstrated business need for them, block macros in documents that arrived from the internet for everyone else, scan any macros that are allowed with antivirus, and enforce these settings by policy so users cannot switch them back on in the Trust Center.
Disable features in browsers, PDF viewers and Office that attackers exploit but your business doesn't need: Java and web advertisements from the internet in the browser, legacy components such as Internet Explorer 11 and Flash (Flash is already gone from current browsers; make sure no old install lingers), and lock browser security settings so users cannot change them. This reduces the attack surface without affecting core functionality.
Admin accounts are used only for admin tasks, never for daily work like email or browsing. A compromised admin account hands the attacker full control of the system, so keeping privileged and everyday access separate limits the damage any single breach can cause. In practice this means a separate admin account per IT user, granted on request and reviewed regularly, and blocked from reading email or browsing the web.
OS security updates applied within 48 hours of release when the vendor rates the vulnerability critical or it is being actively exploited, and within two weeks otherwise, with operating systems the vendor no longer supports replaced. Like application patching, this closes known vulnerabilities before they are exploited. For most SMEs, enabling automatic updates is the simplest implementation.
Two or more verification factors to access systems: a password plus a phone code, an authenticator app, a hardware security key or a fingerprint. Enable it on every internet-facing service: email, accounting software, banking, cloud storage, VPN and remote access. MFA defeats most credential-based attacks, including password reuse and password spraying. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes where a service supports them, because SMS and one-time codes can still be relayed through a real-time phishing page.
Daily backups stored separately from the main systems (ideally offline or immutable, so ransomware cannot modify or delete them) and tested regularly for successful restoration. Ordinary user accounts should not be able to access, modify or delete backups, since ransomware operators look for backups before they encrypt. Untested backups are not backups: test quarterly at minimum, and verify that the restored data is complete and intact, not just that the backup job reported success.
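As an added example (not part of the ACSC guidance or of this article), the PowerShell script below performs the integrity half of a restore test: it hashes every file under the live folder and under the folder you restored from backup, then reports anything missing, altered or unexpected and appends the verdict to a CSV log. The two folder paths and the log file name are placeholders to substitute for your own. Files that legitimately changed since the backup was taken will show as CHANGED, so run it against a restore of data that has not moved since the backup, or against a snapshot.

```powershell
# Added example: verify a restored folder against its source with SHA-256.
# Not from the original article or the ACSC; the three paths below are placeholders.
param(
    [string]$SourcePath  = 'C:\Data\Finance',          # live data (assumed path)
    [string]$RestorePath = 'D:\RestoreTest\Finance',   # where the backup was restored to (assumed)
    [string]$LogPath     = '.\restore-test-log.csv'    # audit trail of test results (assumed)
)

function Get-FolderHashes {
    # Returns a hashtable of relative path -> SHA-256 hex digest for every file under $Root.
    param([string]$Root)
    $rootFull = (Resolve-Path -Path $Root).ProviderPath.TrimEnd('\')
    $table = @{}
    Get-ChildItem -Path $rootFull -File -Recurse -Force | ForEach-Object {
        # Key on the path relative to the root so source and restore entries line up.
        $relative = $_.FullName.Substring($rootFull.Length + 1)
        $table[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

$source   = Get-FolderHashes -Root $SourcePath
$restored = Get-FolderHashes -Root $RestorePath

# Three failure classes: a file never came back, a file came back with different
# content, or the restore contains files the source does not (wrong restore point).
$missing = @($source.Keys   | Where-Object { -not $restored.ContainsKey($_) })
$changed = @($source.Keys   | Where-Object { $restored.ContainsKey($_) -and $restored[$_] -ne $source[$_] })
$extra   = @($restored.Keys | Where-Object { -not $source.ContainsKey($_) })

Write-Host ("Source files: {0}   Restored files: {1}" -f $source.Count, $restored.Count)
Write-Host ("Missing: {0}   Changed: {1}   Unexpected: {2}" -f $missing.Count, $changed.Count, $extra.Count)
$missing | ForEach-Object { Write-Host "  MISSING  $_" }
$changed | ForEach-Object { Write-Host "  CHANGED  $_" }
$extra   | ForEach-Object { Write-Host "  EXTRA    $_" }

# A restore test only counts if it leaves evidence: append the verdict to a CSV log.
$passed = ($missing.Count -eq 0 -and $changed.Count -eq 0)
[pscustomobject]@{
    TestedAt    = (Get-Date).ToString('s')
    Source      = $SourcePath
    Restore     = $RestorePath
    FilesTested = $source.Count
    Passed      = $passed
} | Export-Csv -Path $LogPath -Append -NoTypeInformation

if ($passed) { Write-Host 'Restore test PASSED' } else { Write-Host 'Restore test FAILED'; exit 1 }
```

Run it after each quarterly restore drill; a non-zero exit code lets a scheduled task or RMM tool flag the failure rather than relying on someone reading the console.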
Each strategy has levels 0–3. Level 0 = not implemented. Level 1 = baseline for most organisations, preventing commodity attacks. Level 2 = protection against more targeted attacks. Level 3 = full implementation against sophisticated intrusion. The ACSC recommends reaching the same level across all eight strategies before moving up, because a gap in one strategy undermines the others. For most SMEs, Level 1 across all eight provides substantial protection and is achievable without massive investment.
If implementing all eight simultaneously isn't feasible, prioritise: MFA on everything (prevents most credential attacks), regular tested backups (ensures ransomware recovery without paying), and patching OS and applications (closes the most exploited vulnerabilities). Start with these three, then systematically implement the remaining five.
A good provider will: assess your current maturity, develop an implementation roadmap ordered by risk, deploy and configure the tools, monitor compliance on an ongoing basis, and report maturity levels regularly. If your IT provider can't articulate how they address each of the eight strategies, they're managing hardware, not cybersecurity.
Several misconceptions prevent SMEs from implementing the Essential Eight effectively:
"It's only for large organisations." The ACSC explicitly recommends the Essential Eight for all Australian organisations, regardless of size. Small businesses are increasingly targeted by cybercriminals precisely because they're perceived as having weaker security. The Essential Eight is designed to be scalable — Level 1 implementation is achievable for any business with basic IT infrastructure.
"We need expensive enterprise software." Most Essential Eight controls can be implemented using built-in operating system features (Windows AppLocker for application control, Windows Update for patching, Group Policy or registry policy for macro and browser hardening) and low-cost cloud services (Microsoft 365 MFA, cloud backup). The primary investment is expertise to configure and monitor these tools, not software licensing.
"Antivirus is enough." Antivirus (endpoint protection) is not one of the eight strategies at all; it supports them (for example, by scanning the macros you do allow), but it doesn't address patching, admin privileges, MFA, backup testing, application control or the other controls that together create a comprehensive defence. Businesses that rely solely on antivirus leave almost all of the Essential Eight unaddressed.
"We're too small to be a target." Automated attacks don't discriminate by business size. Ransomware campaigns target thousands of businesses simultaneously through phishing emails and unpatched vulnerabilities. Your business doesn't need to be specifically targeted to be compromised — it just needs to have a vulnerability that an automated scan discovers.
For businesses starting from scratch, here's a practical 90-day implementation roadmap:
Month 1: MFA and Backups. Enable MFA on all internet-facing services (email, accounting, banking, cloud storage). Implement daily automated backups with at least one copy stored offline or in an immutable cloud location. Test a restoration to verify it works.
Month 2: Patching. Enable automatic updates for operating systems on all devices. Audit installed applications and remove any that are no longer needed or no longer supported by their vendor. Enable automatic updates for the remaining applications. Set a calendar reminder to check patch status weekly.
Month 3: Admin Privileges and Application Hardening. Audit who has administrator access: remove admin rights from daily-use accounts and create separate admin accounts for IT management tasks. Harden browsers (disable Java and web advertisements from the internet, remove Internet Explorer 11 and any leftover legacy plugins such as Flash, and lock the security settings so users can't change them) and set Microsoft Office by policy to block macros in internet-sourced documents, disabling macros outright for users who don't need them.
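The Month 3 tasks on a standalone Windows workstation, as an added example rather than anything from the article or the ACSC: the PowerShell script below lists who holds local administrator rights and warns if it is itself running as an administrator, writes the Office policy value that blocks macros in files marked as coming from the internet and reports the macro notification level, shows the most recent OS hotfix date as a Month 2 sanity check, and reads the effective AppLocker policy as a preview of the application control work left for months 4 to 6. Assumptions: the Office 16.0 policy path (Office 2016 onwards, including Microsoft 365 Apps), only the Word, Excel and PowerPoint keys, and writing the policy under HKCU, which affects the current user only. On a domain, deliver the same setting through the "Block macros from running in Office files from the Internet" Group Policy instead.

```powershell
# Added example for the Month 3 tasks; not from the original article or the ACSC.
# Assumptions: Office policy path version 16.0, Word/Excel/PowerPoint only, current user (HKCU).
# Runs from a normal PowerShell prompt; no elevation is needed to read group membership.

# --- Month 2 sanity check: when did this machine last take an OS update? ---
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    Write-Host ("Most recent OS hotfix: {0} installed {1:yyyy-MM-dd}" -f $lastFix.HotFixID, $lastFix.InstalledOn)
    if ($lastFix.InstalledOn -lt (Get-Date).AddDays(-14)) {
        Write-Warning 'No OS update in the last 14 days; check Windows Update.'
    }
}

# --- Restrict admin privileges: who can administer this machine, and am I one of them? ---
Write-Host '== Local Administrators =='
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize | Out-Host

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([System.Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [System.Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Write-Warning "$($identity.Name) is logged on with administrator rights; daily-use accounts should not be."
}

# --- Office macros: enforce the internet-sourced block by policy and report the notification level ---
foreach ($app in 'word', 'excel', 'powerpoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # blockcontentexecutionfrominternet = 1 is the registry form of the Group Policy
    # "Block macros from running in Office files from the Internet" (files carrying a Mark of the Web).
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    $cfg   = Get-ItemProperty -Path $key
    $block = if ($cfg.blockcontentexecutionfrominternet -eq 1) { 'blocked' } else { 'NOT blocked' }
    # VBAWarnings: 4 = disable all macros without notification, 3 = disable all except digitally
    # signed, 2 = disable all with notification, 1 = enable all. Absent means the user controls it.
    $vba = if ($null -ne $cfg.VBAWarnings) { $cfg.VBAWarnings } else { 'not set by policy' }
    Write-Host ("{0,-10} internet macros: {1,-12} VBAWarnings: {2}" -f $app, $block, $vba)
}

# --- Application control preview (strategy 1): is AppLocker configured at all? ---
Write-Host '== AppLocker =='
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
Write-Host ("Application Identity service: {0}" -f $(if ($svc) { $svc.Status } else { 'not present' }))
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if ($policy -and @($policy.RuleCollections).Count -gt 0) {
    $policy.RuleCollections |
        Select-Object RuleCollectionType, EnforcementMode, @{ n = 'Rules'; e = { $_.Count } } |
        Format-Table -AutoSize | Out-Host
} else {
    Write-Host 'No AppLocker rules in effect; application control (strategy 1) is still open.'
}
```

For users with no business need for macros at all, setting VBAWarnings to 4 under the same policy key disables them without notification; the script deliberately only reports that value, because which users fall into that group is a business decision, not a technical one.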
After 90 days, you'll have addressed seven of the eight strategies. Application control (strategy 1) typically requires professional implementation and can be addressed in months 4–6, either internally or through a managed IT provider.
Take the free Cyber Security Health Check — 3 minutes to score your posture against the Essential Eight with prioritised recommendations. Book a technology review with Valont.