
The Essential Eight, Explained for Business Owners

March 2026 · By Brodie Raffaele, Founder & Technology Advisor · 5 min read

Most Australian business owners have heard of the Essential Eight by now. But hearing about it and actually knowing where your business stands are two very different things. If you're running a business with 10 to 50 people in Perth or Western Australia, there's a good chance your cybersecurity practices are somewhere between "not quite right" and "better than nothing" - and that gap matters more than ever.

The Essential Eight is a framework published by the Australian Cyber Security Centre (ACSC) - the federal agency responsible for advising Australian businesses on cyber risk. It sets out eight baseline controls designed to protect organisations against the most common attacks. It's not just for government departments. It's the benchmark that clients, procurement teams, and insurers are increasingly using to decide whether your business is a safe partner to work with.

What the Essential Eight Actually Covers

The eight controls each target a specific way attackers get into your systems. In plain English:

  1. Application control - only let approved software run on company devices.
  2. Patch applications - keep apps like browsers, PDF readers and Office up to date.
  3. Configure Microsoft Office macro settings - block dodgy macros hidden in Word and Excel files.
  4. User application hardening - turn off risky features in browsers and Office (like Flash, ads and old plugins).
  5. Restrict administrative privileges - staff shouldn't be admins on their own laptops.
  6. Patch operating systems - keep Windows, macOS and servers up to date.
  7. Multi-factor authentication (MFA) - a second step (usually an app on your phone) to prove it's really you logging in.
  8. Regular backups - daily, off-site, and actually tested.

Think of them as layers. No single layer is foolproof. But together, they make it significantly harder for attackers to succeed - and much easier to recover if something does go wrong.

The framework uses a maturity model that works a bit like a school report card. Level Zero means the control isn't in place. Level One is the basics - it's there and working. Level Two is more rigorous, with logging and tighter rules. Level Three is fully implemented and regularly tested against real attack scenarios. For most SMBs, getting to Level One across all eight controls is a realistic and valuable starting point.

A Practical Readiness Self-Check

Before engaging a consultant or running a formal audit, it's worth doing a quick honest assessment of where your business currently sits. Work through these questions:

  • MFA: Do all staff use multi-factor authentication to access email, file storage, and any cloud applications? If the answer is "most of them" or "the technical staff do," you're not at Level One.
  • Patching: Are operating system and application updates applied within two weeks of release? If staff are dismissing update prompts or you're running software that's no longer supported, you have a patching gap.
  • Backups: Are backups running daily, stored in multiple locations including offsite or cloud, and tested regularly? A backup that hasn't been tested is a backup you can't trust.
  • Admin privileges: Do your staff use standard (non-admin) accounts for their day-to-day work? Giving everyone admin rights because it's convenient is one of the most common security mistakes in small businesses.
  • Macros: Are Microsoft Office macros blocked by default, with only approved macros permitted to run? Malicious macros embedded in documents are a common malware delivery method.

If you answered "no" or "I'm not sure" to any of these, your business has meaningful gaps in its Essential Eight posture - and those gaps represent real risk.
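For the questions that can be answered from a single Windows PC (admin rights, Office macro policy, OS patching), the following PowerShell script is an added example, not part of the article: it assumes Office 2016 or later (macro policy keys under the `16.0` registry hive) and uses the most recently installed Windows update as a rough proxy for patch timeliness. MFA and backup status still have to be confirmed in your Microsoft 365 and backup consoles.

```powershell
# Added Essential Eight self-check (not from the article). Reports three of the
# five readiness questions for the current Windows workstation.
$results = @()

# 1. Admin privileges: is the signed-in user a member of local Administrators?
$me = "$env:USERDOMAIN\$env:USERNAME"
$admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
if ($admins) {
    $adminPass = $admins -notcontains $me
    $adminDetail = "Local Administrators: $($admins -join ', ')"
} else {
    $adminPass = $false
    $adminDetail = 'Could not read local Administrators group'
}
$results += [pscustomobject]@{ Check = 'Standard (non-admin) account'; Pass = $adminPass; Detail = $adminDetail }

# 2. Office macros: policy values set by the "Block macros" Group Policy settings.
#    VBAWarnings 3 = signed macros only, 4 = block all;
#    blockcontentexecutionfrominternet 1 = block macros in files from the internet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $blocked  = $p.VBAWarnings -in 3, 4
    $webBlock = $p.blockcontentexecutionfrominternet -eq 1
    if ($p) { $macroDetail = "VBAWarnings=$($p.VBAWarnings) InternetBlock=$($p.blockcontentexecutionfrominternet)" }
    else    { $macroDetail = 'No macro policy found (user can enable macros)' }
    $results += [pscustomobject]@{ Check = "$app macros blocked by policy"; Pass = ($blocked -and $webBlock); Detail = $macroDetail }
}

# 3. OS patching (proxy): was a Windows update installed within the last 14 days?
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    $patchPass = $age.TotalDays -le 14
    $patchDetail = "$($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
} else {
    $patchPass = $false
    $patchDetail = 'No update history found'
}
$results += [pscustomobject]@{ Check = 'OS update installed in last 14 days'; Pass = $patchPass; Detail = $patchDetail }

$results | Format-Table -AutoSize
```

Run it as the everyday user (not an elevated prompt) so the admin check reflects the account staff actually work with; a "False" in any row maps directly to a "no" on the corresponding self-check question.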

Why This Matters Right Now

The threat landscape in Australia has changed significantly over the past few years. The ACSC's Annual Cyber Threat Report consistently shows that SMBs are among the most targeted organisations, precisely because attackers know that smaller businesses often have weaker controls than large enterprises.

Beyond the threat itself, there are commercial consequences to consider. If your business works with local government, large construction or engineering firms, healthcare organisations, or any entity that handles sensitive data, you may already be facing contractual or procurement requirements around cybersecurity. The Essential Eight is increasingly the standard these organisations reference.

Cybersecurity is no longer just an IT concern - it's a business continuity and commercial risk that sits squarely on the owner's desk.

Where to Start if You're Behind

The good news is that you don't need to fix everything at once. Start with the three controls that deliver the most impact for the least effort:

  • Enable MFA everywhere. If you're using Microsoft 365, you can do this today at no extra cost. It blocks the overwhelming majority of account takeover attacks.
  • Fix your backups. Ensure backups run daily, are stored in at least two locations (one of which is offsite or cloud), and are tested quarterly. Document your recovery process so you know it works before you need it.
  • Get your patching under control. Automate operating system updates where possible. Create a schedule for reviewing and applying application updates. A managed IT provider can handle this as part of ongoing services.

Once those three are solid, work through the remaining five strategies. Each one builds on the last, and the compounding effect of having multiple controls in place is genuinely significant.

Getting a Formal Assessment

If you want a clear, objective picture of where your business sits against the Essential Eight, our Essential Eight assessment is the right starting point. This gives you a current-state baseline, a gap analysis, and a prioritised roadmap - without the jargon or the pressure to buy something immediately.

The goal isn't perfection. It's getting to a posture where your business is materially harder to attack than the average target, where a successful attack causes less damage, and where you can recover faster if the worst happens. That's what the Essential Eight is designed to deliver - and it's achievable for businesses of any size.

Want help applying this to your business?

We can assess your current Essential Eight posture and give you a plain-English roadmap to improve it.
