Most Australian business owners have heard of the Essential Eight by now. But hearing about it and actually knowing where your business stands are two very different things. If you're running a business with 10 to 50 people in Perth or Melbourne, there's a good chance your cybersecurity practices are somewhere between "not quite right" and "better than nothing" — and that gap matters more than ever.

The ACSC's Essential Eight is a framework of eight baseline mitigation strategies designed to protect your organisation from the most common cyber threats. It's not just for government departments. It's the benchmark that clients, procurement teams, and insurers are increasingly using to assess whether your business is a safe partner to work with.

What the Essential Eight Actually Covers

The eight strategies are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication (MFA), and regular backups. Each one targets a specific method attackers use to get into your systems.

Think of them as layers. No single layer is foolproof. But together, they make it significantly harder for attackers to succeed — and they make it much easier to recover if something does go wrong. The framework uses a maturity model from Level Zero (no controls in place) through to Level Three (fully implemented and regularly tested). For most SMBs, achieving Level One across all eight is a realistic and valuable starting point.

A Practical Readiness Self-Check

Before engaging a consultant or running a formal audit, it's worth doing a quick honest assessment of where your business currently sits. Work through these questions:

  • MFA: Do all staff use multi-factor authentication to access email, file storage, and any cloud applications? If the answer is "most of them" or "the technical staff do," you're not at Level One.
  • Patching: Are operating system and application updates applied within two weeks of release? If staff are dismissing update prompts or you're running software that's no longer supported, you have a patching gap.
  • Backups: Are backups running daily, stored in multiple locations including offsite or cloud, and tested regularly? A backup that hasn't been tested is a backup you can't trust.
  • Admin privileges: Do your staff use standard (non-admin) accounts for their day-to-day work? Giving everyone admin rights because it's convenient is one of the most common security mistakes in small businesses.
  • Macros: Are Microsoft Office macros blocked by default, with only approved macros permitted to run? Malicious macros embedded in documents are a common malware delivery method.

If you answered "no" or "I'm not sure" to any of these, your business has meaningful gaps in its Essential Eight posture — and those gaps represent real risk.
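Three of the five self-check questions above (patching, admin privileges, macros) can be read directly off a Windows workstation rather than answered from memory. The script below is an added example, not part of the original article or any ACSC tooling; it assumes a Windows 10/11 PC with Windows PowerShell 5.1 or later, an Office 2016-or-later install (the `16.0` registry branch), and that the Word macro policy is representative of the other Office applications. Run it on a handful of ordinary staff machines and compare the output with how you answered the checklist.

```powershell
# Added example: a quick, read-only look at three Essential Eight self-check
# items on one Windows workstation. No changes are made to the machine.

# 1. Patching: days since the most recent hotfix was installed.
#    Get-HotFix reports Windows updates only, not third-party application
#    patches, so treat this as a lower bound on your patching gap.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSincePatch = if ($lastPatch) {
    (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
} else { $null }

# 2. Admin privileges: is the logged-on user a direct member of the local
#    Administrators group? Uses the well-known SID so it works on non-English
#    Windows. Membership via nested domain groups is not resolved here.
$identity     = [Security.Principal.WindowsIdentity]::GetCurrent()
$adminMembers = (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue).Name
$isLocalAdmin = $adminMembers -contains $identity.Name

# 3. Macros: effective Word macro setting. The Policies path wins when present
#    (set by Group Policy / Intune); the second path is the user's own choice.
#    VBAWarnings: 1 = enable all, 2 = disable with notification,
#    3 = disable except digitally signed, 4 = disable all without notification.
$macroPaths = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security',
    'HKCU:\Software\Microsoft\Office\16.0\Word\Security'
)
$vbaWarnings = $null
$macroSource = 'not set (Office default applies)'
foreach ($path in $macroPaths) {
    $value = (Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -ne $value) { $vbaWarnings = $value; $macroSource = $path; break }
}
# Level One expects macros blocked unless explicitly approved: 3 or 4 pass,
# 1 or 2 (or no policy at all) count as a gap because the user can just click "Enable".
$macrosBlocked = $vbaWarnings -in 3, 4

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    User                = $identity.Name
    LastWindowsPatch    = if ($lastPatch) { $lastPatch.InstalledOn.ToShortDateString() } else { 'unknown' }
    DaysSinceLastPatch  = $daysSincePatch
    PatchedWithin14Days = ($null -ne $daysSincePatch -and $daysSincePatch -le 14)
    UserIsLocalAdmin    = $isLocalAdmin
    MacroVBAWarnings    = $vbaWarnings
    MacroSettingSource  = $macroSource
    MacrosBlockedByPolicy = $macrosBlocked
} | Format-List
```

A "no" on `PatchedWithin14Days`, a "yes" on `UserIsLocalAdmin`, or `MacrosBlockedByPolicy` showing false on a machine used for everyday work maps straight back to a gap in the checklist. The MFA and backup questions cannot be answered from a single endpoint; those need to be checked in your identity provider (for example the Microsoft 365 admin centre) and by actually restoring a file from backup.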

Why This Matters Right Now

The threat landscape in Australia has changed significantly over the past few years. The ACSC's Annual Cyber Threat Report consistently shows that SMBs are among the most targeted organisations, precisely because attackers know that smaller businesses often have weaker controls than large enterprises.

Beyond the threat itself, there are commercial consequences to consider. If your business works with local government, large construction or engineering firms, healthcare organisations, or any entity that handles sensitive data, you may already be facing contractual or procurement requirements around cybersecurity. The Essential Eight is increasingly the standard these organisations reference.

Cybersecurity is no longer just an IT concern — it's a business continuity and commercial risk that sits squarely on the owner's desk.

Where to Start if You're Behind

The good news is that you don't need to fix everything at once. Start with the three controls that deliver the most impact for the least effort:

  • Enable MFA everywhere. If you're using Microsoft 365, you can do this today at no extra cost. It blocks the overwhelming majority of account takeover attacks.
  • Fix your backups. Ensure backups run daily, are stored in at least two locations (one of which is offsite or cloud), and are tested quarterly. Document your recovery process so you know it works before you need it.
  • Get your patching under control. Automate operating system updates where possible. Create a schedule for reviewing and applying application updates. A managed IT provider can handle this as part of ongoing services.

Once those three are solid, work through the remaining five strategies. Each one builds on the last, and the compounding effect of having multiple controls in place is genuinely significant.

Getting a Formal Assessment

If you want a clear, objective picture of where your business sits against the Essential Eight, a cybersecurity maturity assessment is the right starting point. This gives you a current-state baseline, a gap analysis, and a prioritised roadmap — without the jargon or the pressure to buy something immediately.

The goal isn't perfection. It's getting to a posture where your business is materially harder to attack than the average target, where a successful attack causes less damage, and where you can recover faster if the worst happens. That's what the Essential Eight is designed to deliver — and it's achievable for businesses of any size.