Cybersecurity

Essential Eight readiness, made practical.

We help Western Australian SMBs work out where they sit against the ACSC Essential Eight, decide what to fix first, and run the uplift - without enterprise overhead.

What’s in a Lucente E8 engagement

  • Maturity assessment - structured review of each of the eight controls against ML1, ML2, or ML3 as appropriate
  • Gap analysis - clear picture of what’s in place, what’s missing, and what’s partially in place
  • Prioritised uplift roadmap - sequenced by risk reduction and effort, not alphabetically
  • Uplift project delivery - we run the controls we recommended, end to end
  • Evidence pack - documentation suitable for insurance renewals, customer due diligence, and tenders
  • Ongoing alignment - once uplifted, controls are maintained under your managed plan, not left to drift

From "we’ve heard of it" to actually aligned

The ACSC Essential Eight is the most useful starting point for SMB cyber maturity in Australia. It’s pragmatic, well-documented, and the gap between "not quite right" and "aligned to ML1" is usually smaller than people think - once someone actually does the work.

Most businesses we assess are partway there already. Patching is happening and MFA is on most accounts, but application control is missing, admin privileges are loose, and macros are running freely. We make it clear what’s real, what’s a gap, and what to fix in what order.

E8 Readiness sits inside our cybersecurity service. If you want a fast self-serve check first, run the Essential Eight Assessment. It gives you a starting point before we talk.

Maturity levels

Where you are, and where you need to be

  • ML0 - Gaps an attacker can use
  • ML1 - Baseline against common attacks (most SMBs start here)
  • ML2 - Resists targeted attackers (common target)
  • ML3 - Hardened against adaptive threats

We help most WA SMBs move from ML0 or ML1 to a solid ML1 to ML2. ML3 is for high-risk or regulated environments.

The eight controls

What the Essential Eight actually covers

Eight controls, grouped into three outcomes: prevent attacks, limit their impact, and recover when something goes wrong.

Prevent

  • Application control - Only approved applications can execute on your devices.
  • Patch applications - Critical app vulnerabilities patched within defined timeframes.
  • Configure Microsoft Office macros - Macros blocked by default; only allowed where business-justified.
  • User application hardening - Web browsers and Office hardened to reduce attack surface.

Limit

  • Restrict admin privileges - Privileged access reviewed, scoped, and time-limited where possible.
  • Patch operating systems - OS vulnerabilities patched within defined timeframes.
  • Multi-factor authentication - MFA on email, remote access, privileged accounts, and important data systems.

Recover

  • Regular backups - Backups taken, retained, protected from tampering, and actually tested.

Common questions

Do we need to reach ML3 to be "secure"?

No. ML1 is the right target for most SMBs - it blocks the bulk of common, untargeted attacks. ML2 and ML3 are appropriate where you have higher-risk data, regulatory requirements, or you’re in a supply chain that demands it.

How long does a typical uplift take?

Assessment is usually one to two weeks. Uplift project length depends on starting maturity and environment size - small businesses often reach ML1 within 4 to 8 weeks once the work is sequenced properly.

Is E8 the same as ISO 27001 or NIST?

No. E8 is narrower and more tactical - eight specific controls. ISO 27001 and NIST CSF are broader management frameworks. E8 is a great starting point for SMBs; the broader frameworks make sense once you have an in-house security function or regulatory mandate.

Do we need to be a managed customer to engage on E8?

An assessment can be done standalone. The uplift project, however, only delivers lasting value if someone is maintaining the controls afterwards - that’s why we deliver uplifts alongside ongoing managed IT, either by us or by your internal team.

Will this help with cyber insurance renewals?

Yes. Insurers increasingly require evidence of MFA, endpoint protection, patching, backups, and admin controls. The evidence pack from a Lucente E8 engagement is structured to answer those questions directly.

Let’s see where you actually sit.

A short conversation is usually enough to tell whether you’re closer to ML1 than you think - or whether there’s real work to do.

Talk to us about E8