If you’ve spent any time looking into cybersecurity in Australia, you’ve probably heard people throwing around the term “Essential Eight.” It might sound like a spy movie sequel, but it’s actually a set of cyber security strategies created by the Australian Cyber Security Centre (ACSC) to help businesses defend against the most common cyber security threats.
The Essential Eight isn’t a law or a compliance framework — it’s a practical baseline aimed at mitigating the damage caused by any system compromise. Think of it as a “must-do” checklist for anyone who doesn’t want to end up on the wrong side of a ransomware attack or data breach.
What are these strategies, I hear you ask? Here is a breakdown:
- Application Control – Stop unapproved programs from running. If malware can’t execute, it can’t cause trouble.
- Patch Applications – Keep your software up to date. Attackers love old vulnerabilities.
- Configure Microsoft Office Macro Settings – Macros are handy, but also a common attack vector. Lock them down.
- User Application Hardening – Disable unnecessary features in browsers and PDF readers that attackers often exploit.
- Restrict Administrative Privileges – Give admin rights only to people who truly need them (and even then, sparingly).
- Patch Operating Systems – Same deal as applications. Outdated systems are hacker goldmines.
- Multi-Factor Authentication (MFA) – Even if a password gets stolen, MFA can stop the attacker in their tracks.
- Regular Backups – Because sometimes, despite your best efforts, things still go wrong. Good backups mean you recover fast.
Each of these strategies targets a different attack pathway — together, they dramatically reduce your organization’s risk.
The ACSC breaks implementation into maturity levels (0–3):
- Maturity Level 1: You’ve got the basics in place — good for stopping lazy attackers.
- Maturity Level 2: You’ve locked things down further — capable of stopping most targeted attacks.
- Maturity Level 3: You’re basically Fort Knox — strong detection, response, and prevention across the board.
Most SMBs should aim for Maturity Level 2, but even getting to Level 1 should be considered a huge win. The trick is balancing security vs sanity — automating where possible, scripting what you can, and making sure your team actually understands what’s being implemented.
You can check out what the Australian Cyber Security Centre has on the Essential 8 here.
Over the next few posts, we’ll break down each of the Eight and show how to enforce them using Microsoft 365, Intune, and open-source tools like Wazuh and osquery — because, let’s face it, not everyone has the budget for E5 or Sentinel.
Got questions or want to see a topic covered? Reach out — we love helping you tighten your security baseline.
Until next time, keep your bits tight and your baselines clean.