What Is the Essential Eight?

The Essential Eight is a set of eight cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). It was originally designed for Australian government agencies but has become the de facto baseline for private-sector businesses — particularly those in finance, healthcare, legal, and real estate.

Unlike broad frameworks such as ISO 27001, the Essential Eight is deliberately practical. Each control targets the most common attack vectors used by cybercriminals against Australian organisations. Implementing them won't make you invincible, but it will neutralise the vast majority of opportunistic attacks.

ACSC Cyber Threat Report 2023–24
Over 94,000 cybercrime incidents were reported in Australia in 2023–24 — one every six minutes. Small and medium businesses accounted for a significant share of reported incidents, with the average cost of a cybercrime event for SMBs exceeding $49,000.

The Maturity Levels Explained

Each of the eight controls is assessed against four maturity levels: 0 through 3. Here's what they mean in practice for a Melbourne SMB:

ML0: Not implemented
Controls are absent or have significant gaps. This is where most businesses start and where attackers have the easiest time.

ML1: Basic controls in place
Protects against opportunistic, low-sophistication attacks. Appropriate for businesses with a low risk profile and no sensitive client data obligations.

ML2: Most risks mitigated
Protects against more targeted attacks. This is the level most accounting firms, law practices, medical centres, and real estate agencies should be targeting. Required for government contractors.

ML3: Advanced, automated controls
Appropriate for organisations handling highly sensitive data or facing sophisticated, targeted threats. Mandatory for Commonwealth entities.

For most Melbourne SMBs, Maturity Level 2 is the right target. It's what cyber insurers are increasingly requiring, what government supply chain contracts demand, and what professional bodies like CPA Australia and the Law Institute of Victoria are beginning to expect.

The Essential Eight Compliance Checklist

Here are the eight controls, what they require at ML2, and what they look like in practice for a typical Melbourne professional services firm.

1. Application Control

Prevent unapproved software from running on your systems. At ML2, this means only applications on an approved list can execute — blocking ransomware, malware, and unauthorised tools from running even if they get onto a device.

Tools: Windows Defender Application Control, AppLocker, Intune
Implementation effort: High. Requires careful testing to avoid blocking legitimate software.

2. Patch Applications

Keep all applications updated, with critical patches applied within 48 hours of release and all patches applied within two weeks. This closes the door on known vulnerabilities before attackers can exploit them.

Tools: Automated patch management, RMM tools, Microsoft Intune
Implementation effort: Medium. Easily handled by a managed IT provider.

3. Configure Microsoft Office Macro Settings

Disable or tightly restrict Office macros. Malicious macros embedded in Word and Excel documents are a leading delivery mechanism for malware in Australian businesses. At ML2, macros must be disabled for users who don't need them, with digitally signed macros only for those who do.

Tools: Microsoft 365 Admin Centre, Group Policy, Intune
Implementation effort: Low. Configurable in minutes via M365 admin.
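
One way to verify that the macro policy above has actually landed on a Windows endpoint, as an added example that is not part of this article or of the ASD guidance: the script reads the Office Group Policy registry values for the signed-in user and compares them with the ML2 expectation. It assumes Office 2016/2019/365 (registry path version 16.0), that policy is delivered to HKCU via Group Policy or Intune, and that whether the current user belongs to the approved macro group is decided by the caller through the hypothetical -UserNeedsMacros switch; the VBAWarnings values (3 = signed macros only, 4 = block all) are Microsoft's documented settings.

```powershell
# Added example (not from the article or ASD): audit the per-user Office macro
# policy against the ML2 expectation described above.
# Assumptions: Office 16.0 registry path; policies delivered to HKCU by
# Group Policy or Intune; the caller decides whether this user is approved
# to run macros (hypothetical -UserNeedsMacros switch).
param(
    [switch]$UserNeedsMacros
)

$apps = 'Word', 'Excel', 'PowerPoint', 'Access'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings: 4 = block all macros without notification (users who don't need them)
#              3 = block all except digitally signed macros (users who do)
$expected = if ($UserNeedsMacros) { 3 } else { 4 }

$results = foreach ($app in $apps) {
    $key = Join-Path $base "$app\Security"
    $vba   = (Get-ItemProperty -Path $key -Name VBAWarnings `
                -ErrorAction SilentlyContinue).VBAWarnings
    $block = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    # A missing value means no policy applies and the user can change the setting.
    $vbaText = if ($null -eq $vba) { 'not set (user-configurable)' } else { $vba }

    [pscustomobject]@{
        Application    = $app
        VBAWarnings    = $vbaText
        BlocksInternet = ($block -eq 1)   # macros in files marked from the internet are blocked
        Compliant      = ($vba -eq $expected) -and ($block -eq 1)
    }
}

$results | Format-Table -AutoSize

if ($results.Compliant -contains $false) {
    Write-Warning 'Macro policy does not meet the ML2 expectation for this user on one or more Office apps.'
    exit 1
}
```

Run it in the user's own session (not an elevated admin console), since Office policy keys live under HKCU and an admin account's hive will not reflect the standard user's settings.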

4. User Application Hardening

Configure web browsers and other internet-facing applications to block malicious content. This includes disabling Flash, Java, and web advertisements in browsers, and blocking access to dangerous file types. This significantly reduces the attack surface for phishing and drive-by attacks.

Tools: Browser Group Policy, Microsoft Edge settings, DNS filtering
Implementation effort: Low. Policy-based, can be deployed via Intune.

5. Restrict Administrative Privileges

Limit admin accounts to only those who need them, and ensure admin accounts are used only for admin tasks — never for email or web browsing. At ML2, privileged access workstations and just-in-time access are best practice. This is critical: compromised admin credentials give attackers the keys to your entire environment.

Tools: Entra ID (Azure AD), Privileged Identity Management, Local Admin Password Solution
Implementation effort: High. Requires careful planning; can disrupt workflows if done poorly.

6. Patch Operating Systems

Similar to patching applications, but focused on the OS itself. Critical OS patches must be applied within 48 hours, and all patches within two weeks. Outdated operating systems are a leading cause of successful ransomware attacks. End-of-life operating systems (like Windows 10 after October 2025) must be replaced.

Tools: Windows Update for Business, WSUS, Intune
Implementation effort: Medium. Ongoing process, manageable with automation.

7. Multi-Factor Authentication (MFA)

Require a second form of verification for all users — especially for email, remote access, and admin accounts. At ML2, MFA is required for all internet-facing services and all privileged accounts. This single control stops the majority of account takeover attacks and is non-negotiable for any business using Microsoft 365 or cloud services.

Tools: Microsoft Authenticator, Entra ID Conditional Access, Hardware keys (FIDO2)
Implementation effort: Low. Fastest ROI of all eight controls — deploy this first.

8. Regular Backups

Maintain regular, tested backups of important data, software, and configuration settings. At ML2, backups must be performed daily, stored offline or in a separate environment, and tested for restoration at least every three months. Without this, a ransomware attack can permanently destroy years of business data.

Tools: Azure Backup, Veeam, Immutable cloud backups
Implementation effort: Medium. Ongoing cost, but essential — tested backups are the last line of defence.

Where to Start: A Practical Roadmap for Melbourne SMBs

Most Melbourne businesses we work with start their Essential Eight journey at Maturity Level 0 or 1. Here's the order we recommend tackling the controls based on effort-to-impact ratio:

1. Quick wins first — Deploy MFA across all Microsoft 365 accounts, configure Office macro settings, and enable browser hardening. These take hours, cost little, and dramatically reduce your attack surface.
2. Get patching automated — Implement automated patch management for both applications and the OS. A good RMM tool or managed IT provider handles this continuously.
3. Audit and restrict admin accounts — Review who has admin rights, remove unnecessary privileges, and implement separate admin accounts for IT staff. This is high effort but high impact.
4. Verify and upgrade your backups — Test restoration of your backups. Many businesses discover their backups haven't been working correctly when they try to restore from them.
5. Tackle application control last — This is the most disruptive control to implement. Do it after you've got the others in place and have a clear inventory of your software environment.

How Long Does It Take?

For a Melbourne professional services firm of 10–30 users starting from scratch, reaching Maturity Level 2 typically takes 3–6 months with a dedicated IT partner. The timeline depends heavily on your existing infrastructure, the age of your hardware, and how well-documented your current environment is.

Maturity Level 1 can often be achieved within 4–8 weeks for most businesses.

What Does It Cost?

The cost of Essential Eight implementation varies significantly based on your starting point, team size, and existing technology. For a 20-person Melbourne professional services firm:

Component                            Indicative Cost
Initial gap assessment               $1,500 – $3,500
MFA & conditional access setup       $500 – $1,500
Patch management (ongoing)           Included in managed IT
Application control implementation   $2,000 – $5,000
Admin privilege restructure          $1,000 – $3,000
Total (one-off implementation)       $5,000 – $15,000

These are indicative ranges — actual costs depend on your environment. Ongoing managed IT and cybersecurity services (which maintain your compliance posture continuously) typically run from $99–$149 per user per month for a Business-tier plan that includes Essential Eight alignment.

Compare this to the cost of a breach
The average cost of a cyber incident for an Australian SMB is over $49,000 — not including reputational damage, lost clients, or regulatory penalties under the Privacy Act. Essential Eight implementation typically pays for itself the first time it prevents a serious incident.

Who Needs to Comply?

Strictly speaking, the Essential Eight is only mandatory for Commonwealth government entities. However, for Melbourne private-sector businesses, compliance is increasingly expected in these situations:

  • Government contractors and suppliers — Many government agencies now require Essential Eight ML2 as a contract condition.
  • Cyber insurance applicants — Insurers are increasingly asking about Essential Eight controls during underwriting, and premiums reflect your maturity level.
  • Professional services firms — Accounting, legal, and medical practices have regulatory obligations around data security that align with Essential Eight controls.
  • Businesses handling sensitive personal information — Under the Privacy Act, organisations must take reasonable steps to protect personal data. Essential Eight provides a clear framework for demonstrating those steps.

Getting a Free Essential Eight Assessment

The fastest way to understand your current maturity level is a gap assessment — a structured review of your IT environment against each of the eight controls. At Melbits, we offer a free initial consultation that includes a high-level assessment of your current posture and a prioritised list of quick wins.

Our team has been implementing Essential Eight controls for Melbourne businesses since the framework was introduced, across industries including accounting, legal, medical, real estate, and pharmacy. We know what works, what doesn't, and how to implement controls in a way that doesn't disrupt your team's day-to-day work.