Australia's Cybersecurity Standard — Implemented Right
The Essential Eight is the ACSC's baseline framework for protecting Australian businesses from cyber attack. It's not just a compliance checklist — it's the most effective set of controls you can implement. Melbits assesses your maturity and builds a clear roadmap to get you there.
What Is the Essential Eight?
The Essential Eight is a set of eight prioritised mitigation strategies developed by the Australian Cyber Security Centre (ACSC). When implemented together, they make it significantly harder for adversaries to compromise systems.
Unlike broad compliance frameworks, the Essential Eight is specifically designed around the most common attack vectors targeting Australian organisations — ransomware, phishing, credential theft, and malware execution. It's practical, measurable, and increasingly expected by cyber insurers, regulators, and enterprise clients.
For Melbourne SMBs, achieving even Maturity Level 1 closes the vast majority of vulnerabilities that attackers actively exploit. ML2 and ML3 take you to a level that satisfies most regulatory and contractual requirements.
Understanding the Three Maturity Levels
The Essential Eight Maturity Model defines three levels of implementation. Each level builds on the last — start where you are, and we'll build a roadmap to where you need to be.
Maturity Level 1
Aligned to adversaries using commodity and off-the-shelf tools — phishing kits, common malware, and credential stuffing attacks.
- Basic application control in place
- Critical patches applied within one month
- MFA on internet-facing services
- Daily backups of important data
- Standard user accounts for daily tasks
Maturity Level 2
Aligned to more capable adversaries using targeted spear-phishing, exploiting unpatched vulnerabilities, and credential-based attacks.
- Application control enforced consistently
- Patches applied within two weeks of release
- MFA across all remote access and admin accounts
- Admin privileges reviewed regularly
- Macros blocked from internet-sourced files
- Backups tested and verified regularly
Maturity Level 3
Aligned to sophisticated, persistent adversaries — targeted attacks, living-off-the-land techniques, and attempts to subvert security controls.
- Full application control with logging
- OS patches within 48 hours for critical vulns
- Phishing-resistant MFA (hardware keys)
- Just-in-time admin access enforced
- Immutable, air-gapped backup copies
- All controls monitored and audited
Each Control Explained
The eight strategies are grouped into three objectives: preventing malware delivery, limiting malware execution, and recovering from incidents.
Application Control
Prevents unauthorised software — including malware — from executing on workstations and servers. Only approved, whitelisted applications can run. This is the single most effective control for stopping ransomware and malicious code.
Patch Applications
Unpatched software is one of the most commonly exploited attack vectors. This control requires that internet-facing applications be patched within 48 hours of a critical patch being released, and that all other applications be patched within defined timeframes.
Configure Microsoft Office Macros
Malicious macros in Word and Excel documents are a primary delivery mechanism for malware. This control blocks macros in documents downloaded from the internet, and only allows digitally signed macros from trusted sources.
User Application Hardening
Hardens web browsers and other user-facing applications by disabling dangerous features — Flash (deprecated), Java browser plugins, and ads that can serve malicious content. Reduces the attack surface significantly.
Restrict Administrative Privileges
Compromised admin accounts cause catastrophic damage. This control limits who has administrative access, enforces the use of separate admin accounts for admin tasks, and requires regular reviews to remove unnecessary privileges.
Patch Operating Systems
Unpatched operating systems — particularly internet-facing systems — are a critical vulnerability. This control requires OS patches to be applied within defined timeframes, with the fastest response for critical vulnerabilities.
Multi-Factor Authentication
MFA prevents credential-based attacks even when passwords are compromised. At ML1, it's required for internet-facing services. At ML3, phishing-resistant MFA (such as hardware security keys or passkeys) is required for all privileged access.
Regular Backups
When ransomware or a disaster strikes, backups are your last line of defence. This control requires that important data, software, and configuration settings are backed up regularly, stored securely (including offline copies), and — critically — tested to confirm they actually work.
Not Sure Where Your Business Sits?
Most Melbourne businesses overestimate their Essential Eight maturity. Our free gap assessment gives you an honest picture of where you stand across all eight controls — and what it would take to get to ML2 or ML3.
Why Choose Melbits for Essential Eight Implementation?
Essential Eight isn't just a documentation exercise. Effective implementation requires deep technical knowledge of Microsoft 365, Intune, Entra ID, and endpoint management — the exact environment most Melbourne businesses run.
Certified Assessors
Our team has completed Essential Eight Assessor Training and holds current cybersecurity qualifications. We assess against the actual ACSC methodology, not an approximation.
Microsoft 365 Native
Most E8 controls in an SMB environment are implemented through Intune, Entra ID, and Defender. We live in this stack daily — no learning curve, no trial and error.
Plain-English Reporting
Our assessment reports are written for business owners, not just IT teams. Risk-ranked findings, clear remediation steps, and an honest maturity score against each control.
Realistic Timelines
We don't oversell ML3 to every client. We'll tell you what maturity level is appropriate for your risk profile, and give you a costed, realistic roadmap to get there.
Minimal Business Disruption
We sequence control implementation to minimise impact on your team. Application control doesn't have to break your business — if it's deployed carefully.
Ongoing Maintenance
Essential Eight isn't a one-time project. As your environment evolves, controls drift. We include ongoing E8 monitoring in our managed service to keep your maturity current.
Common Questions
Is the Essential Eight mandatory for my business?
It's mandatory for Australian government agencies and their suppliers. For private businesses it's currently voluntary — but many cyber insurers, enterprise clients, and industry bodies now require it or use it to assess risk. It's also the most practical cybersecurity baseline available for Australian organisations.
What maturity level should we aim for?
ML2 is the practical target for most Melbourne SMBs — it closes the vast majority of known attack vectors and satisfies most insurer and contractual requirements. ML3 is appropriate for businesses handling highly sensitive data, operating in regulated sectors, or supplying federal government.
How long does implementation take?
ML1 can typically be achieved in 4–8 weeks for a well-supported environment. ML2 is usually 3–6 months depending on the starting point and business complexity. We assess your current state first so you know exactly what's involved before committing.
Will it disrupt our business?
Application control is the control most likely to cause disruption if deployed incorrectly. We use a staged audit-then-enforce approach, testing thoroughly in report-only mode before enforcement — so your team isn't locked out of legitimate tools.
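One way to do the "look before you enforce" step described above, as an added example and not Melbits' own tooling: summarise AppLocker audit-mode events (Event ID 8003, "allowed but would have been prevented") by file path, so the list can be reviewed and allow rules written before the policy is switched to enforce. The sample events below are constructed so the script runs offline; the commented Get-WinEvent line shows the live query against an endpoint that has been running in AuditOnly mode.

```powershell
# Added example (not Melbits' tooling): summarise AppLocker audit-only events so you
# can see what enforcement WOULD have blocked before switching out of AuditOnly.
# Event ID 8003 in the "EXE and DLL" log means "allowed to run, but would have been
# prevented if the AppLocker policy were enforced".

function Get-AppLockerAuditSummary {
    param(
        # Event objects exposing Id and Message (from Get-WinEvent, or constructed).
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Top = 20
    )
    $Events |
        Where-Object { $_.Id -eq 8003 } |
        ForEach-Object {
            # 8003 message format: "<path> was allowed to run but would have been prevented ..."
            if ($_.Message -match '^(?<path>.+?) was allowed to run but would have been prevented') {
                $Matches.path
            }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object -Property @{ Name = 'Path'; Expression = { $_.Name } }, Count -First $Top
}

# Constructed sample events standing in for the live log, so this runs offline.
$wouldBlock = 'was allowed to run but would have been prevented from running if the AppLocker policy were enforced.'
$sampleEvents = @(
    [pscustomobject]@{ Id = 8002; Message = '%PROGRAMFILES%\MICROSOFT OFFICE\ROOT\OFFICE16\WINWORD.EXE was allowed to run.' },
    [pscustomobject]@{ Id = 8003; Message = "%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATER.EXE $wouldBlock" },
    [pscustomobject]@{ Id = 8003; Message = "%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATER.EXE $wouldBlock" },
    [pscustomobject]@{ Id = 8003; Message = "%OSDRIVE%\USERS\BOB\DOWNLOADS\TOOL.EXE $wouldBlock" }
)

# Paths listed here are the ones that need either an allow rule (if legitimate) or
# a conversation with the user before enforcement is turned on.
Get-AppLockerAuditSummary -Events $sampleEvents | Format-Table -AutoSize

# Live query on an endpoint that has run in AuditOnly mode for a few weeks:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 }
# Get-AppLockerAuditSummary -Events $live | Format-Table -AutoSize
```

Run the same summary across a representative sample of workstations, not just one, since the software people actually depend on varies by team.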
Ready to Simplify Your IT?
Join 80+ Melbourne businesses who've upgraded their IT experience with Melbits. Book a free consultation and get a clear picture of where your technology stands — no jargon, no pressure.