🛡️ Cybersecurity ⏱ 8 min read

Essential Eight Compliance Guide for Australian SMBs

The Essential Eight is a set of eight mitigation strategies developed by the ASD to protect organisations against cyber threats. Implementing at Maturity Level 1 mitigates 85% of targeted cyber intrusions. Here's what each strategy means and where to start.

The Essential Eight is the Australian Government's recommended cybersecurity framework — and it applies to businesses of all sizes, not just government agencies.

The Essential Eight is a set of eight mitigation strategies developed by the Australian Signals Directorate (ASD) to protect organisations against cyber threats. While originally designed for government agencies, the Australian Cyber Security Centre (ACSC) now recommends it for all Australian organisations. According to the ASD, implementing the Essential Eight at Maturity Level 1 mitigates 85% of targeted cyber intrusions.

The eight strategies explained

1. Application control

Only approved applications can run on your systems. This prevents attackers from executing malicious software — even if they gain access to a workstation. For SMBs, this typically means configuring application whitelisting on business-critical systems and disabling macro execution in Microsoft Office by default.

2. Patch applications

Apply security patches to applications within 48 hours for critical vulnerabilities and within two weeks for non-critical ones. Unpatched software is the most common attack vector — 60% of breaches involve vulnerabilities for which a patch was available but not applied. Focus on internet-facing applications first: web browsers, email clients, PDF readers, and Microsoft Office.

3. Configure Microsoft Office macro settings

Block macros from the internet, only allow vetted macros in trusted locations, and disable macro execution for users who don't need it. Malicious macros remain one of the most common initial access techniques used by attackers targeting Australian businesses.

4. User application hardening

Configure web browsers to block Flash, ads, and Java from the internet. Disable unnecessary features in applications. This reduces the attack surface — the fewer features running, the fewer potential entry points for attackers.

5. Restrict administrative privileges

Administrative accounts should only be used for administrative tasks. Day-to-day work should use standard user accounts. Privileged accounts should be validated regularly and removed when no longer needed. 80% of successful attacks involve compromised administrative credentials, so limiting who has admin access directly limits your risk exposure.

6. Patch operating systems

Apply security patches to operating systems within 48 hours for critical vulnerabilities. Replace end-of-life operating systems (e.g., Windows 10 reaches end of support in October 2025). Unpatched operating systems are trivially exploitable by automated attack tools.
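Strategies 2 and 6 both come down to a deadline: the patch-release date plus 48 hours for critical vulnerabilities, or plus two weeks for non-critical ones. The following script is an added example (not ASD tooling and not part of this guide) that applies those two windows to a list of patch records and reports which assets met the window, which were patched late, and which are still overdue. The asset names, dates and severities are constructed sample data; how you feed real records in (from a patch-management export, for instance) is left to you.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Remediation windows stated in the guide: 48 hours for critical
# vulnerabilities, two weeks for non-critical ones.
PATCH_WINDOWS = {
    "critical": timedelta(hours=48),
    "non-critical": timedelta(days=14),
}


@dataclass(frozen=True)
class PatchRecord:
    asset: str                   # hostname or application name
    component: str               # "os" (strategy 6) or "app" (strategy 2)
    severity: str                # "critical" or "non-critical"
    released: datetime           # when the vendor published the fix
    applied: Optional[datetime]  # None if the patch is still outstanding


def deadline(rec: PatchRecord) -> datetime:
    """Latest acceptable time for this patch to be applied."""
    return rec.released + PATCH_WINDOWS[rec.severity]


def assess(rec: PatchRecord, now: datetime) -> str:
    """Classify one record as on-time, late, overdue or pending."""
    due = deadline(rec)
    if rec.applied is not None:
        return "on-time" if rec.applied <= due else "late"
    return "overdue" if now > due else "pending"


def hours_past_deadline(rec: PatchRecord, now: datetime) -> int:
    """Whole hours by which the window was (or is being) exceeded; 0 if within it."""
    reference = rec.applied if rec.applied is not None else now
    overshoot = reference - deadline(rec)
    return max(0, int(overshoot.total_seconds() // 3600))


def summarise(records: List[PatchRecord], now: datetime
              ) -> Tuple[Dict[str, int], List[Tuple[str, str, str, int]]]:
    """Count records per status and list the ones that breached their window."""
    counts = {"on-time": 0, "late": 0, "overdue": 0, "pending": 0}
    findings = []
    for rec in records:
        status = assess(rec, now)
        counts[status] += 1
        if status in ("late", "overdue"):
            findings.append((rec.asset, rec.component, status,
                             hours_past_deadline(rec, now)))
    return counts, findings


def ts(*args: int) -> datetime:
    """Build a UTC timestamp from year, month, day, hour, minute."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample data: the point in time the report is run, and four
# records covering every status the checker can produce.
NOW = ts(2025, 3, 10, 9, 0)
SAMPLE = [
    PatchRecord("fs01", "os", "critical", ts(2025, 3, 7, 10, 0), ts(2025, 3, 8, 15, 0)),
    PatchRecord("ws-accounts-03", "app", "critical", ts(2025, 3, 5, 8, 0), ts(2025, 3, 9, 12, 0)),
    PatchRecord("mail01", "os", "non-critical", ts(2025, 2, 20, 0, 0), None),
    PatchRecord("ws-sales-11", "app", "non-critical", ts(2025, 3, 3, 0, 0), None),
]


if __name__ == "__main__":
    counts, findings = summarise(SAMPLE, NOW)
    print("status counts:", counts)
    for asset, component, status, hours in findings:
        print(f"{asset:16} {component:4} {status:8} {hours:4d}h past window")
```

Run it as-is and the report flags the browser patch on ws-accounts-03 as applied 52 hours late and the mail server's non-critical OS patch as 105 hours overdue, while fs01 is on time and ws-sales-11 is still inside its two-week window. Tracking the overshoot in hours, rather than a simple pass/fail, is what lets you show an insurer or a supply-chain auditor how far from Maturity Level 1 you actually are.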

7. Multi-factor authentication (MFA)

Require MFA for all remote access, VPNs, cloud services (Microsoft 365, Google Workspace), privileged accounts, and any internet-facing authentication. MFA blocks 99.9% of automated credential attacks according to Microsoft research. Phishing-resistant MFA (hardware keys, passkeys) is preferred over SMS-based MFA.

8. Regular backups

Back up important data, software, and configuration settings regularly. Store backups offline or in a separate environment. Test restoration quarterly. Backups are your last line of defence against ransomware — if you can restore from a clean backup, you don't need to pay the ransom.
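"Test restoration quarterly" only proves something if the test checks that what came back is what went in. The script below is an added example, not part of this guide or of any backup product: at backup time it records a SHA-256 digest for every file, and at restore-test time it compares the restored tree against that manifest and reports files that are missing, silently altered, or unexpected. The directory layout and file contents are constructed for the demonstration; the manifest would normally be written to a JSON file stored with the backup, which is the one step this example keeps in memory.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, forward slashes) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(restored)
    return {
        # recorded at backup time but absent after restore
        "missing": sorted(k for k in manifest if k not in actual),
        # present but with different contents (truncation, tampering, wrong version)
        "corrupted": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        # present after restore but never backed up (restore landed on a dirty target)
        "unexpected": sorted(k for k in actual if k not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: back up three files, then 'restore' a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2025-03-01,100\n")
        (live / "config.ini").write_text("[backup]\nschedule=daily\n")
        (live / "notes.txt").write_text("quarterly restore test\n")
        manifest = build_manifest(live)  # this is what you store alongside the backup

        restored = Path(tmp) / "restored"
        (restored / "finance").mkdir(parents=True)
        (restored / "finance" / "ledger.csv").write_text("date,amount\n2025-03-01,100\n")  # intact
        (restored / "config.ini").write_text("[backup]\nschedule=weekly\n")  # altered
        # notes.txt deliberately not restored
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10} {files}")
```

A restore test passes only when all three lists are empty. Keeping the manifest with the offline copy (and hashing it too) means a ransomware operator who reaches the backup share cannot quietly alter files without the next quarterly test noticing.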

Maturity levels

The Essential Eight uses a four-level maturity model:

  • Maturity Level 0 — not aligned with the intent of the strategy. Most SMBs start here
  • Maturity Level 1 — partly aligned. Basic implementation that mitigates 85% of targeted intrusions. This is the recommended starting point for SMBs
  • Maturity Level 2 — mostly aligned. More comprehensive coverage. Recommended for businesses handling sensitive data
  • Maturity Level 3 — fully aligned. Complete implementation with continuous monitoring. Required for government agencies and critical infrastructure

Why SMBs should care

Three reasons the Essential Eight matters for small and medium businesses:

  1. Insurance requirements — cyber insurance providers increasingly require Essential Eight alignment as a condition of coverage. Without it, your premiums increase or you can't get coverage at all
  2. Supply chain requirements — government agencies and large enterprises increasingly require Essential Eight compliance from their suppliers and contractors
  3. Practical protection — the eight strategies are specifically chosen because they provide the most protection for the least effort. They're not theoretical — they're the distilled experience of Australia's signals intelligence agency

How to start — the SMB approach

You don't need to implement all eight strategies at Maturity Level 3 on day one. Start with the highest-impact, lowest-effort items:

  1. Enable MFA everywhere (strategy 7) — the single highest-impact action
  2. Enable automatic updates (strategies 2 and 6) — for all applications and operating systems
  3. Configure daily backups (strategy 8) — automated, offsite, and tested
  4. Restrict admin access (strategy 5) — separate admin and daily-use accounts
  5. Then work through the remaining four strategies with professional guidance

Where does your business sit on the Essential Eight?

RabbiiCo Studio's Essential Eight Gap Assessment evaluates your current maturity level across all eight strategies and provides a prioritised remediation roadmap. Designed for Australian SMBs.
