The Australian Signals Directorate's Essential Eight explained for small and medium Melbourne businesses — what it is, what each control means, and how to actually implement it.
The Essential Eight gets mentioned frequently in cyber security conversations for Melbourne businesses — by IT providers, cyber insurers, and occasionally by the Australian Signals Directorate in news coverage of major breaches. Despite this, most Melbourne SMB owners have only a vague understanding of what it actually requires.
This guide explains the Essential Eight in plain English: what each of the eight controls means, what the maturity levels represent, and how a Melbourne SMB of 20–100 staff can realistically achieve and maintain compliance.
What Is the Essential Eight?
The Essential Eight is a set of baseline cyber security controls developed by the Australian Signals Directorate (ASD) — the government agency responsible for Australian cyber intelligence and defence. It was first published in 2017 and has been regularly updated since.
The ASD designed the Essential Eight to address the most common attack vectors used in real-world cyber incidents against Australian organisations. Unlike many security frameworks, it is not a comprehensive checklist of every possible security control — it is a prioritised set of eight controls that collectively address the majority of cyber attacks targeting Australian businesses.
Compliance with the Essential Eight is not legally mandated for most Melbourne SMBs. However, it has become effectively required in several contexts:
- Cyber insurance: Major insurers now require evidence of Essential Eight controls as a condition of cover, particularly MFA and patching
- Government contracts: Federal and many state government contracts require suppliers to demonstrate Essential Eight compliance
- Client due diligence: Larger clients, particularly professional services counterparties, are increasingly requiring their suppliers to evidence Essential Eight alignment
- Industry regulation: Healthcare, financial services, and legal sectors increasingly reference Essential Eight in their IT governance expectations
The Four Maturity Levels
The Essential Eight uses four maturity levels to describe implementation quality:
Maturity Level 0 (ML0): Weaker than the baseline. Controls are absent, inconsistent, or provide minimal mitigation. Most Melbourne businesses start here for some controls.
Maturity Level 1 (ML1): Partially aligned. Controls are implemented but with gaps. Mitigates opportunistic, automated attacks. This is the minimum target for any Melbourne business.
Maturity Level 2 (ML2): Mostly aligned. Controls are more comprehensive. Mitigates targeted attacks from moderately sophisticated adversaries. This is the appropriate target for Melbourne professional services firms, healthcare practices, and legal firms within 12 months.
Maturity Level 3 (ML3): Fully aligned. Controls are comprehensive and verified. Mitigates sophisticated, targeted attacks. Required for federal government contractors and some regulated industries. Achievable but demanding for Melbourne SMBs.
The Eight Controls, Explained
1. Application Control
What it means: Only software that has been explicitly approved can run on devices. Anything not on the approved list is blocked.
Why it matters: Most malware is delivered via executable files — either downloaded by a user, received in email, or dropped by another malicious process. Application control prevents unauthorised executables from running at all, regardless of whether antivirus has seen them before.
In practice for Melbourne SMBs: This is one of the harder controls to implement well. It requires either software whitelisting (approved list) or Microsoft AppLocker/Windows Defender Application Control. A managed IT provider with Intune expertise can implement this without disrupting normal business operations, but it requires careful scoping.
ML1 minimum: Application control applied to workstations to prevent malicious executables running from user-writable directories (Downloads, Desktop, Temp).
2. Patch Applications
What it means: Software applications (browsers, Office, PDF readers, etc.) are patched within defined timeframes after a patch is released.
Why it matters: Unpatched applications are one of the most common attack vectors. Browser vulnerabilities, Adobe Reader exploits, and Office macro vulnerabilities are regularly used in real-world attacks against Australian businesses. Patching removes the vulnerability before attackers can exploit it.
In practice for Melbourne SMBs: Automated patching through tools like Patch My PC, Intune, or NinjaOne makes this achievable without manual effort. The key discipline is the timeframe — ML1 requires patches within one month for internet-facing applications; ML2 tightens this to two weeks.
ML1 minimum: Internet-facing applications (browsers, email clients, PDF readers) patched within one month of release. Critical vulnerability patches applied within 48 hours.
3. Configure Microsoft Office Macro Settings
What it means: Microsoft Office macros (small programs embedded in Word, Excel, and PowerPoint files) are disabled or restricted to authorised publishers only.
Why it matters: Macros are one of the most common mechanisms for delivering malware via email attachments. A malicious Word document with an embedded macro can install ransomware, steal credentials, or establish persistent access. Blocking untrusted macros eliminates this attack vector entirely.
In practice for Melbourne SMBs: This is a Group Policy or Intune configuration setting. For most Melbourne professional services businesses, disabling macros from the internet entirely causes minimal disruption — the vast majority of legitimate macro use involves internally-created files, which remain unaffected.
ML1 minimum: Macros from the internet blocked. Macros from trusted locations (internal network, specific publisher certificates) allowed.
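To confirm the macro setting has actually reached a workstation, the policy values can be read back from the registry. The script below is an added example, not part of the original guide. It assumes Office 2016 or later (policy hive `16.0`) and that the setting is delivered to the standard per-user policy key; settings delivered another way will show as "Not set".

```powershell
# Added example: report the Office macro policy values applied to the current user.
# Assumes Office 2016 or later (policy hive "16.0"); run as the user being checked.
$apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the vbawarnings policy value.
$vbaMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all with notification'
    3 = 'Disable all except digitally signed'
    4 = 'Disable all without notification'
}

$report = foreach ($app in $apps) {
    $key    = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Both values are $null when the key or value does not exist.
    $blockInternet = $policy.blockcontentexecutionfrominternet
    $vba           = $policy.vbawarnings

    [pscustomobject]@{
        Application         = $app
        BlockInternetMacros = if ($null -eq $blockInternet) { 'Not set' } else { $blockInternet }
        MacroNotification   = if ($null -eq $vba) { 'Not set' } else { $vbaMeaning[[int]$vba] }
        # 1 means macros in files from the internet are blocked.
        InternetMacrosBlocked = ($blockInternet -eq 1)
    }
}

$report | Format-Table -AutoSize

if ($report.InternetMacrosBlocked -contains $false) {
    Write-Warning 'At least one Office application does not block macros from the internet.'
}
```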
4. User Application Hardening
What it means: Web browsers, PDF readers, and Microsoft Office are configured to block or restrict risky features — Flash content, Java, web advertisements with embedded scripts.
Why it matters: Many browser and application exploits work through features that have legitimate uses but are commonly weaponised: browser extensions that steal credentials, malicious advertisements that execute code, PDF files that launch executables.
In practice for Melbourne SMBs: A configuration baseline applied via Intune or Group Policy. The ASD provides hardening guides for each major application. A good managed IT provider applies these as standard.
ML1 minimum: Internet Explorer disabled. Flash blocked. Java blocked in browsers. Office configured to block macros from the internet.
5. Restrict Administrative Privileges
What it means: Only accounts that genuinely need administrative access have it. Staff use standard user accounts for day-to-day work and only elevate to admin when required for specific tasks.
Why it matters: Ransomware and malware run with the permissions of the account they infect. An administrator’s account can modify system files, install software, change security settings, and access all data on the system. A standard user account cannot. Restricting admin access limits what an attacker can do with a compromised account.
In practice for Melbourne SMBs: This requires reviewing which staff have local or domain admin rights and removing them where they are not needed. It also requires a mechanism for staff who legitimately need occasional admin access to elevate temporarily — usually a separate admin account used only for that purpose.
ML1 minimum: Users do not have local admin rights on their workstations. Separate admin accounts used for privileged tasks. Default admin accounts disabled or renamed.
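The review described above can start with a per-device check of who holds local admin rights and whether the default admin account is still active under its default name. This script is an added example, not part of the original guide; the names in `$approvedAdmins` are hypothetical placeholders for the accounts your business has decided should have admin rights.

```powershell
# Added example: check one workstation against the ML1 points above.
# Run from an elevated PowerShell session on the device being checked.

# Accounts expected to hold local admin rights (hypothetical names; replace with your own).
$approvedAdmins = @('EXAMPLE\Workstation-Admins', "$env:COMPUTERNAME\admin-jsmith")

# The local built-in Administrator always has a SID ending in -500, even if renamed.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

try {
    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup works even if the group has been renamed.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
}
catch {
    # Enumeration can fail when the group contains accounts that no longer resolve.
    Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
    return
}

$report = @(foreach ($m in $members) {
    # The built-in Administrator is assessed separately below.
    if ($m.SID.Value -eq $builtIn.SID.Value) { continue }

    [pscustomobject]@{
        Check  = 'Member of local Administrators'
        Item   = $m.Name
        Detail = "$($m.ObjectClass) / $($m.PrincipalSource)"
        Pass   = $approvedAdmins -contains $m.Name
    }
})

$report += [pscustomobject]@{
    Check  = 'Built-in Administrator disabled or renamed'
    Item   = $builtIn.Name
    Detail = "Enabled=$($builtIn.Enabled)"
    Pass   = (-not $builtIn.Enabled) -or ($builtIn.Name -ne 'Administrator')
}

$report | Format-Table -AutoSize
```

Any row with `Pass` set to `False` is an account to review: either remove it from the Administrators group or add it to the approved list with a documented reason.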
6. Patch Operating Systems
What it means: Operating systems (Windows, macOS, server OS) are patched within defined timeframes.
Why it matters: Like application patching, OS vulnerabilities are regularly exploited. Windows and server OS patches address vulnerabilities in core components — networking stack, kernel, Active Directory — that can provide attackers with system-level access.
In practice for Melbourne SMBs: Windows Update for Business or Intune can automate this. The critical distinction at ML2 is that end-of-life operating systems are not acceptable — businesses running Windows 10 past its October 2025 end-of-life date are effectively at ML0 for this control.
ML1 minimum: OS patches applied within one month of release. Critical vulnerability patches applied within 48 hours.
7. Multi-Factor Authentication (MFA)
What it means: Users must provide a second factor (a code, a push notification, a hardware key) in addition to their password to access systems. A password alone is insufficient.
Why it matters: Credential theft — through phishing, data breaches, or brute force — is the most common account compromise mechanism. MFA means a stolen password is useless without the second factor. Microsoft data shows MFA blocks over 99% of automated credential attacks.
In practice for Melbourne SMBs: Microsoft Authenticator with number matching for Microsoft 365 is the standard implementation for most Melbourne businesses. Conditional Access in Entra ID allows granular control — requiring MFA for all sign-ins, requiring compliant devices, blocking legacy authentication.
ML1 minimum: MFA required for all remote access (VPN, remote desktop, email). MFA required for privileged accounts (administrators).
ML2 minimum: MFA required for all users accessing all internet-facing services, not just remote access.
8. Regular Backups
What it means: Important data is backed up regularly, backups are tested, and the backups are stored separately from the primary systems.
Why it matters: Backup is the recovery mechanism of last resort. When all other controls fail — when ransomware encrypts your data, when a staff member accidentally deletes critical files, when hardware fails — your backup is what allows you to restore. A backup that has never been tested may not work when you need it.
In practice for Melbourne SMBs: 3-2-1 architecture (3 copies, 2 media types, 1 offsite) implemented with immutable cloud storage. Monthly tested restores with documented results. Backup scope including Microsoft 365 data (which Microsoft does not back up for you).
ML1 minimum: Backups performed and retained for at least three months. Backups stored offline, offsite, or in a separate cloud account. Backups tested at least annually.
ML2 minimum: Backups tested at least annually with documented results. Unprivileged accounts cannot access or delete backups.
How Long Does Essential Eight Implementation Take?
For a Melbourne SMB of 15–50 staff starting from a typical baseline:
- ML1 within 60–90 days: Achievable with a managed IT provider who includes Essential Eight as part of their service. The quick wins (MFA, patching automation, macro settings) can be implemented in the first few weeks.
- ML2 within 6–12 months: Requires more careful planning, particularly for application control (which needs scoping work to avoid disrupting legitimate software), privileged access review (which requires a people-and-process change), and backup architecture (which may require new tooling).
- ML3 within 12–24 months: Requires sustained investment and ongoing governance. Realistic for motivated Melbourne businesses but requires treating security as a strategic priority, not a compliance exercise.
A Practical Starting Point for Melbourne SMBs
If you have not yet started your Essential Eight journey, the three controls that provide the highest return against real-world attacks are:
- MFA — implement Microsoft Authenticator with number matching for all Microsoft 365 users this month
- Patching — implement automated patching for applications and OS across all endpoints
- Backups — verify your current backups are intact, test a restore, and implement immutable offsite storage
These three controls address the vectors most commonly exploited in real-world attacks against Melbourne SMBs. The remaining five controls build on this foundation and increase your overall maturity.
Our Essential Eight compliance service helps Melbourne businesses assess their current maturity level, develop a remediation roadmap, and implement controls through our managed IT platform. We also provide the documentation that cyber insurers and government procurement teams require.
Contact us for a free Essential Eight maturity assessment for your Melbourne business.