
The Essential Eight Explained for Melbourne SMBs

Peter Nelson · 7 min read

The Australian Signals Directorate's Essential Eight is the baseline cybersecurity framework for Australian businesses. Here's what it actually means in practice for businesses with 10-200 staff.

The Essential Eight comes up constantly in conversations about cybersecurity - especially with businesses that have just renewed their cyber insurance, received a questionnaire from a government client, or had a scare with a phishing attack. But what it actually means in practice for a Melbourne business with 20 or 50 staff is often unclear.

This post explains the Essential Eight without the jargon, and gives you a realistic picture of what implementation looks like for a small or medium business.

What Is the Essential Eight?

The Essential Eight is a set of eight cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) - the same government agency responsible for signals intelligence and cyber security guidance for Australian government and industry.

The original framework was published in 2017 and has been updated since. The eight strategies are organised into three maturity levels (Maturity Level 1, 2, and 3), with Level 1 representing a baseline that significantly reduces the risk of common cyber attacks, and Level 3 representing a mature, hardened security posture appropriate for higher-risk organisations.

For most Melbourne SMBs, Maturity Level 1 or Level 2 is the target. Government contractors and organisations handling sensitive data should aim for Level 2 or Level 3.

The Eight Strategies

1. Application Control

Application control means that only approved applications can run on your endpoints. If malware or a malicious script tries to execute on a workstation, application control blocks it because it is not on the approved list.

In practice, this means implementing Microsoft AppLocker or Windows Defender Application Control (WDAC) on all Windows endpoints, configured to allow only applications your business actually needs. It also means having a process for adding new approved applications when staff legitimately need them.

This is one of the harder controls to implement in an SMB environment because it requires a complete application inventory and ongoing maintenance. But it is also one of the most effective - application control stops a large proportion of ransomware attacks before they execute.

2. Patch Applications

Patch management means that all applications - not just operating systems - are patched within a defined timeframe after a security patch is released. The ASD recommends patching internet-facing applications within 48 hours of a patch release, and all other applications within two weeks.

This sounds straightforward but requires a proper patch management system. Many businesses run behind on application patches because their IT provider only patches operating systems, or because patching requires downtime that nobody schedules.

3. Configure Microsoft Office Macro Settings

Many ransomware attacks use malicious macros embedded in Word or Excel files sent via email. Disabling macros for documents received from external sources - and blocking macros from running when they were not digitally signed - eliminates this attack vector.

For most businesses, this means configuring Group Policy or Microsoft Intune to block unsigned macros. The business impact is usually minimal because most legitimate macros are internal documents that can be signed or whitelisted.
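The "block unsigned macros" and "block macros from the internet" settings that Group Policy or Intune push out end up as a handful of registry values under the Office policy hive. The script below is an added example, not something from the post or an ASD tool: it audits those values for Word, Excel and PowerPoint on the current machine and can set them on a test workstation. It assumes Office 2016 or later (the `16.0` hive) and only touches the current user's policy key; production deployment still belongs in GPO or Intune.

```powershell
# Added example: audit (and optionally set) the Office 2016+ macro policy values that the
# Group Policy / Intune "block unsigned macros" settings write under HKCU\Software\Policies.
# VBAWarnings 3 = "Disable all except digitally signed macros"
# blockcontentexecutionfrominternet 1 = block macros in files that came from the internet
$Apps    = 'Word', 'Excel', 'PowerPoint'
$Desired = @{ VBAWarnings = 3; blockcontentexecutionfrominternet = 1 }

function Get-MacroPolicyState {
    param([string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key     = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $current = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        foreach ($name in $Desired.Keys) {
            # A missing value means the policy has never been applied, which is non-compliant.
            $value = if ($current -and $null -ne $current.$name) { [int]$current.$name } else { $null }
            [pscustomobject]@{
                Application = $app
                Setting     = $name
                Current     = $value
                Expected    = $Desired[$name]
                Compliant   = ($value -eq $Desired[$name])
            }
        }
    }
}

function Set-MacroPolicy {
    param([string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Desired[$name] -Force | Out-Null
        }
    }
}

# Report anything not yet locked down; run Set-MacroPolicy on a pilot machine, then re-audit.
Get-MacroPolicyState | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```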

4. User Application Hardening

User application hardening covers configuring applications to minimise attack surface. Practically, this means:

  • Disabling Internet Explorer 11 (deprecated, but still present on older Windows installations)
  • Blocking web advertisements that can carry malicious scripts
  • Disabling or blocking unneeded features in web browsers (Java, Flash, unnecessary plugins)

For most SMBs, the main action items are ensuring a modern, hardened browser configuration and implementing ad blocking through a DNS-level solution or browser extension policy.

5. Restrict Administrative Privileges

This is one of the most impactful controls for SMBs. Administrative privilege restriction means that day-to-day user accounts should not have local administrator rights on their workstations, and that administrative accounts should only be used for administrative tasks - not for email, web browsing, or general work.

The reason this matters is that many attacks work by compromising a regular user account and then escalating privileges to administrator level. If the initial compromise is a non-administrator account, the attacker’s ability to cause damage is significantly limited.

In practice, this means maintaining separate admin accounts for IT staff and removing local admin rights from standard user accounts. For many SMBs, this is a change because staff have historically had admin rights for convenience. The transition requires communication and usually some adjustments for specific applications that require elevated privileges.

6. Patch Operating Systems

Like application patching, operating system patching should happen within 48 hours for internet-facing systems and two weeks for all other systems. End-of-life operating systems (anything older than Windows 10, or out-of-support Windows 10 versions) should be replaced because they no longer receive security updates.
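The 48-hour and two-week windows only mean something if somebody is measuring against them. The following is an added example (not from the post or any vendor tool) that turns those two timeframes into a compliance report over a patch inventory; the inventory itself is constructed sample data and the `-AsOf` date is fixed only so the output is reproducible.

```powershell
# Added example: check a patch inventory against the ASD timeframes quoted above:
# 48 hours for internet-facing systems and applications, 14 days for everything else.
# The inventory below is constructed sample data, not output from a real tool.
$Inventory = @(
    [pscustomobject]@{ Asset = 'web01'; Software = 'Exchange';      InternetFacing = $true;  PatchReleased = '2024-03-12'; PatchInstalled = $null },
    [pscustomobject]@{ Asset = 'ws-17'; Software = 'Chrome';        InternetFacing = $false; PatchReleased = '2024-03-01'; PatchInstalled = '2024-03-04' },
    [pscustomobject]@{ Asset = 'ws-22'; Software = 'Windows 11';    InternetFacing = $false; PatchReleased = '2024-02-13'; PatchInstalled = $null },
    [pscustomobject]@{ Asset = 'vpn01'; Software = 'VPN appliance'; InternetFacing = $true;  PatchReleased = '2024-03-14'; PatchInstalled = '2024-03-15' }
)

function Get-PatchSlaStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Items,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($item in $Items) {
        $released  = [datetime]$item.PatchReleased
        # Deadline depends on exposure, not on whether it is an OS or an application.
        $deadline  = if ($item.InternetFacing) { $released.AddHours(48) } else { $released.AddDays(14) }
        $installed = if ($item.PatchInstalled) { [datetime]$item.PatchInstalled } else { $null }
        $status = if ($installed) {
            if ($installed -le $deadline) { 'Patched in time' } else { 'Patched late' }
        } elseif ($AsOf -gt $deadline) { 'OVERDUE' } else { 'Open, within SLA' }
        [pscustomobject]@{
            Asset          = $item.Asset
            Software       = $item.Software
            InternetFacing = $item.InternetFacing
            Deadline       = $deadline
            Status         = $status
            DaysOverdue    = if ($status -eq 'OVERDUE') { [math]::Floor(($AsOf - $deadline).TotalDays) } else { 0 }
        }
    }
}

# Fixed "as of" date so the sample report is reproducible; drop -AsOf for a live check.
Get-PatchSlaStatus -Items $Inventory -AsOf (Get-Date '2024-03-20') |
    Sort-Object -Property @{ Expression = 'DaysOverdue'; Descending = $true } |
    Format-Table -AutoSize
```

With the sample data, web01 and ws-22 come out OVERDUE (6 and 21 days respectively) while the other two were patched inside their windows.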

7. Multi-Factor Authentication

MFA is the one control that most businesses are now familiar with. It requires a second form of verification beyond a password - typically a code from an authenticator app or a hardware key - before granting access to systems.

MFA should be enforced for:

  • Microsoft 365 (email, SharePoint, Teams) - this is the highest priority
  • Remote access (VPN, Remote Desktop)
  • Cloud services (accounting software, CRMs)
  • Any system accessible from the internet

The ASD recommends phishing-resistant MFA for higher-maturity implementations - this means authentication apps or hardware keys rather than SMS codes, which can be intercepted through SIM-swapping attacks.

8. Regular Backups

The backup control in the Essential Eight has specific requirements that go beyond “we have a backup”:

  • Backups must cover systems, applications, and data
  • Backups must be tested by restoring data as part of a recovery exercise
  • Backups must be stored offline or in a geographically separate location so that a ransomware attack cannot reach them
  • At least three backup copies must exist (the 3-2-1 rule: three copies, on two different media types, with one offsite)

Many businesses have backups that have never been tested. When they need to restore after a ransomware attack, they discover the backup has been failing silently for months. Tested, offsite backups are what actually determines how quickly you recover from a catastrophic incident.

What Maturity Level Do You Need?

For most Melbourne SMBs, the target should be Maturity Level 1 as a minimum, with a plan to reach Level 2 within 12 to 18 months.

Maturity Level 1 covers the basics: MFA everywhere, patching on schedule, backups tested and offsite, admin rights restricted, and macro settings configured. This alone will stop the vast majority of commodity cyber attacks.

Maturity Level 2 adds more systematic controls: application control, stricter admin privilege management, phishing-resistant MFA, and more comprehensive hardening.

If you have government contracts, cyber insurance requirements, or handle sensitive personal data at scale, Level 2 should be your target.

Getting Your Business to Maturity Level 1

Here is a realistic timeline for a 20 to 50 person business starting from a baseline of “we have antivirus and a firewall”:

Month 1:

  • Enable MFA on Microsoft 365 and all remote access (this is the single highest-impact action)
  • Review backup configuration, test a restore, implement offsite backup if not already in place
  • Patch all applications and operating systems to current versions

Month 2:

  • Remove local admin rights from standard user accounts
  • Configure macro settings in Microsoft 365
  • Review and harden browser configurations

Month 3:

  • Implement a patch management process with documented patching schedule
  • Begin application inventory in preparation for application control
  • Document and test backup recovery procedures

Month 4-6:

  • Deploy application control in audit mode, review results, refine allow list
  • Enable application control enforcement
  • Document everything for cyber insurance and compliance purposes
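The "audit mode, review results, refine allow list, enforce" steps for application control above, and the AppLocker deployment described under strategy 1, look like this in practice on a pilot workstation. This is an added example, not the post's or Microsoft's own tooling: it assumes an elevated PowerShell session on Windows 10/11 Enterprise or Education (or Windows Server) on a clean, representative build, and `C:\E8\applocker-audit.xml` is just an assumed working path.

```powershell
# Added example (not from the post): AppLocker "audit first, enforce later" loop for a pilot
# workstation. Run elevated. The generated rule set is a starting point for review, not a
# finished allow list.
$PolicyPath = 'C:\E8\applocker-audit.xml'   # assumed working path
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Inventory executables and scripts in the standard install locations.
$fileInfo = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows' |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script }

# 2. Prefer publisher (signature) rules; fall back to hash rules for unsigned binaries.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. Force every rule collection into AuditOnly so nothing is blocked during the pilot.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($PolicyPath)

# 4. Apply to the local policy and make sure the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. After a week or two of normal use, review what WOULD have been blocked (audit event 8003
#    for EXE/DLL, 8006 for MSI/script) and add rules for legitimate apps before enforcing.
function Get-AppLockerAuditHits {
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    $logs  = @{
        'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
        'Microsoft-Windows-AppLocker/MSI and Script' = 8006
    }
    foreach ($log in $logs.Keys) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $logs[$log]; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $_.UserId; Detail = $_.Message }
            }
    }
}

# Most frequent "would have been blocked" entries first: these are the apps to review.
Get-AppLockerAuditHits | Group-Object Detail | Sort-Object Count -Descending | Select-Object Count, Name
```

Once the audit log is quiet for legitimate software, change `AuditOnly` to `Enabled` in the XML and re-run `Set-AppLockerPolicy` to enforce.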

None of this requires exotic security software or substantial capital expenditure. It requires a managed IT provider who understands the framework and has a systematic approach to implementation.

One More Thing on Cyber Insurance

If you are renewing cyber insurance or applying for the first time, insurers are increasingly asking for evidence of Essential Eight implementation. Having documented evidence that you have implemented even Maturity Level 1 controls - MFA, tested backups, current patching, restricted admin privileges - makes a material difference to both insurability and premium levels.

If your current IT provider cannot provide this documentation, or does not know what the Essential Eight is, that is a signal worth paying attention to.

Free Right Fit Call

Want to Talk Through What This Means for Your Business?

Book a free 15-minute Right Fit Call. No obligation - just a straight conversation about your IT situation.

  • No lock-in contracts - ever
  • Valued at $250 - completely free
  • 4.5-star Google rated
  • Answer in 60 seconds or less
