If you've heard the phrase 'Essential Eight' from an insurer, a tender document or a worried board member, here's what it actually means for a small-to-medium Australian business — minus the jargon.
What is the Essential Eight?
The Essential Eight is a set of prioritised mitigation strategies published by the Australian Cyber Security Centre (ACSC). It isn't legislation and it isn't a certification — it's a practical framework describing the eight controls that block the most common attack paths into Australian organisations.
The eight strategies are: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening, and regular backups.
Why SMEs should care
Attackers don't only target enterprises — they automate, and automation doesn't discriminate by company size. SMEs are often hit precisely because controls like MFA and patching are missing or inconsistent. The Essential Eight is valuable for SMEs because it's prioritised: it tells you what to fix first.
The three maturity levels
Each strategy is assessed against maturity levels (one to three), reflecting increasingly strict implementation. Most SMEs should initially target Maturity Level One across all eight strategies — that alone eliminates the majority of opportunistic attacks.
Where to start (in order)
In our experience running security for Australian SMEs, the practical order is:
- MFA everywhere. The single highest-value control. No MFA-free accounts, ever — including "service" and shared mailboxes.
- Patch what's exposed. Operating systems and applications, with internet-facing systems patched fastest.
- Rein in admin rights. Separate admin accounts, least-privilege access, and remove local admin from daily-driver machines.
- Backups you've tested. Regular backups, monitored daily and restore-tested — your last line against ransomware.
- Then the rest. Application control, macro restrictions and application hardening round out the set.
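The "backups you've tested" item above is the one most often left half-done: the job runs, but nobody has ever restored from it. The script below is an added illustration, not Techist's tooling or part of the original article, of what a minimal restore test looks like: take a backup, record its checksum, restore it into a scratch directory and compare the result file-by-file with the source. The directory names and the sample files are constructed for the demonstration; adapt them to your own data and backup target.

```shell
#!/bin/sh
# Added example (not from the original article): backup with a recorded
# checksum, followed by an automated restore test. Paths and sample data
# below are constructed for the demonstration.
set -eu

# Archive a directory into $dest and write a SHA-256 checksum beside it.
# Prints the archive path so callers can hand it to test_restore.
make_backup() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  archive="$dest/backup-$(date +%Y%m%d).tar.gz"
  tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
  sha256sum "$archive" | cut -d' ' -f1 > "$archive.sha256"
  echo "$archive"
}

# Restore test: verify the checksum, unpack into a scratch directory and
# compare the restored tree with the live source. Returns 0 only when the
# archive is intact and every restored file matches.
test_restore() {
  archive="$1"; src="$2"
  expected="$(cat "$archive.sha256")"
  actual="$(sha256sum "$archive" | cut -d' ' -f1)"
  [ "$expected" = "$actual" ] || { echo "checksum mismatch: $archive" >&2; return 1; }
  scratch="$(mktemp -d)"
  if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
    rm -rf "$scratch"; echo "archive unreadable: $archive" >&2; return 1
  fi
  if diff -r "$src" "$scratch/$(basename "$src")" >/dev/null; then
    status=0
  else
    status=1; echo "restored data differs from source" >&2
  fi
  rm -rf "$scratch"
  return $status
}

# Stand-alone demonstration on constructed sample data.
demo() {
  work="$(mktemp -d)"
  mkdir -p "$work/data/sub"
  echo "customer list" > "$work/data/a.txt"
  echo "invoices" > "$work/data/sub/b.txt"
  arc="$(make_backup "$work/data" "$work/backups")"
  if test_restore "$arc" "$work/data"; then
    echo "restore test passed: $arc"
  else
    echo "RESTORE TEST FAILED: $arc"
    rm -rf "$work"; return 1
  fi
  rm -rf "$work"
}

demo
```

Run it on a schedule (daily is the cadence the list above suggests) and alert on a non-zero exit rather than on the absence of a log line; a backup job that silently stopped producing archives should fail this test, not pass it by default.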
A note on "Essential Eight certified"
Be wary of providers claiming Essential Eight "certification" — no such certification scheme exists. The honest claim is alignment: assessing your environment against the maturity model and closing gaps. That's the language we use at Techist, because it's the accurate one.
The bottom line
You don't need an enterprise budget to be a hard target. Maturity Level One across the Essential Eight is achievable for most SMEs within a sensible budget — especially when controls are built into how your IT is managed day-to-day, rather than bolted on as a project.