If you run a small business in Australia, you’ve probably started hearing about the “Essential Eight.” Maybe a government tender mentioned it. Maybe your insurance broker asked about it. Maybe your IT provider brought it up and you nodded along without quite understanding what they meant.

You’re not alone. The Essential Eight is Australia’s most important cybersecurity framework, but it was written for IT security professionals — not business owners. This guide translates it into plain language so you can understand what it is, why it matters, and what you need to do about it.

Australian Cyber Threat Snapshot — FY2024-25

84,700+ cybercrime reports filed, one report every six minutes
$56,600 average cost per incident (SMB)
14% increase year-on-year

Source: ASD Annual Cyber Threat Report FY2024-25

What Is the Essential Eight?

The Essential Eight is a set of eight cybersecurity strategies published by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC). These eight controls are considered the most effective baseline for mitigating cyber threats targeting Australian organisations.

Think of it as a safety checklist for your digital business — similar to how a building needs fire exits, smoke detectors, and emergency plans. The Essential Eight covers the digital equivalents: keeping software updated, controlling who can access what, and making sure you can recover if something goes wrong.

The framework was first published in 2017, based on the earlier “Top 4” strategies that the ASD had recommended since 2010. It has been updated regularly, most recently in November 2023, to reflect the evolving threat landscape.

The Eight Strategies

The eight controls are grouped into three objectives: preventing attacks from getting in, limiting the damage if they do, and recovering when something goes wrong. Here’s what each one means in plain language.

Prevent Attacks
Application Control: only approved software can run on your devices
Patch Applications: keep business software updated within 48 hours
Configure Macros: disable or restrict Office macros to block malware
User App Hardening: lock down browsers and email clients

Limit the Impact
Restrict Admin Privileges: only those who need full access get it
Patch Operating Systems: keep Windows/macOS updated, replace unsupported OS
Multi-Factor Authentication: require a second verification step for logins

Recover Data
Regular Backups: back up critical data, store separately, test restores

Objective 1: Prevent Attacks

Application Control — Only approved software can run on your computers. This stops malware, ransomware, and unauthorised programs from executing. For most small businesses, this means configuring your operating system’s built-in application control features.

Patch Applications — Keep your business software up to date. When vendors like Microsoft, Adobe, or your accounting software provider release security updates, apply them within 48 hours for critical vulnerabilities. Outdated software is the single most common entry point for attackers.

Configure Microsoft Office Macro Settings — Disable or restrict macros in Microsoft Office files. Macros are small programs embedded in Word and Excel documents that attackers use to deliver malware. Most businesses don’t use macros — if you don’t need them, block them.

User Application Hardening — Lock down your web browsers and email clients. Disable Flash, Java applets, and unnecessary features that attackers exploit. Configure browsers to block ads and restrict scripts from untrusted sites.

Objective 2: Limit the Impact

Restrict Administrative Privileges — Don’t give everyone admin access. Only the people who genuinely need full system access should have it, and even then, they should use a separate admin account only when performing administrative tasks. Most staff should use standard accounts for daily work.

Patch Operating Systems — Keep Windows, macOS, and any server operating systems updated. Like application patching, critical security updates should be applied within 48 hours. Unsupported operating systems (like Windows 10 after October 2025) should be replaced.

Multi-Factor Authentication (MFA) — Require a second form of verification when logging in to important services — email, accounting software, cloud storage, remote access. MFA blocks over 99% of account compromise attacks. If you only do one thing on this list, do this.

Objective 3: Recover Data and Systems

Regular Backups — Back up your critical business data regularly, store backups offline or in a separate cloud environment, and test that you can actually restore from them. Backups are your last line of defence — if everything else fails, you need to be able to recover.
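One way to turn four of these controls into something you can check on a Windows PC today, as an added example that is not CyberSmart360's code or the ASD's: a read-only PowerShell script that reports on Office macro policy, local administrator membership, time since the last Windows update, and whether an application control policy is enforced. It assumes Office 2016 or later (registry branch 16.0), Windows PowerShell 5.1 or later, and a 30-day patch staleness threshold that you should adjust to your own policy; it changes nothing on the machine.

```powershell
# Added read-only posture check for four Essential Eight controls on one endpoint.
# Not CyberSmart360 code. Assumes Office 2016+ (registry branch 16.0) and that the
# caller can read the local Administrators group. Adjust thresholds to your policy.

$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Configure Office macro settings.
#    VBAWarnings 4 = disable all macros without notification (the common way to
#    act on "if you don't need them, block them"); blockcontentexecutionfrominternet
#    1 = block macros in files downloaded from the internet. If the policy key is
#    absent, no policy is being enforced, and the check reports that as a gap.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $v = Get-ItemProperty -Path $key
    if ($v.VBAWarnings -ne 4) {
        $findings += "Macros: $app VBAWarnings is '$($v.VBAWarnings)' (expected 4)"
    }
    if ($v.blockcontentexecutionfrominternet -ne 1) {
        $findings += "Macros: $app does not block internet-sourced macros"
    }
}

# 2. Restrict administrative privileges: list every member of the local
#    Administrators group so day-to-day user accounts stand out for review.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$findings += "Admins: local Administrators group members: $($admins -join ', ')"

# 3. Patch operating systems: days since the last installed update. The 30-day
#    threshold is an assumption; a long gap is a prompt to check Windows Update,
#    not proof that a 48-hour critical patch was missed.
$last = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if ($last -and ((Get-Date) - $last).TotalDays -gt 30) {
    $findings += "Patching: last Windows update installed $($last.ToShortDateString())"
}

# 4. Application control: is a Windows Defender Application Control (WDAC)
#    policy enforced? CodeIntegrityPolicyEnforcementStatus 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.CodeIntegrityPolicyEnforcementStatus -ne 2) {
    $findings += "AppControl: WDAC policy not enforced (status $($dg.CodeIntegrityPolicyEnforcementStatus))"
}

$findings | ForEach-Object { Write-Output $_ }
```

MFA and backups cannot be verified from the endpoint this way; those need to be checked in each cloud service's admin console and by an actual test restore.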

Essential Eight Maturity Levels

The Essential Eight uses a maturity model with four levels (0 to 3). Each level represents an increasing degree of implementation. Every organisation starts somewhere — the goal is to reach at least Maturity Level 1 and build from there.

Level 0, Incomplete: controls not implemented or significantly flawed. Most businesses start here without realising it.

Level 1, Partly Aligned (start here): basic controls in place. The entry point for all organisations. Achievable by any business regardless of size or IT capability.

Level 2, Mostly Aligned: stronger controls with broader coverage. Appropriate for businesses handling sensitive data or pursuing government contracts.

Level 3, Fully Aligned: comprehensive implementation across all controls. Typically required for Defence contracts and critical infrastructure.

Who Needs to Comply?

The Essential Eight is mandatory for all non-corporate Commonwealth entities (Australian Government agencies) under the Protective Security Policy Framework (PSPF). But increasingly, compliance is expected or required for:

Government contractors — If you bid on government tenders, many now require evidence of Essential Eight compliance (typically Maturity Level 1 or 2) as part of the evaluation criteria. Defence contracts are particularly strict.

Cyber insurance applicants — Australian cyber insurers increasingly ask about Essential Eight alignment during the application process. Demonstrating compliance can reduce premiums and improve your chances of being approved for coverage.

Businesses handling sensitive data — Healthcare providers, accountants, lawyers, and financial advisers all handle sensitive client information. Industry associations and regulators are increasingly referencing Essential Eight as the expected standard of care.

Supply chain requirements — Larger organisations are starting to require their suppliers and partners to demonstrate cybersecurity maturity. Essential Eight is the default framework they reference.

Common Misconceptions

“It’s only for big business”

Wrong. The ASD reports show that small businesses are disproportionately targeted. The average cost of a cyber incident for small businesses is $56,600 — and that’s just the direct costs. The Essential Eight was designed to be achievable at Maturity Level 1 by any organisation, regardless of size.

“I need an IT team to comply”

Not at Maturity Level 1. Many of the controls are configuration changes to existing software — turning on auto-updates, enabling MFA, configuring backup schedules. A platform like CyberSmart360 guides you through what needs to happen and flags which tasks you can do yourself versus which need professional help.

“We use cloud software, so we’re already covered”

Cloud services handle some controls (like patching their own servers), but you’re still responsible for MFA configuration, admin privilege management, backup verification, and application control on your own devices. The shared responsibility model means you can’t outsource everything.

“It’s a one-time thing”

No. Cybersecurity is ongoing. Software updates come out weekly, staff change, new devices are added, and threats evolve. The Essential Eight requires continuous compliance — regular assessments, ongoing patching, and periodic reviews of your controls.

How CyberSmart360 Helps

CyberSmart360 translates the Essential Eight into a guided self-assessment that any business owner can complete — no IT security expertise required. Here’s the process:

1. Take the Assessment. Answer guided, plain-language questions about how your business uses technology. 8 domains, under 2 hours.

2. Get AI Analysis. Our AI analyses your answers and produces your compliance score, maturity level, and gap analysis in under 60 seconds.

3. Follow Your Plan. Receive a prioritised 12-month remediation plan with cost estimates, DIY flags, and professional-needed indicators.

4. Track Progress. Reassess as you implement, with unlimited reassessments. Watch your score improve. Generate audit-ready PDF reports anytime.

$49/month or $470/year, 2 users included. Start your free 7-day trial.

Getting Started

If you’re a small business owner reading this and thinking “I should probably do something about this,” you’re right. Here’s the simplest path:

1. Understand where you stand. Take a baseline assessment. CyberSmart360’s guided self-assessment translates every Essential Eight control into plain-language questions for your industry. It takes under two hours.

2. Get your compliance score. Our AI analyses your answers and produces a compliance score across all eight domains within 60 seconds. No waiting for a consultant.

3. Follow the remediation plan. You’ll receive a prioritised 12-month action plan that tells you exactly what to fix, in what order, with cost estimates and clear flags for tasks you can handle yourself versus tasks that need professional help.

4. Track your progress. Reassess as you implement changes. Watch your compliance score improve. Generate audit-ready PDF reports whenever you need them.

Frequently Asked Questions

How long does the assessment take?

Under two hours for most small businesses. The assessment wizard covers eight domains (one per step), with an average of 15–20 questions per domain. Auto-save means you can stop and resume anytime.

Do I need technical knowledge?

No. Every question is translated into plain language with examples relevant to your industry. If you know how your business uses technology — email, accounting software, file storage — you can complete the assessment.

What maturity level should I aim for?

Start with Maturity Level 1. It covers the most critical controls and is achievable for any business. Once you’ve reached ML1, you can work toward ML2 and ML3 as your security posture matures.

How much does it cost?

CyberSmart360 starts at $49/month (or $470/year) with a free 7-day trial — no credit card required. That includes two user seats, unlimited assessments, AI-powered analysis, remediation plans, and audit-ready PDF reports. Additional team members are $15/month each.

Is my data safe?

All data is stored on Australian servers (DigitalOcean Sydney data centre). We use encryption in transit and at rest, row-level security in our database, and follow OWASP secure coding practices throughout the platform.

The Bottom Line

The Essential Eight is Australia’s cybersecurity baseline. Whether you need it for a government tender, cyber insurance, client trust, or simply protecting your business — understanding and implementing these eight controls is no longer optional for any business that uses technology.

You don’t need a $15,000 consultant. You don’t need an IT security team. You need a clear assessment, a plain-language plan, and the tools to track your progress.

Start your free 7-day trial and see where your business stands in under two hours.