Essential Eight for small business
What the ACSC Essential Eight maturity model means in practice — and a realistic path for Melbourne SMEs.
What the Essential Eight is
The Australian Cyber Security Centre’s Essential Eight is a prioritised list of eight mitigation strategies: patch applications, patch operating systems, restrict administrative privileges, configure Microsoft Office macro settings, application control, user application hardening, multi-factor authentication, and daily backups. Maturity levels (zero to three) rate how completely and consistently you apply each one.
Start where attackers start
For most small businesses, the highest return is patching, MFA on every account, restricted admin, and tested backups. Email authentication (SPF, DKIM, DMARC) and modern antivirus or EDR close the next biggest gaps. You do not need maturity level three everywhere on day one.
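Email authentication is the one item in that list you can check from the outside in minutes. The script below is an added example, not a tool from the original guide: it reads SPF and DMARC TXT records and reports the gaps that matter (no record, a permissive `+all`/`?all`, a monitoring-only `p=none`, no aggregate-report address, too many DNS lookups). The domains and records in `SAMPLE_TXT` are constructed sample data; for a real domain you would fill the same dictionary from DNS lookups (for example with dnspython) and run `assess_all` on it.

```python
"""Assess SPF and DMARC posture from DNS TXT records (added example, offline)."""

# Constructed sample data: DNS name -> list of TXT records found at that name.
# "good.example" is well configured, "weak.example" is monitoring-only,
# "none.example" publishes nothing at all. These are not real domains.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:spf.protection.outlook.com ~all",
                     "some-site-verification=abc123"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "none.example": [],
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SEVERITY_ORDER = {"ok": 0, "low": 1, "medium": 2, "high": 3}


def spf_all_qualifier(spf):
    """Return the qualifier of the 'all' mechanism ('+', '-', '~', '?'),
    or None if the record has no 'all' term. A bare 'all' means '+all'."""
    for term in spf.split()[1:]:
        qualifier, name = term[0], term[1:]
        if qualifier not in "+-~?":
            qualifier, name = "+", term
        if name.lower() == "all":
            return qualifier
    return None


def spf_lookup_count(spf):
    """Count the terms in an SPF record that trigger a DNS lookup."""
    count = 0
    for term in spf.split()[1:]:
        # Strip the qualifier, then take the mechanism name before ':' '/' or '='.
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt):
    """Return a list of (severity, message) findings for one domain."""
    findings = []

    spf_records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append(("high", "no SPF record: any host can claim to send as this domain"))
    elif len(spf_records) > 1:
        findings.append(("high", "multiple SPF records: receivers treat this as a permanent error"))
    else:
        spf = spf_records[0]
        qualifier = spf_all_qualifier(spf)
        if qualifier is None:
            findings.append(("medium", "SPF has no 'all' term; unlisted senders are neither passed nor failed"))
        elif qualifier in ("+", "?"):
            findings.append(("high", f"SPF ends in '{qualifier}all', which permits any sender"))
        elif qualifier == "~":
            findings.append(("low", "SPF softfail (~all) is acceptable; -all is stricter"))
        if spf_lookup_count(spf) > 10:
            findings.append(("high", "SPF exceeds the 10 DNS lookup limit and will evaluate as permerror"))

    dmarc_records = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc_records:
        findings.append(("high", "no DMARC record: receivers cannot be told to reject spoofed mail"))
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append(("medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
        elif policy not in ("quarantine", "reject"):
            findings.append(("high", f"DMARC policy '{policy}' is missing or invalid"))
        if "rua" not in tags:
            findings.append(("low", "no rua= address: you will receive no aggregate reports"))
        if tags.get("pct", "100") != "100":
            findings.append(("low", f"DMARC pct={tags['pct']}: policy applies to only part of the mail"))

    return findings


def posture(findings):
    """Collapse a findings list to its worst severity ('ok' when empty)."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default="ok")


def assess_all(txt):
    """Assess every sending domain in the record set (names not under _dmarc.)."""
    return {d: assess_domain(d, txt) for d in txt if not d.startswith("_dmarc.")}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_TXT).items():
        print(f"{domain}: {posture(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

DKIM is deliberately left out: its selector names are not discoverable from DNS alone, so check it from the headers of a message you actually sent. The posture rating is ordered so that a single `high` finding (no SPF, no DMARC, a `+all`) outranks any number of `low` ones, which is the order in which you would fix them.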
Microsoft 365 mapping
Conditional access, enforced MFA, disabling legacy authentication (older protocols such as basic auth cannot prompt for a second factor, so leaving them on bypasses MFA), and Defender policies cover large parts of the identity and hardening controls. Document approved apps and admin roles. Pair cloud settings with device compliance via Intune or an equivalent MDM.
Realistic roadmap
Quarter one: MFA, backups with restore test, and patch cadence. Quarter two: admin separation, macro policies, and email filtering. Quarter three: application control where feasible and independent security review. Track progress in plain language leadership can follow.