In brief
- The Essential Eight is a set of eight practical controls from the Australian Signals Directorate that blunt the most common cyber attacks.
- It is measured in maturity levels from zero to three. It is a ladder to climb, not a pass or fail.
- Maturity level one is a realistic first target for most small and medium businesses.
- The controls work as a set. Raising all eight a little does more than perfecting one.
- You do not need a consultant’s report to begin. You need an honest baseline and a short list of fixes.
- Most businesses already have several controls partly in place through Microsoft 365 and the tools they own.
What is Essential Eight?
The Essential Eight is a set of eight mitigation strategies published and maintained by the Australian Signals Directorate through the Australian Cyber Security Centre. It was designed for Windows-based networks, which is what most Australian businesses run, and it targets the attacks that cause the most damage in practice: phishing, ransomware, stolen credentials and unpatched software.
It is a baseline the ASD recommends for every organisation. It is mandatory for non-corporate Commonwealth entities, and it is increasingly expected further down the chain: larger clients ask about it in tenders, and cyber insurers ask about it on renewal. It is not a certification, and there is no badge at the end. It is a way to measure and improve how hard your business is to attack.
The eight controls
| Control | What it does | Everyday example |
|---|---|---|
| Application control | Only approved programs can run | Blocks a malicious attachment from executing |
| Patch applications | Keeps apps up to date | Closes known holes in browsers and PDF readers |
| Configure Microsoft Office macro settings | Limits macros in Office files | Stops a booby-trapped spreadsheet |
| User application hardening | Turns off risky features | Disables the web plugins and ad paths that carry malware |
| Restrict administrative privileges | Limits who has admin rights | A compromised standard account cannot reconfigure the network |
| Patch operating systems | Keeps Windows current | Closes the holes worms spread through |
| Multi-factor authentication | Adds a second proof of identity | A stolen password alone will not get in |
| Regular backups | Keeps recoverable copies | You can restore after ransomware instead of paying |
Maturity is a ladder, not a badge
Each control is assessed against four maturity levels, from zero to three. The levels are tuned to how capable an attacker is, not to how much software you have bought.
| Level | Roughly mitigates |
|---|---|
| Level 0 | Clear weaknesses an opportunist can exploit |
| Level 1 | Commodity attacks using widely available tools and stolen passwords |
| Level 2 | Attackers willing to invest more time and better tradecraft |
| Level 3 | Adaptive, well-resourced attackers who adjust to your defences |
For most small and medium businesses, maturity level one across all eight controls is the right first goal. It turns away the opportunistic attacks that make up the bulk of real incidents. Level two suits businesses that hold sensitive data or are contractually required to go further. Level three is for high-value targets, and it is demanding to sustain.
The point is not a perfect score on one control. It is steady, even progress across all eight.
Where should your business start?
You can make real progress before anyone writes a report. Start by baselining honestly: for each of the eight, are you at level zero, one, two or three today? Then fix in this order, because it returns the most safety for the least effort:
- Turn on multi-factor authentication everywhere it is available, starting with email and remote access.
- Get patching under control for both applications and operating systems, ideally automatically.
- Check your backups actually restore, and keep at least one copy offline or otherwise out of reach.
- Remove standing administrative rights from day-to-day accounts.
What are the benefits of uplifting maturity?
A business that starts at level zero can usually reach a workable level one across most controls within a quarter. Multi-factor authentication is on, patching runs on a schedule, backups are tested, and admin rights are held by a few named people rather than everyone. None of that is glamorous, and all of it measurably reduces the chance of a bad day.
Getting there
The Essential Eight rewards consistency over spend. The businesses that do well treat it as an ongoing routine: assess, fix the weakest control, reassess, repeat. That is exactly the kind of steady work that is easy to deprioritise and expensive to skip.
Sybre can help Australian businesses baseline against the Essential Eight, close the gaps in a sensible order, and keep the controls healthy as the business changes. Contact us for an honest read on where you sit today, or see how we approach cybersecurity.
Frequently asked questions
Is the Essential Eight mandatory for our business?
It is mandatory for non-corporate Commonwealth entities. For everyone else it is strongly recommended rather than required, though larger clients and cyber insurers increasingly expect it.
What maturity level should we aim for?
Maturity level one across all eight controls is the right first target for most small and medium businesses. Aim for level two if you hold sensitive data or a contract requires it.
How long does it take to reach maturity level one?
A business starting from a low base can usually reach a workable level one within a quarter, depending on the state of its patching, backups and identity setup.
Do we need expensive tools to comply?
Much of level one is configuration of tools you already own, such as Microsoft 365 and Windows. Application control is the main strategy that typically needs dedicated tooling.
Does the Essential Eight replace cyber insurance?
No. It reduces the chance and impact of an incident, which complements insurance. Many insurers now ask about Essential Eight controls when you renew.
