"We're too small to be a target." It's the most common thing Australian small business owners say about cybersecurity, and it's the most dangerous.
The reality is the opposite. Small businesses are targeted precisely because they're less protected. According to the ASD Annual Cyber Threat Report 2024-2025, the ACSC received over 84,000 cybercrime reports in the last year, averaging one every six minutes. Small businesses accounted for the largest share. Ransomware doesn't care how many staff you have.
The "Too Small" Myth
Cyber attacks on small businesses are rarely sophisticated, targeted operations. They're automated. Attackers scan the internet for common vulnerabilities (unpatched software, weak passwords, exposed services) and exploit whatever they find. Your business doesn't need to be interesting; it just needs to be vulnerable.
A plumber in Geelong, a dental practice in Brisbane, a logistics company in Perth: they all hold client data, bank details, and operational systems that would be devastating to lose. The Essential Eight exists to protect exactly these kinds of businesses.
Start with Level 1
Here's the good news: Level 1 of the Essential Eight is designed to stop the most common, opportunistic attacks. It's not about perfect security. It's about getting the basics right. And for most small businesses, the basics go a very long way.
Don't try to tackle all eight strategies at once. Pick one or two, get them right, then move on. Progress beats perfection.
The Three Biggest Quick Wins
1. Turn On MFA Everywhere
Multi-factor authentication is the single most impactful thing you can do. Turn it on for email, cloud services, banking, anything that supports it. Most platforms (Microsoft 365, Google Workspace, Xero, MYOB) offer it for free. It takes 10 minutes to set up. The ACSC identifies compromised credentials as one of the most common ways attackers gain access to Australian networks, and recommends MFA as the number one action all Australians should take.
2. Keep Software Updated
Enable automatic updates on everything you can: operating systems, browsers, business applications. When a security update is available, apply it. Most attacks exploit vulnerabilities that already have patches available. Updating is free and usually takes minutes.
3. Back Up Your Data
Set up regular, automated backups of your critical data. Use the 3-2-1 rule: three copies, on two different types of media, with one stored offsite (or in the cloud). Most importantly, test your backups. A backup you can't restore from is the same as no backup at all.
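To make "test your backups" concrete, here is an added example script (not part of the original article, and not Eito's or the ACSC's tooling). It backs up a folder to a tar archive, records a SHA-256 manifest of every file, restores the archive into a scratch directory and compares checksums, then shows that a damaged archive is reported as a failed restore instead of passing silently. The folder layout, the sample files, and the use of `tar`, `sha256sum` and `diff` as found on a typical Linux system are assumptions for the demo; point `make_backup` at real data and keep the archive on separate media to follow the 3-2-1 rule.

```shell
#!/bin/sh
# Added example (not from the original article): prove a backup restores.
# Assumes GNU-style tar, sha256sum and diff (standard on Linux). All paths
# and sample data below are constructed for the demo.
set -eu

# Print a sorted manifest of "sha256  ./relative/path" for every file under $1.
manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
      done )
}

# make_backup SRC ARCHIVE: archive SRC into ARCHIVE and store a manifest beside it.
make_backup() {
    src="$1"; archive="$2"
    tar -C "$src" -cf "$archive" .
    manifest "$src" > "$archive.sha256"
}

# verify_restore ARCHIVE: extract into a fresh temp dir and compare against the
# stored manifest. Returns 0 when every file matches, 1 otherwise.
verify_restore() {
    archive="$1"
    restore_dir="$(mktemp -d)"
    if ! tar -C "$restore_dir" -xf "$archive"; then
        echo "FAIL: could not extract $archive"
        rm -rf "$restore_dir"
        return 1
    fi
    if manifest "$restore_dir" | diff -q - "$archive.sha256" >/dev/null; then
        echo "OK: restore of $archive matches manifest"
        rm -rf "$restore_dir"
        return 0
    fi
    echo "FAIL: restored files differ from manifest for $archive"
    rm -rf "$restore_dir"
    return 1
}

# Build a small constructed data set (not real business files), back it up,
# and echo the working directory so the caller can clean up.
setup_demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/data/invoices"
    printf 'client,amount\nacme,1200\n' > "$work/data/invoices/2024-q1.csv"
    printf 'site notes\n' > "$work/data/notes.txt"
    make_backup "$work/data" "$work/backup.tar"
    echo "$work"
}

# Happy path: an intact archive restores and matches. Returns 0.
demo_ok() {
    work="$(setup_demo)"
    if verify_restore "$work/backup.tar"; then status=0; else status=1; fi
    rm -rf "$work"
    return $status
}

# Failure mode: a truncated archive (simulating a damaged backup) must be
# caught by the restore test. Returns 1 because verification fails.
demo_corrupt() {
    work="$(setup_demo)"
    head -c 1024 "$work/backup.tar" > "$work/truncated.tar"
    mv "$work/truncated.tar" "$work/backup.tar"
    if verify_restore "$work/backup.tar"; then status=0; else status=1; fi
    rm -rf "$work"
    return $status
}

# Run both scenarios when executed directly.
demo_ok
demo_corrupt || echo "(expected: the damaged archive was caught by the restore test)"
```

The point of the script is the second scenario: a backup job that completes without error can still leave you with an archive that does not restore, and only an actual restore plus a checksum comparison tells you which case you are in. Scheduling `verify_restore` to run after each backup, and alerting on a non-zero exit, turns "we have backups" into "we have backups we have proven we can use".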
What Level 1 Actually Looks Like
For a typical small business (5–20 staff, using cloud-based tools like Microsoft 365 or Google Workspace), Level 1 might look like this:
- MFA enabled on all internet-facing services (email, cloud apps, VPN)
- Automatic updates turned on for operating systems and key applications
- Daily backups of important data, stored separately from your main systems
- Admin accounts separated from daily-use accounts (no browsing the web as admin)
- Macros disabled in Microsoft Office for most users
- Web browsers configured to block ads, unnecessary extensions, and risky content types
- A list of approved software (even an informal one) that staff are expected to use
- Old, unsupported software removed from all devices
None of this requires specialist tools. Most of it can be done in a day or two with your IT provider, or if you're comfortable with technology, you can tackle many of these yourself.
What's Involved
The honest answer: it depends. Many Level 1 controls are free. They're configuration changes, not product purchases. MFA is free on most platforms. Updates are free. Backing up to an external drive costs less than a hundred dollars.
Where costs come in is if you need your IT provider to set things up. Budget a few hours of their time to review your current state and implement changes. Arriving with a clear picture of what needs fixing makes those conversations much more productive.
Running a free self-assessment with Eito before talking to your IT provider means you'll know exactly what gaps need addressing, allowing you to have more focused and productive conversations.
Common Mistakes to Avoid
- Trying to achieve Level 3 when Level 1 isn't complete. Get the foundations right first.
- Enabling MFA but only for some accounts. One unprotected admin account defeats the purpose.
- Having backups but never testing restores. You don't have a backup until you've proven it works.
- Assuming your IT provider has it covered. Ask them specifically about Essential Eight. Get it in writing.
- Doing the assessment once and forgetting about it. Threats change. Reassess every six months.
Your Next Step
Take 5 minutes to run a Quick Check assessment. It covers the 10 most critical controls and gives you a traffic-light view of where you stand: red, amber, or green. From there, you can decide whether to do a full assessment, fix the gaps yourself, or share the results with your IT provider.
The worst thing you can do is nothing. Start small, start today.
