If you run a business in Australia, you've probably heard the term "cybersecurity" thrown around a lot. You might even have a vague sense that you should be doing more about it. But where do you actually start?
The answer, for most Australian organisations, is the Essential Eight: a set of eight baseline cybersecurity strategies recommended by the Australian Cyber Security Centre (ACSC). Think of it as the minimum standard for protecting your business against the most common cyber threats.
Where It Comes From
The ACSC (part of the Australian Signals Directorate) maintains a list of 37 strategies to mitigate cyber security incidents. The Essential Eight are the top eight from that list. They're the strategies that, when implemented properly, provide the strongest baseline defence against the threats that affect Australian organisations every day.
Originally, the framework was mandatory only for Australian Government agencies. But it has since become the de facto standard for businesses of all sizes, especially as insurers, contracts, and supply chain partners now routinely ask: "What maturity level are you at?"
The Eight Strategies
Each strategy addresses a specific type of risk. Here's what they are in plain English:
1. Application Control
Only approved software can run on your systems. This stops malware, ransomware, and unauthorised programs from executing, even if someone accidentally downloads them.
2. Patch Applications
Keep your software up to date. When vendors release security patches (fixes for known vulnerabilities), apply them quickly, ideally within 48 hours for critical issues. Outdated software is one of the easiest ways attackers get in.
3. Patch Operating Systems
Same idea, but for your operating systems: Windows, macOS, Linux. Keeping these updated closes the security holes that attackers actively scan for.
4. Restrict Administrative Privileges
Not everyone needs admin access. The fewer people who can install software, change settings, or access everything, the smaller the damage if an account is compromised. This is about the principle of least privilege: giving people only the access they need to do their job.
5. Multi-Factor Authentication (MFA)
Passwords alone aren't enough. MFA adds a second verification step (like a code from your phone or a fingerprint) to prove you are who you say you are. It stops the vast majority of credential-based attacks.
6. Regular Backups
Back up your important data regularly, store backups securely, and test that you can actually restore from them. If ransomware hits or a system fails, backups are your safety net. Without them, you're starting from zero.
7. Microsoft Office Macro Settings
Macros are small programs that run inside Office documents (Word, Excel). Attackers love them because they can hide malicious code in seemingly innocent spreadsheets. Restricting which macros can run significantly reduces this risk.
8. User Application Hardening
Configure your everyday applications (web browsers, PDF readers, Microsoft Office) to block risky features like unnecessary browser extensions, JavaScript in PDFs, and web ads. These features are common attack vectors that most users never need.
Maturity Levels: What Are They?
Each strategy has three maturity levels: Level 1, Level 2, and Level 3. They're cumulative, meaning Level 2 includes everything from Level 1 plus additional requirements, and Level 3 includes everything from both.
- Level 1 is the baseline. It protects against common, opportunistic attacks, the kind that hit thousands of businesses every day. This is where most SMBs should start.
- Level 2 adds protection against more capable adversaries who are specifically targeting your organisation. Typically relevant for businesses handling sensitive data.
- Level 3 is the highest level, designed to protect against sophisticated, state-sponsored threats. Mainly relevant for government, defence contractors, and critical infrastructure.
If you're a small business, Level 1 across all eight strategies is your goal. Don't let anyone tell you that you need Level 3. For most SMBs, it's unnecessary and unrealistic.
Who Needs to Care?
Technically, the Essential Eight is mandatory for Australian Government entities. But in practice, it's becoming the benchmark for everyone. Cyber insurers are asking about it on application forms. Large organisations are requiring it from suppliers. Defence contracts increasingly require Level 2 or higher through the DISP (Defence Industry Security Program).
And beyond compliance, it's just good practice. The ACSC's Annual Cyber Threat Report consistently shows that small businesses are a primary target, not because they have the most valuable data, but because they're the easiest to attack.
How to Get Started
The first step is understanding where you stand. A self-assessment (like the free one offered by Eito) walks you through each strategy and maturity level, asking plain-English questions about what you have in place. You'll get a clear picture of your gaps and a prioritised list of what to fix first.
From there, you can work through the gaps yourself, share the results with your IT provider, or engage a professional assessor for a formal evaluation. The important thing is to start.
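To make the cumulative maturity model and the "prioritised list of gaps" concrete, here is an added example (not Eito's assessment tool, nor anything published by the ACSC) that scores a constructed self-assessment. It assumes, as described above, that a strategy's maturity level is cumulative (Level 2 counts only if Level 1 is also met) and that an organisation's overall level is the lowest level achieved across all eight strategies; the yes/no answers in SAMPLE_ANSWERS are made up for illustration.

```python
"""Scoring an Essential Eight self-assessment (constructed example)."""
from dataclasses import dataclass

# The eight strategies, in the order the article lists them.
STRATEGIES = (
    "Application Control",
    "Patch Applications",
    "Patch Operating Systems",
    "Restrict Administrative Privileges",
    "Multi-Factor Authentication",
    "Regular Backups",
    "Microsoft Office Macro Settings",
    "User Application Hardening",
)

MAX_LEVEL = 3


@dataclass(frozen=True)
class StrategyResult:
    name: str
    achieved: int  # cumulative maturity level actually achieved (0..3)
    target: int    # level the organisation is aiming for


def achieved_level(checks: dict[int, bool]) -> int:
    """Highest N such that the checks for every level 1..N pass.

    Levels are cumulative: passing the Level 2 checks while failing
    Level 1 still leaves the strategy at Level 0.
    """
    level = 0
    for n in range(1, MAX_LEVEL + 1):
        if not checks.get(n, False):
            break
        level = n
    return level


def assess(answers: dict[str, dict[int, bool]],
           target: int = 1) -> tuple[int, list[StrategyResult]]:
    """Return (overall level, prioritised gap list) for a set of answers.

    Overall level is assumed to be the lowest level across all eight
    strategies. Gaps are strategies below the target, worst first, with
    ties broken by the article's ordering of the strategies.
    """
    if not 1 <= target <= MAX_LEVEL:
        raise ValueError("target must be between 1 and 3")
    missing = [s for s in STRATEGIES if s not in answers]
    if missing:
        raise ValueError(f"no answers for: {missing}")
    results = [StrategyResult(s, achieved_level(answers[s]), target)
               for s in STRATEGIES]
    overall = min(r.achieved for r in results)
    gaps = sorted((r for r in results if r.achieved < target),
                  key=lambda r: (r.achieved, STRATEGIES.index(r.name)))
    return overall, gaps


# Constructed answers for a hypothetical small business: True means the
# checks for that maturity level are all in place.
SAMPLE_ANSWERS = {
    "Application Control": {1: False, 2: False, 3: False},
    "Patch Applications": {1: True, 2: True, 3: False},
    "Patch Operating Systems": {1: True, 2: False, 3: False},
    "Restrict Administrative Privileges": {1: True, 2: False, 3: False},
    "Multi-Factor Authentication": {1: True, 2: True, 3: True},
    # Level 2 backup controls exist but restores are never tested (Level 1),
    # so the strategy scores Level 0 under the cumulative rule.
    "Regular Backups": {1: False, 2: True, 3: False},
    "Microsoft Office Macro Settings": {1: True, 2: False},
    "User Application Hardening": {1: True, 2: False},
}


if __name__ == "__main__":
    overall, gaps = assess(SAMPLE_ANSWERS, target=1)
    print(f"Overall maturity: Level {overall}")
    for g in gaps:
        print(f"  fix first: {g.name} (at Level {g.achieved}, target {g.target})")
```

Run as-is, the report shows the business at overall Level 0 even though six strategies are at Level 1 or better, with Application Control and Regular Backups at the top of the gap list; raising the target to 2 adds the four strategies stuck at Level 1. The point of computing the overall figure as the minimum is that a single neglected strategy (here, untested backups) drags the whole organisation down to the level an insurer or supplier questionnaire will actually see.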
The Essential Eight isn't a one-time exercise. Cyber threats evolve, and your security posture should too. Plan to reassess at least every six months.
