What is the Essential Eight?

The Essential Eight is a set of eight baseline security strategies published by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate. It exists because the ACSC noticed something useful: the vast majority of cyber incidents they investigate would have been prevented or contained by the same handful of controls. The Essential Eight is that handful.

It's mandatory for federal government entities and voluntary for everyone else, but "voluntary" is doing less work every year. Larger customers now ask their suppliers about it, and cyber insurance questionnaires are essentially an Essential Eight quiz with a premium attached.

The eight controls in plain English

1. Application control

Only approved programs are allowed to run. Most malware is just a program that shouldn't be running on your machine. Instead of trying to recognise every bad program (antivirus), application control flips the logic: nothing runs unless it's on the approved list. It's the most technically involved of the eight, which is why it's rarely where a small business starts.

2. Patch applications

Update your software promptly. Attackers don't usually break in through cleverness; they walk in through publicly known holes in out-of-date software such as browsers, PDF readers and accounting packages. The control is simply: apply security updates quickly (within 48 hours for actively exploited vulnerabilities), and stop using software the vendor no longer supports.

3. Configure Microsoft Office macro settings

Block the booby-trapped spreadsheet. Macros are small programs embedded in Office documents, and "invoice attached, enable macros to view" has been a favourite attack for a decade. The control: block macros from the internet entirely, and only allow them for the few staff with a genuine business need.
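As an added example (it is not from this page or from the ACSC), here is a PowerShell check of the two Office policy settings this control comes down to: the "block macros from the internet" value and the default macro setting. It assumes Office 2016 or later (policy key version 16.0) and that policy is applied per user under HKCU; the value names are Office's own policy names for these settings. The baseline it enforces is the one described above: internet macros blocked and macros disabled by default, with staff who have a genuine need given a separate policy.

```powershell
# Added example, not the page's own code. Audits and (optionally) sets the Office
# macro policy values for the current user. Assumes Office 16.0 policy keys.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings policy value (Office "Macro Settings" policy).
$VbaMeaning = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable with notification (user can click Enable)'
    3 = 'Disable except digitally signed'
    4 = 'Disable all without notification'
}

function Get-MacroPolicyState {
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $blockInternet = $null
        $vbaWarnings   = $null
        if (Test-Path -Path $path) {
            $props         = Get-ItemProperty -Path $path
            $blockInternet = $props.blockcontentexecutionfrominternet
            $vbaWarnings   = $props.VBAWarnings
        }
        $setting = if ($null -ne $vbaWarnings -and $VbaMeaning.ContainsKey([int]$vbaWarnings)) {
            $VbaMeaning[[int]$vbaWarnings]
        } else {
            'Not set by policy (user can change it)'
        }
        [pscustomobject]@{
            Application          = $app
            BlocksInternetMacros = ($blockInternet -eq 1)
            VBAWarnings          = $vbaWarnings
            MacroSetting         = $setting
            # Baseline for staff without a macro need: internet macros blocked, macros off.
            MeetsBaseline        = ($blockInternet -eq 1) -and ($vbaWarnings -in @(3, 4))
        }
    }
}

function Set-MacroPolicyBaseline {
    # Supports -WhatIf so you can preview the registry writes first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($PSCmdlet.ShouldProcess($path, 'Block internet macros; disable macros by default')) {
            New-Item -Path $path -Force | Out-Null
            Set-ItemProperty -Path $path -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
            # 4 = disable all without notification. Staff with a demonstrated need
            # get a separate policy (typically 3, signed macros only).
            Set-ItemProperty -Path $path -Name VBAWarnings -Value 4 -Type DWord
        }
    }
}

Get-MacroPolicyState | Format-Table -AutoSize
# Set-MacroPolicyBaseline -WhatIf
```

In practice these values are pushed out with Group Policy or Intune rather than a per-user script; the audit function is still useful for spot-checking that the policy actually landed on a given machine, which is the part that tends to go unverified.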

4. User application hardening

Turn off the risky features you don't use. Browsers and Office apps ship with legacy features that attackers love and almost no small business needs, like Internet Explorer 11, ancient plug-in tech and Office child processes. Hardening means switching those off.

5. Restrict administrative privileges

Don't give everyone the master keys. If a staff member clicks a bad link and they're a standard user, the damage is contained to what they can touch. If they're an administrator, the attacker owns the network. Admin rights should be limited to the people who genuinely need them, used through separate admin accounts, and reviewed regularly.
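One way to make "reviewed regularly" concrete is a script that lists who is actually in the local Administrators group and flags anyone not on an approved list. This is an added example, not code from the page; the approved-list entries are placeholders to replace with your own dedicated admin accounts, and it relies on the LocalAccounts cmdlets that ship with Windows PowerShell 5.1 and later.

```powershell
# Added example, not the page's own code. Reports members of the local
# Administrators group and flags any that are not on the approved list.
$ApprovedAdmins = @(
    'CONTOSO\it-admin-jane',   # placeholder: a dedicated admin account, not a daily-use one
    'CONTOSO\Domain Admins'    # placeholder: a group, if your domain delegates that way
)

function Get-LocalAdminReport {
    param([string[]]$Approved = $ApprovedAdmins)
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        # The built-in Administrator account always has RID 500; it is expected
        # in the group, so it is checked separately below rather than flagged here.
        $isBuiltIn = $m.SID.Value -like 'S-1-5-21-*-500'
        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass   # User or Group
            Source      = $m.PrincipalSource
            Approved    = ($Approved -contains $m.Name) -or $isBuiltIn
        }
    }
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unapproved member(s) of Administrators: {1}" -f
        $unexpected.Count, ($unexpected.Name -join ', '))
}

# Common hardening practice: the built-in Administrator account should be disabled,
# with named admin accounts used instead so activity is attributable.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtIn -and $builtIn.Enabled) {
    Write-Warning "Built-in Administrator account '$($builtIn.Name)' is enabled"
}
```

Run it on each workstation (or through your RMM tool) and treat any warning as a ticket: either the account gets a standard-user replacement for daily work, or it is added to the approved list with a reason recorded.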

6. Patch operating systems

Keep Windows (and macOS) updated, and supported. The same logic as patching applications, applied to the operating system itself. This includes not running operating systems past their end of support, when security fixes stop arriving no matter how dangerous the newly found holes are.
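"Someone verifying they actually applied" is the step that usually goes missing, so here is an added PowerShell check (not from the page) that reports how long since the last OS hotfix was installed, whether a reboot is still pending (an update that is installed but not rebooted has not taken effect), and whether the OS edition is past end of support. The 30-day threshold is a placeholder, and the end-of-support dates are this example's understanding of Microsoft's lifecycle for mainstream editions; verify them against Microsoft's lifecycle pages before relying on them.

```powershell
# Added example, not the page's own code. Summarises OS patch state for one machine.
$MaxDaysSinceUpdate = 30   # placeholder threshold; tune to your patch cadence

# End of extended support for mainstream editions, as this example understands them.
# Verify against Microsoft's lifecycle site; LTSC editions have different dates.
$EndOfSupport = @{
    '*Windows 7*'   = [datetime]'2020-01-14'
    '*Windows 8.1*' = [datetime]'2023-01-10'
    '*Server 2008*' = [datetime]'2020-01-14'
    '*Server 2012*' = [datetime]'2023-10-10'
    '*Windows 10*'  = [datetime]'2025-10-14'
}

function Test-PendingReboot {
    # Either key being present means Windows is waiting on a restart to finish servicing.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($k in $keys) { if (Test-Path -Path $k) { return $true } }
    return $false
}

function Get-PatchStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1
    $daysSince = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

    $eos = $null
    foreach ($pattern in $EndOfSupport.Keys) {
        if ($os.Caption -like $pattern) { $eos = $EndOfSupport[$pattern]; break }
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OS              = $os.Caption
        Build           = $os.BuildNumber
        LastHotFix      = $latest.HotFixID
        LastInstalledOn = $latest.InstalledOn
        DaysSinceUpdate = $daysSince
        PatchingStale   = ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSinceUpdate)
        RebootPending   = Test-PendingReboot
        EndOfSupport    = $eos
        Unsupported     = ($null -ne $eos) -and ((Get-Date) -gt $eos)
    }
}

Get-PatchStatus | Format-List
```

The useful part is not the one-off run but collecting this from every machine on a schedule and looking at the outliers: the laptop that has been off for two months, the server nobody dares reboot, and the old box still running an edition that stopped receiving fixes.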

7. Multi-factor authentication (MFA)

A password alone is not enough. MFA adds a second proof of identity, such as an app prompt or hardware key, so a stolen password no longer equals a stolen account. It's the single highest-value, lowest-cost control on this list. If you do exactly one thing after reading this page, turn on MFA for email and remote access.

8. Regular backups

Assume the worst will happen, and rehearse recovering from it. Backups are what turn ransomware from an existential event into a bad week. The control requires backups that are regular, kept separate from your live systems (so an attacker can't encrypt them too), retained appropriately, and, the part everyone skips, tested by actually restoring them. We cover the practical side in our cloud vs local backup guide.
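"Tested by actually restoring them" means more than seeing the restore job finish: the restored files need to match what was backed up. As an added example (not from the page or from any backup product), the PowerShell below hashes every file under a live folder and a restored copy and reports what is missing or different. The paths in the demo are constructed in a temp folder, with one file deliberately altered so the check has something to catch; point it at a scratch restore of real data, never at the live copy as the destination.

```powershell
# Added example, not the page's own code. Verifies a test restore by comparing
# SHA-256 hashes of every file under a source tree and a restored tree.
function Compare-RestoredFiles {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,
        [Parameter(Mandatory)][string]$RestoredRoot
    )
    $manifest = @{}
    foreach ($root in @($SourceRoot, $RestoredRoot)) {
        $base = (Resolve-Path -Path $root).ProviderPath.TrimEnd('\')
        $manifest[$root] = @{}
        Get-ChildItem -Path $base -File -Recurse | ForEach-Object {
            # Key by path relative to the root so the two trees line up.
            $rel = $_.FullName.Substring($base.Length + 1)
            $manifest[$root][$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    $src = $manifest[$SourceRoot]
    $dst = $manifest[$RestoredRoot]
    $missing    = @($src.Keys | Where-Object { -not $dst.ContainsKey($_) })
    $mismatched = @($src.Keys | Where-Object { $dst.ContainsKey($_) -and $dst[$_] -ne $src[$_] })
    $extra      = @($dst.Keys | Where-Object { -not $src.ContainsKey($_) })
    [pscustomobject]@{
        SourceFiles   = $src.Count
        RestoredFiles = $dst.Count
        Missing       = $missing       # in source, absent from restore
        Mismatched    = $mismatched    # present in both, contents differ
        Extra         = $extra         # in restore only (stale files from an older job?)
        Passed        = ($missing.Count -eq 0) -and ($mismatched.Count -eq 0)
    }
}

# Constructed demo data in a temp folder so the check can be run as-is.
$demo = Join-Path $env:TEMP ('restore-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$demo\live\sub" -Force | Out-Null
'ledger 2024'  | Set-Content -Path "$demo\live\ledger.csv"
'meeting notes' | Set-Content -Path "$demo\live\sub\notes.txt"
Copy-Item -Path "$demo\live" -Destination "$demo\restored" -Recurse
# Simulate a bad restore: one file came back with different contents.
'ledger 2024 (truncated)' | Set-Content -Path "$demo\restored\ledger.csv"

Compare-RestoredFiles -SourceRoot "$demo\live" -RestoredRoot "$demo\restored" | Format-List
Remove-Item -Path $demo -Recurse -Force
```

For the demo the result shows `Passed : False` with `ledger.csv` under `Mismatched`. On real data, keep the report with the date of the test; when an insurer or customer asks whether backups are tested, that log is the answer.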

Maturity levels: what 0 to 3 actually means

The ACSC defines four maturity levels for each control, based on the sophistication of the attacker each level is designed to resist:

Level   | What it means in practice
Level 0 | Significant gaps: the control is absent or trivially bypassed.
Level 1 | Resists commodity attacks: automated, opportunistic attacks using widely available tools. The realistic target for most small businesses.
Level 2 | Resists moderately capable attackers willing to invest time in a specific target. Appropriate for businesses holding sensitive data.
Level 3 | Resists adaptive, well-resourced adversaries. Government and critical-infrastructure territory.

Importantly, the ACSC says to implement all eight controls to the same maturity level before climbing higher. A Level 3 firewall next to Level 0 backups is theatre, not security.

Do small businesses have to comply?

Legally, no (unless a contract says otherwise). Practically, three forces are pushing it onto you anyway: customers adding security questions to supplier onboarding, insurers pricing premiums off these exact controls, and the Privacy Act. If you're covered by the Notifiable Data Breaches scheme, demonstrating baseline controls like these is central to showing you took reasonable steps to protect personal information.

Where to start: the practical order of attack

For a typical small business, this sequencing gets the most protection per dollar:

  1. MFA everywhere: email, Microsoft 365, remote access, banking. Days of effort, massive risk reduction.
  2. Backups done properly, separated from live systems and restore-tested.
  3. Patching on autopilot: automatic OS and application updates, with someone verifying they actually applied.
  4. Strip admin rights: standard accounts for daily work, including the boss.
  5. Macro settings and hardening: mostly configuration, mostly invisible to staff.
  6. Application control last: highest effort; tackle it once the rest is stable.

Want the broader picture first? The Essential Eight is the technical core, but people and process matter too. Our small business cyber security checklist covers the full picture, including what to do if an incident happens.