The Essential Eight Explained: A Plain-English Guide for Melbourne Small Businesses

Published 16 June 2026 · Tech Seek

The Essential Eight Explained: A Plain-English Guide for Melbourne Small Businesses

In 2022, a company had its cyber insurance claim refused and its policy torn up after a breach. The reason was simple and brutal. On the application they had said they used multi-factor authentication to protect their systems. When attackers got in through a server that had none, the insurer rescinded the policy from day one. No payout, despite years of premiums.

It is not just an overseas problem or a big-company problem. The Australian Signals Directorate received more than 84,700 cybercrime reports in 2024 to 2025, around one every six minutes, and the average self-reported cost of an incident for a small business climbed to $56,600.

The Essential Eight is the framework designed to stop most of this. You have probably heard the name, maybe from your insurer, a government tender, or a client's security questionnaire, and found a wall of jargon when you looked it up.

This guide cuts through that. What the Essential Eight actually is, what each of the eight controls means in plain English, which ones you can do yourself, what it realistically costs, and where to start.

And one piece of reassurance up front: even government agencies with real budgets find this hard. You are not behind. You just need a sensible path.

Here's what's covered:

What the Essential Eight actually is

The Essential Eight is a set of eight cyber security controls created by the Australian Signals Directorate, the federal agency responsible for cyber security. It protects internet-connected business systems against the most common attacks, and it is the baseline the Australian government recommends.

Here is something most explanations skip. The Essential Eight is not the whole picture. It is the eight most effective controls pulled from a much longer ASD list called the Strategies to Mitigate Cyber Security Incidents. Think of it as the greatest hits: the handful of measures that stop the most attacks for the least effort.

The eight controls do three jobs. Some stop attacks getting in (application control, patching, macro settings, application hardening, restricting admin rights). One limits the damage if an attacker does get in (multi-factor authentication). And one gets you back on your feet afterwards (regular backups).

It was built with Microsoft Windows business networks in mind. ASD is open that it was not specifically designed for cloud services or mobile-heavy setups, though the principles still apply, and we'll cover where the gaps are later.

The point of the whole thing is simple: do these eight things well, and you stop the large majority of attacks that actually hit Australian businesses.

The maturity levels, and the rule most people miss

The Essential Eight is not pass or fail. It works on maturity levels, which describe how thoroughly you have put each control in place.

The four maturity levels

There are four levels, zero through three.

Maturity Level 0 means there are real gaps in your setup. Most small businesses that have never looked at this start here, and that is normal, not shameful.

Maturity Level 1 protects you against opportunistic attackers using common, off-the-shelf tools. This is the realistic first target for most small businesses, and it stops a huge share of everyday attacks.

Maturity Level 2 protects against more determined attackers who put real effort into getting in, including trying to slip past weaker security. This is increasingly the practical baseline if you handle sensitive data, want government work, or want clean cyber insurance.

Maturity Level 3 protects against skilled, adaptive attackers. It is demanding, and outside government and defence contexts most businesses do not need it.

The catch that trips businesses up

Here is the rule almost everyone misses. Your overall maturity level is your lowest score across all eight controls, not your average.

You could be doing seven of the eight controls brilliantly at Level 2, but if the eighth is sitting at Level 0, your overall maturity is Level 0. ASD wants you to reach the same level across all eight before you push any of them higher.

This matters because it changes how you plan. There is no point gold-plating one control while another is wide open. You lift all eight together, evenly, which is exactly how the roadmap later in this guide is built.

The eight controls in plain English (and what you can do yourself)

Here is what each control actually means, why it matters, and whether it is something you can handle in-house or worth getting help with. We have ordered them by what gives a small business the most protection for the least pain, rather than ASD's official order.

1. Multi-factor authentication

Multi-factor authentication (MFA) means logging in needs more than a password: a code from an app, a tap on your phone, or a security key. Even if someone steals your password, they cannot get in without that second factor.

This is the single highest-value thing on the list. Microsoft has said an account using MFA is more than 99.9% less likely to be compromised. It is also the control most often missing when cyber insurance claims get denied, so it is the first thing to fix.

The common mistake is putting MFA on email only and stopping there. It needs to be on everything: email, your accounting system, remote access, all of it. Switching it on is straightforward; doing it properly across every system and making sure nobody can quietly turn it off is where a managed setup helps.

2. Regular backups

Backups are copies of your data you can restore from if the worst happens. They are your last line of defence against ransomware, because if your data is encrypted but you have a clean backup, you can recover without paying anyone.

The catch is that a backup only counts if it actually works. The two ways businesses get caught are backups that were never test-restored (so nobody noticed they had silently failed), and backups an attacker can reach and delete along with everything else.

A good setup means daily backups, kept off-site and disconnected, and actually tested. This is the kind of thing worth having managed, and we go deeper on it in our guide to IT disaster recovery .

3. Patch your applications

Patching means keeping your software updated. The programs attackers target most are the everyday ones: browsers, Office, PDF readers, and security software.

When a serious flaw is found, the clock starts. ASD's standard is to patch critical vulnerabilities within 48 hours, and other internet-facing applications within two weeks. That is hard to keep up with manually across a whole team.

You can do some of this yourself, but doing it consistently, on time, across every device is where it usually falls down. This is one of the controls Tech Seek handles as managed patching so it does not depend on someone remembering.

4. Patch your operating systems

Same idea as patching applications, applied to Windows itself and any servers you run. Known operating-system flaws are widely shared among attackers, so an unpatched or out-of-date system is a soft target.

The big one here is running software past its end of life, when it stops getting security updates entirely. If you are still on an unsupported version of Windows, that is an open door no other control fully closes.

Like application patching, this is best managed and automated rather than left to chance.

5. Restrict admin privileges

Admin accounts can install software, change settings, and reach everything. The more people who have that power, and the more those accounts are used for everyday work, the more damage a single compromised login can do.

Restricting admin privileges means only the people who genuinely need admin access have it, those accounts are kept separate and not used for email or browsing, and access is reviewed regularly.

The common mistake is everyone running as an administrator because it is convenient. It is convenient for attackers too. This one needs a bit of discipline and is worth setting up with help.

6. Configure Microsoft Office macro settings

Macros are little automated scripts inside Office files. They are useful, but they are also a classic way attackers deliver malware: you open a dodgy attachment, the macro runs, and you are infected.

The control is to block macros from the internet by default, only allow vetted ones where they are genuinely needed, and stop staff from changing the setting themselves.

This can be set centrally through Microsoft 365, which Tech Seek manages, rather than left to each person's machine.

7. User application hardening

Hardening means turning off risky features you do not need, so there is less for an attacker to exploit. Old technologies like Flash and Java, web ads, and certain browser features are common weak points.

The principle is simple: every feature you are not using is a door you can close. Fewer open doors, smaller attack surface.

This is more technical and leans towards getting help, since it means knowing which features are safe to disable without breaking the things your team actually relies on.

8. Application control

Application control means only approved, trusted software is allowed to run on your systems, and everything else is blocked by default. Picture a bouncer with a guest list: if a program is not on the list, it does not run, even if a staff member accidentally downloads it.

It is the most effective control against malware, and also the hardest to do. It takes real setup, ongoing maintenance, and constant updating as legitimate software changes, which is why it is usually the last control a business tackles.

Being straight with you: application control is specialist work, and it is not something Tech Seek provides. The good news is that the other seven controls done well, plus solid endpoint protection like Bitdefender, cover the large majority of real-world risk for a small business. Application control is a higher-maturity step we can point you towards when you are ready, not where you start.

Where are you now? A five-minute self-check

Before you can plan, you need a rough sense of where you stand. Run through these honestly. A "no" or "not sure" is a gap to close.

  • Is multi-factor authentication switched on for every staff member, across every important system, not just email?
  • Are your backups running daily, kept off-site or disconnected, and have you actually tested a restore in the last few months?
  • Is your software, including Windows, set to update promptly and consistently across every device?
  • Are you still running any software that is past its end of life and no longer getting security updates?
  • Do only a couple of people have admin access, and are those admin accounts kept separate from everyday email and browsing?
  • Are Office macros blocked by default, with staff unable to change the setting?
  • Has anyone deliberately turned off risky features and old plugins your team does not need?

If you answered "yes" confidently to most of these, you are in good shape and probably sitting around Maturity Level 1 or beyond. If a few made you wince, you have found your starting points, and you are in the same boat as most small businesses.

What it actually costs, and how long it takes

This is the question every guide dodges, so here is an honest answer. There is no fixed price, because it depends entirely on where you are starting and how your systems are set up.

ASD does not publish a cost. Some controls cost almost nothing to put in place: switching on MFA and configuring macro settings is mostly a matter of configuration, not new spend. Others, like proper backups, endpoint protection, and the tooling behind patching, carry a real but modest ongoing cost.

For a sense of scale, some Australian providers put the work to reach the entry maturity level for a 20-to-50-person business in the range of roughly $10,000 to $25,000, with a timeframe of around three to six months to reach a solid Level 2. Treat those as illustrative rather than a quote, because the honest number depends on your environment.

The better way to think about it is against the alternative: an average small-business incident now costs around $56,600, before you count the downtime and the lost trust.

The only way to get a real figure is to look at your actual setup. A discovery session is a no-obligation way to find out where you sit and what closing the gaps would involve.

Why your cyber insurer cares (and the claims that got denied)

If you have renewed a cyber insurance policy lately, you will have noticed the questionnaire got longer and more pointed. Insurers now want to know exactly which of these controls you have, and they are checking.

Two real cases show why this matters. In one, an insurer rescinded a company's policy entirely after a breach, because the business had stated on its application that it used multi-factor authentication for admin access when it did not. The attacker got in through a server with no MFA, and the policy was voided from the start.

In another, the City of Hamilton in Canada was hit by ransomware and found its insurer would not cover losses where the absence of multi-factor authentication was the root cause. The bill ran to over $18 million.

The pattern is clear. Insurers increasingly treat controls like MFA, tested backups, and endpoint protection as conditions of cover, not nice-to-haves. If you say you have them and you do not, or you simply never put them in, a claim can be reduced or denied at the worst possible moment.

Aligning with the Essential Eight is one of the cleanest ways to satisfy what insurers now ask for, and to keep your renewal smooth and your premium sensible.

What the Essential Eight does not cover

Most pages selling Essential Eight services will not tell you this, but you should know it. The Essential Eight is a strong technical baseline, not a complete security strategy.

It does not cover governance: who is responsible for security, your policies, and how decisions get made. It says little about your people, where most breaches actually start, so staff awareness training sits alongside it rather than inside it.

It does not address third-party and supply-chain risk, the danger that comes through your vendors and the software you rely on. It does not deal with data governance: what you collect, where it lives, and how long you keep it. And because it was built for traditional Windows networks, it does not fully cover modern cloud and Microsoft 365 setups, which need their own attention.

None of this makes the Essential Eight less worth doing. It makes it the foundation, not the whole house. A complete approach pairs the Essential Eight with proper cyber security , staff training, and sensible policies. Anyone telling you the Essential Eight alone makes you bulletproof is overselling it.

A realistic roadmap: your first 90 days and beyond

You do not do all eight at once. Here is a sensible order that follows the "lift everything together, basics first" principle.

Your first 90 days: the high-impact basics. Get multi-factor authentication onto every system. Get backups running daily, off-site, and test a restore. Get patching under control for both applications and operating systems, and retire anything past its end of life. These three jobs alone stop the large majority of real attacks, and they are the controls insurers care about most.

The next few months: tighten access and configuration. Restrict admin privileges down to the few who need them, and keep those accounts separate. Lock down Office macros centrally. Begin user application hardening, turning off the risky features you do not use.

Beyond that: maturity and the hard control. Once the first seven are solid and even, you can look at lifting your maturity level and, if your risk warrants it, tackling application control with specialist help. By then you will already have closed most of your real exposure.

The mistake to avoid is trying to be perfect on one control while others sit untouched. Even progress across all eight beats gold-plating one.

If working through that on your own feels like a lot on top of running a business, that is exactly what a discovery session is for. We will look at where you stand and map the practical next steps.

Start with what matters

The Essential Eight can look overwhelming from the outside, all maturity levels and compliance language. Strip it back and it is eight sensible things, most of which a good IT setup should be doing anyway.

If you do nothing else, start with the three that matter most: multi-factor authentication everywhere, backups that are tested and out of reach, and patching that actually keeps up. Those alone put you ahead of most small businesses and satisfy most of what insurers and clients ask for. The rest you build from there, evenly, over time.

You do not have to work it out alone. Tech Seek is a Melbourne MSP with in-house technicians who help local businesses put these controls in place, MFA, managed patching, tested backups, endpoint protection, and the rest, without the jargon or the lock-in contracts. The discovery session is a straightforward place to find out where you stand and what your sensible next step is.

Frequently Asked Questions

Is the Essential Eight mandatory for small business?

No. The Essential Eight is only legally mandatory for non-corporate Commonwealth government entities. For private businesses it is voluntary.

In practice, though, it is increasingly required in all but name. Cyber insurers, government tenders, and larger clients doing due diligence now expect Essential Eight-aligned controls, so for many small businesses it has become a commercial necessity even though no law forces it.

What maturity level should a small business aim for?

Maturity Level 1 is the realistic starting target and stops a large share of everyday attacks. Maturity Level 2 is increasingly the practical baseline if you handle sensitive data, want government work, or want the smoothest cyber insurance.

Maturity Level 3 is demanding and aimed at high-risk and government environments. Most small businesses do not need it.

How long does it take to implement?

Reaching Maturity Level 1 typically takes a few weeks to a couple of months, depending on your starting point. Reaching a solid Level 2 for a small business is more often a three-to-six-month project.

The honest answer depends on how much is already in place. A business already using MFA and decent backups is much closer than one starting from scratch.

How much does it cost?

There is no fixed price. Some controls cost almost nothing beyond configuration time, while others carry a modest ongoing cost for tooling and management. As an illustration, some Australian providers put entry-level implementation for a 20-to-50-person business in the rough range of $10,000 to $25,000, but your real number depends on your setup.

The way to get an accurate figure is an assessment of your actual environment, not a generic quote.

Do I need all eight, or can I start with some?

The Essential Eight is designed to work as a package, and your overall maturity is set by your weakest control, so the goal is all eight. But you do not implement them all at once.

Start with multi-factor authentication, backups, and patching. They give you the most protection for the least effort, and they are the controls insurers care about most.

Does the Essential Eight cover cloud and Microsoft 365?

Not completely. It was designed for traditional Windows business networks, and ASD is upfront that it was not built specifically for cloud services. Many of the controls map well onto Microsoft 365, but cloud and SaaS setups have their own security needs that sit outside the Essential Eight.

If your business runs largely in the cloud, treat the Essential Eight as the foundation and add cloud-specific security on top.

How does it relate to ISO 27001 and SMB1001?

The Essential Eight is a set of technical controls. ISO 27001 is a broader, certifiable governance standard for managing security across an organisation. SMB1001 is an Australian, small-business-focused standard that, unlike the Essential Eight, you can actually be certified against.

They overlap and complement each other. The Essential Eight is often the technical core inside a wider standard like ISO 27001 or SMB1001.

Is the Essential Eight enough on its own?

No, and anyone who says otherwise is overselling it. The Essential Eight is a strong technical baseline, but it does not cover governance, the depth of staff training, supply-chain risk, data governance, or the full picture of cloud security.

Think of it as the foundation. A complete approach pairs it with training, sensible policies, and cloud-specific protection.

Is there an Essential Eight certification?

No official certification exists. You can self-assess, or have a third party assess you against ASD's maturity model, but there is no government "Essential Eight certified" stamp.

If you specifically need a certification to show clients or tenders, SMB1001 is the Australian standard that offers one, and it incorporates Essential Eight-style controls.

What changed in the November 2023 update?

The most recent significant update, still current, tightened several controls. It introduced phishing-resistant multi-factor authentication at higher maturity levels, set a 48-hour deadline for patching critical vulnerabilities, and adjusted some logging and application-control requirements.

The practical takeaway is that the bar moved up, particularly on MFA and patching speed, which is part of why even government agencies have found the higher levels harder to reach.

Will the Essential Eight help my cyber insurance?

Yes. Insurer questionnaires now map closely to Essential Eight controls, especially MFA, tested backups, and endpoint protection. Having these in place tends to mean easier renewals, better terms, and far less risk of a claim being reduced or denied.

The reverse is also true: missing controls like MFA are a leading reason claims get knocked back.

Does it stop ransomware and phishing?

It substantially reduces both, but nothing is a guarantee. Backups and application control blunt ransomware, while macro settings, patching, and MFA cut off common phishing and malware routes.

The gap the Essential Eight does not close is human: a convincing phishing email still relies on someone clicking. That is why staff awareness training belongs alongside the technical controls.

Need a hand with this in your business? Tech Seek provides local, in-house IT support for Melbourne small businesses since 2006.

Talk to our team

Stop IT Problems From Disrupting Your Business

Book a free IT risk review and see how responsive local support keeps your team productive.

Call Us Book Free Review