Essential Eight Practical Guide for Melbourne Businesses

A practical guide to implementing the ACSC Essential Eight for Melbourne businesses with 10-200 staff. Strategy-by-strategy breakdown with priorities and common pitfalls.

What is the Essential Eight and why does it matter?

The Essential Eight is a set of eight mitigation strategies developed by the Australian Cyber Security Centre (ACSC) — part of the Australian Signals Directorate. These strategies were selected because they address the most common methods attackers use to compromise Australian organisations.

For Melbourne businesses with 10 to 200 staff, the Essential Eight provides a practical, structured security framework. Unlike enterprise security frameworks that require dedicated teams and significant budgets, the Essential Eight can be implemented incrementally by businesses of any size.

The strategies are:

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

Each strategy targets a specific phase of a cyberattack. Together, they create a layered defence that makes it significantly harder for attackers to compromise your organisation.

What are the Essential Eight maturity levels?

The ACSC defines four maturity levels for each strategy:

Maturity Level Zero — The strategy is not implemented or only partially implemented with significant gaps. Most Australian SMBs start here.

Maturity Level One — The strategy is partly aligned with the intent. Basic controls are in place but may not cover all scenarios. This is the recommended starting point for most businesses.

Maturity Level Two — The strategy is mostly aligned. Controls are comprehensive and cover the majority of attack scenarios. This is the target for businesses handling sensitive data or facing regulatory requirements.

Maturity Level Three — The strategy is fully aligned with ACSC recommendations. Controls are comprehensive, tested, and maintained. This level is typically required for government entities and high-security environments.

For most Melbourne SMBs, achieving Maturity Level One across all eight strategies is a realistic and impactful goal. From there, progressing to Level Two on high-priority strategies provides additional protection.

How do you implement each Essential Eight strategy?

Strategy 1: What is application control and how do you implement it?

Application control restricts which software can execute on your systems. Only approved applications are allowed to run — everything else is blocked.

Why it matters: Attackers frequently use malicious software to compromise systems. If that software cannot execute, the attack fails at the first step.

Implementation for SMBs: Windows Defender Application Control (WDAC) or AppLocker in Microsoft environments. Start with audit mode to understand what is running in your environment before enforcing restrictions.

Common pitfall: Implementing application control without audit mode first. This breaks legitimate software and frustrates users. Always audit before enforcing.
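The audit-first approach described above, as an added example that is not part of the original guide or any ACSC tooling: it builds an AppLocker policy from the software already installed on a pilot workstation, switches every rule collection to AuditOnly rather than Enabled, and after a period of normal use summarises which executables would have been blocked. Paths, the pilot scope and the review window are assumptions to adapt to your environment.

```powershell
# Added example (not from the original guide): put AppLocker into audit mode on a
# pilot workstation, then report what would have been blocked before enforcing.
# Assumptions: run elevated on a Windows edition that supports AppLocker; the
# policy file path is a placeholder.
$PilotPolicy = "$env:ProgramData\E8\AppLocker-audit.xml"        # placeholder path
New-Item -ItemType Directory -Force -Path (Split-Path $PilotPolicy) | Out-Null

# 1. Build Publisher rules (Hash rules for unsigned files) from what is installed,
#    so known-good software is allowed and only unknown binaries surface in the log.
$dirs = 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
}
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -Encoding utf8 -FilePath $PilotPolicy

# 2. Force every rule collection into AuditOnly: events are logged, nothing is blocked.
#    (Before moving to Enabled, merge the AppLocker default rules that allow %WINDIR%,
#    otherwise Windows components themselves would be caught.)
[xml]$policy = Get-Content -Path $PilotPolicy
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policy.Save($PilotPolicy)
Set-AppLockerPolicy -XmlPolicy $PilotPolicy

# The Application Identity service must be running for AppLocker to log anything.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# 3. After the review window (one week here, an assumption), list what would have
#    been blocked. Event ID 8003 = "allowed to run but would have been prevented if
#    the AppLocker policy were enforced"; count by path so the noisiest gaps come first.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.Message -match '^(?<path>.+?) was allowed to run') { $Matches.path } } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'WouldHaveBlocked'; e = { $_.Name } } |
    Format-Table -AutoSize
```

Each path in the report is a decision to make before enforcement: either it is legitimate software that needs a rule (prefer a Publisher rule over a Hash rule so updates do not break it), or it is something that should not be running at all. Only when the report has been empty for a full review cycle is it safe to change AuditOnly to Enabled.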

Strategy 2: How do you keep applications patched?

Application patching means updating third-party software — browsers, PDF readers, Java, Zoom, and other applications — within defined timeframes when security vulnerabilities are discovered.

Why it matters: Unpatched applications are one of the most common entry points for attackers. A known vulnerability in a PDF reader or browser can be exploited to execute malicious code.

Implementation for SMBs: Use Microsoft Intune or a third-party patch management tool to deploy patches to all devices. Critical patches should be applied within 48 hours and non-critical patches within two weeks.

Common pitfall: Only patching Microsoft products and ignoring third-party applications. Chrome, Adobe Reader, Zoom, and Java are frequently exploited and must be included in your patching process.

Strategy 3: How should you configure Microsoft Office macros?

Macro configuration controls which Microsoft Office macros are allowed to run. Macros from the internet should be blocked entirely. Trusted macros should be digitally signed.

Why it matters: Malicious Office macros have been a primary malware delivery mechanism for years. An email attachment with a macro that downloads ransomware is one of the most common attack vectors.

Implementation for SMBs: Configure Group Policy or Intune to block macros from the internet, only allow signed macros from trusted publishers, and disable macros in documents downloaded from email or the web.

Common pitfall: Blocking all macros without considering business-critical macros in Excel spreadsheets or Access databases. Identify legitimate macro usage before configuring restrictions.
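A way to verify that the macro settings described above actually landed on a workstation, as an added example that is not from the original guide or from Microsoft: Group Policy and Intune write these Office settings as per-user registry values, so the script reads them for Word, Excel and PowerPoint and reports each one as compliant or not. The version key (16.0 for Office 2016 and later, including Microsoft 365 Apps), the set of applications checked and the optional `-Enforce` switch are assumptions.

```powershell
# Added example (not from the original guide): audit, and optionally set, the
# per-user Office macro policy values for the signed-in user.
# Assumptions: Office version key 16.0; Word, Excel and PowerPoint only; normally
# these values come from GPO/Intune, and -Enforce is only for a lab or a one-off fix.
param([switch]$Enforce)

$apps    = 'Word', 'Excel', 'PowerPoint'
$desired = @{
    # 1 = block macros in files that carry the Mark of the Web (downloaded from the
    #     internet, including attachments saved from email)
    'blockcontentexecutionfrominternet' = 1
    # 3 = disable all macros except those digitally signed by a trusted publisher
    'VBAWarnings'                       = 3
}

$results = foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    foreach ($name in $desired.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $ok = ($null -ne $current) -and ($current -eq $desired[$name])
        if (-not $ok -and $Enforce) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name $name -Value $desired[$name] -PropertyType DWord -Force | Out-Null
            $ok = $true
        }
        [pscustomobject]@{
            App       = $app
            Setting   = $name
            Current   = if ($null -eq $current) { '(not set)' } else { $current }
            Required  = $desired[$name]
            Compliant = $ok
        }
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }   # non-zero exit for RMM/Intune compliance checks
```

The non-zero exit code makes the script usable as a compliance probe from an RMM tool or an Intune proactive remediation. Note that `VBAWarnings = 3` only works for the business-critical macros mentioned in the pitfall if they are signed and the signing certificate is present in the users' Trusted Publishers store, so that signing and distribution step has to be done before the policy is tightened.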

Strategy 4: What is user application hardening?

User application hardening locks down web browsers, email clients, and PDF readers to prevent common exploit techniques.

Why it matters: Attackers use browser vulnerabilities, malicious advertisements, and document exploits to gain initial access. Hardening these applications reduces the attack surface.

Implementation for SMBs: Disable Flash and Java in browsers, and remove unnecessary browser extensions. Block ads using browser policies. Configure email clients so they do not automatically download external content. Disable PDF JavaScript execution.

Common pitfall: Hardening browsers but not configuring email client settings. Outlook’s default behaviour of loading external images and previewing attachments creates unnecessary risk.

Strategy 5: How do you restrict administrative privileges?

Administrative privilege restriction means limiting who has admin access to systems and how those admin accounts are used.

Why it matters: If an attacker compromises an account with admin privileges, they can install software, modify security settings, access all data, and move laterally across your network. Limiting admin accounts limits damage.

Implementation for SMBs: Remove local admin rights from standard user accounts. Create separate admin accounts for IT staff that are only used for administrative tasks. Implement just-in-time admin access where possible. Audit admin account usage regularly.

Common pitfall: Giving all staff local admin rights because it is easier for IT. This is the single most common security mistake in SMB environments and dramatically increases the impact of any compromise.
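The "audit admin account usage regularly" step, as an added example that is not from the original guide: it collects local Administrators group membership from a list of workstations over PowerShell Remoting and reports every principal that is not on an approved list, which is the quickest way to find the "everyone is a local admin" situation the pitfall describes. Host names, the approved principals and the use of WinRM are assumptions.

```powershell
# Added example (not from the original guide): find unexpected members of the
# local Administrators group across a set of hosts.
# Assumptions: PowerShell Remoting is enabled on the targets; the host names and
# the approved list below are placeholders.
$Computers = 'WS-PILOT-01', 'WS-PILOT-02'                        # placeholder host names
$Approved  = @('Administrator', 'CORP\Workstation Admins')       # placeholder approved principals

# Get-LocalGroupMember returns Name as "COMPUTER\user" or "DOMAIN\group";
# PrincipalSource shows whether the account is Local, ActiveDirectory or AzureAD.
$report = Invoke-Command -ComputerName $Computers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
}

# Match on the full name or on the leaf (so 'Administrator' covers every host's built-in account).
$unexpected = @($report | Where-Object {
    $leaf = $_.Name.Split('\')[-1]
    -not ($Approved -contains $_.Name -or $Approved -contains $leaf)
})

$unexpected | Sort-Object Computer, Name | Format-Table Computer, Name, ObjectClass, PrincipalSource -AutoSize
'{0} unexpected admin principals across {1} hosts' -f $unexpected.Count, $Computers.Count
```

Run it before and after removing admin rights and keep the output with the dates as evidence for the maturity assessment record. Remediation itself is deliberately left out of the script: removals should go through `Remove-LocalGroupMember` (or the GPO Restricted Groups setting) only after each unexpected entry has been confirmed with its owner, since some of them will turn out to be line-of-business installers that still need a proper fix.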

Strategy 6: How do you keep operating systems patched?

Operating system patching means applying Windows, macOS, and Linux security updates within defined timeframes.

Why it matters: Operating system vulnerabilities are regularly exploited by attackers. Unpatched systems are low-hanging fruit.

Implementation for SMBs: Use Windows Update for Business, Microsoft Intune, or WSUS to deploy OS patches. Apply critical patches within 48 hours and monthly cumulative updates within two weeks. Remove unsupported operating systems (Windows 10 reaches end of support in October 2025).

Common pitfall: Patching workstations but neglecting servers. Servers often run older OS versions with deferred patching — making them prime targets.
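A single host check covering both patching strategies (applications in Strategy 2 and the operating system in Strategy 6), as an added example that is not from the original guide: it reads installed application versions from the Uninstall registry keys, flags anything below a minimum version, and reports how many days have passed since the last OS hotfix against the two-week window above. The product names and minimum versions are placeholders to be filled from vendor advisories; the two-week threshold and the Windows 10 end-of-support note come from the guide.

```powershell
# Added example (not from the original guide): report outdated third-party
# applications and OS patch age on the local host.
# Assumptions: the $Minimum table is a placeholder; replace the product prefixes and
# versions with the values from your own patch management tool or vendor advisories.
$Minimum = @{
    'Google Chrome'  = '1.0.0.0'    # placeholder minimum version, not an advisory value
    'Adobe Acrobat'  = '1.0.0.0'    # placeholder
    'Zoom'           = '1.0.0'      # placeholder
}

# Both 64-bit and 32-bit (WOW6432Node) install records.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion } |
    Select-Object DisplayName, DisplayVersion

$appFindings = foreach ($product in $Minimum.Keys) {
    $hits = $installed | Where-Object { $_.DisplayName -like "$product*" }
    foreach ($h in $hits) {
        # Compare as [version], not as strings: '9.0' -lt '10.0' is false when compared as text.
        if ($h.DisplayVersion -match '^\d+(\.\d+){1,3}') {
            $current = [version]$Matches[0]
            [pscustomobject]@{
                Product   = $h.DisplayName
                Installed = $current
                Minimum   = [version]$Minimum[$product]
                Outdated  = $current -lt [version]$Minimum[$product]
            }
        }
    }
}
$appFindings | Format-Table -AutoSize

# OS side: age of the most recent hotfix versus the guide's two-week window.
$latestFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSince = if ($latestFix) { (New-TimeSpan -Start $latestFix.InstalledOn -End (Get-Date)).Days } else { $null }
$os = Get-CimInstance -ClassName Win32_OperatingSystem
[pscustomobject]@{
    OS                  = $os.Caption
    Build               = $os.BuildNumber
    LastHotFix          = if ($latestFix) { $latestFix.HotFixID } else { '(none found)' }
    DaysSinceLastUpdate = $daysSince
    OutsideTwoWeeks     = ($null -eq $daysSince) -or ($daysSince -gt 14)
    Windows10EndOfSupport = $os.Caption -like '*Windows 10*'   # unsupported after October 2025 per the guide
} | Format-List
```

Run the same script on servers as well as workstations; the pitfall about neglected servers shows up immediately as a large `DaysSinceLastUpdate` value. `Get-HotFix` only lists updates recorded by the Windows Update agent, so on a machine patched by a third-party tool the application table is the more reliable half of the report.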

Strategy 7: How do you implement multi-factor authentication?

Multi-factor authentication (MFA) requires users to provide two or more verification factors — something they know (password) plus something they have (phone, hardware key) or something they are (biometric).

Why it matters: MFA blocks the vast majority of credential-based attacks. Even if an attacker steals a password through phishing, they cannot access the account without the second factor.

Implementation for SMBs: Enable MFA on Microsoft 365, VPN, remote desktop, and all cloud services. Use the Microsoft Authenticator app or hardware security keys. Avoid SMS-based MFA where possible — app-based or hardware-based MFA is more secure.

Common pitfall: Enabling MFA on Microsoft 365 but not on VPN, firewall admin, or other remote access services. Attackers target the services without MFA.

Strategy 8: How do you implement reliable backups?

The regular backups strategy means backing up important data and system configurations, storing backups securely, and testing restore procedures.

Why it matters: Backups are your last line of defence against ransomware, hardware failure, and accidental deletion. Without tested backups, recovery from any major incident is uncertain.

Implementation for SMBs: Back up all critical data daily. Store at least one copy offline or in immutable cloud storage. Test full restores quarterly — not just verify that backup jobs complete, but actually restore data and confirm it works.

Common pitfall: Assuming cloud storage (OneDrive, SharePoint) is a backup. Cloud sync is not backup — if files are encrypted by ransomware, the encrypted versions sync to the cloud. You need a separate, independent backup solution.
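The quarterly "actually restore data and confirm it works" test above needs something more objective than opening a few files, so here is an added example that is not from the original guide: a manifest of SHA-256 hashes is recorded from the live data when the backup runs, and after a test restore into a scratch location the restored tree is compared against it. Files that are missing or whose hash differs (including files that were already encrypted by ransomware before the backup ran) are listed. The paths in the usage comments are placeholders.

```powershell
# Added example (not from the original guide): prove a restore is complete and
# intact by comparing restored files against a hash manifest taken at backup time.
# Assumptions: all paths are placeholders; New-BackupManifest runs against the live
# data alongside the backup job, Test-Restore runs against the restored copy.

function New-BackupManifest {
    param([string]$SourceRoot, [string]$Manifest)
    $root = $SourceRoot.TrimEnd('\')
    Get-ChildItem -Path $root -File -Recurse |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length + 1)
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $Manifest -NoTypeInformation
}

function Test-Restore {
    param([string]$RestoreRoot, [string]$Manifest)
    $expected = @(Import-Csv -Path $Manifest)
    $missing  = @()
    $corrupt  = @()
    foreach ($entry in $expected) {
        $path = Join-Path -Path $RestoreRoot -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path)) { $missing += $entry.RelativePath; continue }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $entry.SHA256) { $corrupt += $entry.RelativePath }
    }
    [pscustomobject]@{
        FilesExpected = $expected.Count
        Missing       = $missing.Count
        Corrupt       = $corrupt.Count
        Passed        = ($missing.Count -eq 0 -and $corrupt.Count -eq 0)
        MissingFiles  = $missing
        CorruptFiles  = $corrupt
    }
}

# Usage (placeholder paths):
#   New-BackupManifest -SourceRoot 'D:\Shares\Finance' -Manifest 'D:\Backups\finance-manifest.csv'
#   Test-Restore -RestoreRoot 'E:\RestoreTest\Finance' -Manifest 'D:\Backups\finance-manifest.csv'
```

Store the manifest with the offline or immutable copy rather than only on the file server, otherwise ransomware that reaches the server can remove the evidence along with the data. A `Passed = $false` result with a large `Corrupt` count on a restore from a recent backup is also an early warning that the source data was already being encrypted when the backup ran, which is exactly the cloud-sync failure mode the pitfall describes.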

What priority order should Melbourne businesses follow?

For businesses starting from Maturity Level Zero, we recommend this implementation sequence based on impact and effort:

  1. Multi-factor authentication — Highest impact, lowest effort. Implement on all accounts immediately.
  2. Patch applications and operating systems — Close the most commonly exploited vulnerabilities.
  3. Regular backups with tested restores — Ensure recovery capability before implementing disruptive changes.
  4. Restrict administrative privileges — Limit the blast radius of any compromise.
  5. Configure Microsoft Office macros — Block a primary malware delivery mechanism.
  6. User application hardening — Lock down browsers and email clients.
  7. Application control — Most effective but requires careful planning and testing.

This order prioritises controls that provide immediate risk reduction while building toward comprehensive coverage. Each step makes the next step more effective.

What common mistakes should you avoid?

Treating Essential Eight as a one-off project. The Essential Eight requires ongoing maintenance — patches, configuration management, and regular review. It is not a set-and-forget exercise.

Aiming for Maturity Level Three immediately. Start with Level One across all eight strategies. Consistent Level One is far more protective than Level Three on one strategy and Level Zero on the others.

Ignoring the human element. Technical controls are essential but insufficient. Staff awareness training complements the Essential Eight by addressing the human actions that bypass technical controls.

Not documenting your maturity level. Without documentation, you cannot demonstrate compliance to cyber insurers, clients, or regulators. Maintain a maturity assessment record that you update at least annually.

Sources and references

  1. Essential Eight Maturity Model — Australian Cyber Security Centre
  2. Essential Eight Assessment Process Guide — Australian Cyber Security Centre
  3. Strategies to Mitigate Cyber Security Incidents — Australian Cyber Security Centre

Ready to get started?

Book a free IT assessment and find out how Prexiam can improve your security, productivity, and IT costs.