What Is the Essential Eight? Australia's Cyber Security Framework Explained
If you've been trying to figure out where to start with cybersecurity for your business, the Australian Cyber Security Centre (ACSC) has an answer: the Essential Eight.
It's a prioritised set of eight security controls that the ACSC recommends as a baseline for all Australian businesses. Here's what each one is, why it matters, and how realistic it is for a small business.
What is the Essential Eight?
The Essential Eight is a set of mitigation strategies derived from the ACSC's analysis of the most common and impactful cyber attack methods. Implementing all eight — even at a basic level — significantly reduces the risk of the most prevalent cyber attacks.
The Eight Strategies:
1. Application Control
Only allow approved applications to run on your business systems. This prevents malware from executing, even if it finds its way onto a device.
For SMBs: Start by preventing your team from installing unapproved software.
2. Patch Applications
Keep all applications updated — especially internet-facing ones (browsers, email clients, Office tools). Patch within two weeks of a release for most apps; faster for critical patches.
For SMBs: Enable automatic updates. Review quarterly.
3. Configure Microsoft Office Macro Settings
Disable macros in Microsoft Office documents unless they're from trusted, verified locations. Macros are a common malware delivery method.
For SMBs: Set Office macro policy to disable all macros by default.
4. User Application Hardening
Configure web browsers, email clients, and other applications to block dangerous content — Flash, Java in browsers, ads from unknown sources.
For SMBs: Install a reputable ad blocker. Disable plugins you don't use.
5. Restrict Administrative Privileges
Limit who has admin-level access to systems. Admin accounts should only be used when specifically needed — not for day-to-day browsing or email.
For SMBs: Create separate admin and standard user accounts for all staff.
6. Patch Operating Systems
Keep your device operating systems (Windows, macOS, iOS, Android) updated. Like patching applications, timely OS updates close known vulnerabilities.
For SMBs: Enable automatic OS updates on all devices.
7. Multi-Factor Authentication
Require MFA for all remote access, privileged accounts, and cloud services. (We've covered this extensively — it's the best single control available.)
For SMBs: Enable MFA everywhere, especially email and cloud services.
8. Regular Backups
Back up your data regularly. Store backups separately from your main systems. Test that they can actually be restored.
For SMBs: Implement cloud backup and maintain at least one offline copy.
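Three of the eight (macro settings, administrative privileges, and OS patching) can be checked on a single Windows workstation in a few lines. The script below is an added, read-only audit example written for this explainer; it is not ACSC tooling and not part of the original post. It assumes Microsoft 365 Apps or Office 2016 and later (the "16.0" policy hive), a 30-day patch window as an illustrative threshold, and that it is run in an elevated Windows PowerShell 5.1 or PowerShell 7 session so that local group membership can be read.

```powershell
# Added example: read-only Essential Eight spot check for one Windows device.
# Assumptions: Office 2016+/Microsoft 365 policy hive (16.0); run as administrator.

function Get-OfficeMacroPolicy {
    # Essential Eight item 3: macros should be disabled by policy, not left to the user.
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $path  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $value = (Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        # VBAWarnings: 1 = enable all, 2 = disable with notification,
        #              3 = disable all except digitally signed, 4 = disable all without notification
        if ($null -eq $value)  { $status = 'FAIL: no policy set, user can enable macros' }
        elseif ($value -eq 4)  { $status = 'PASS: all macros disabled' }
        elseif ($value -eq 3)  { $status = 'PARTIAL: digitally signed macros still allowed' }
        else                   { $status = 'FAIL: macros enabled or notify-only' }
        [pscustomobject]@{ Control = 'Office macros'; Item = $app; Status = $status }
    }
}

function Get-LocalAdminMembers {
    # Essential Eight item 5: list who can act as an administrator on this device.
    # Every entry here should be a dedicated admin account, not a day-to-day user account.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Control = 'Admin privileges'
                Item    = $_.Name
                Status  = "REVIEW: $($_.ObjectClass) from $($_.PrincipalSource)"
            }
        }
}

function Get-OsPatchAge {
    # Essential Eight item 6: how long since the last Windows update was installed.
    # $MaxDays is an illustrative threshold for this example, not an ACSC number.
    param([int]$MaxDays = 30)
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) {
        return [pscustomobject]@{ Control = 'OS patching'; Item = 'last update'; Status = 'FAIL: no installed updates found' }
    }
    $days = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $status = if ($days -le $MaxDays) { "PASS: $($latest.HotFixID) installed $days days ago" }
              else                    { "FAIL: last update $($latest.HotFixID) was $days days ago" }
    [pscustomobject]@{ Control = 'OS patching'; Item = 'last update'; Status = $status }
}

# Run all three checks and print a single table for the device.
$results = @()
$results += Get-OfficeMacroPolicy
$results += Get-LocalAdminMembers
$results += Get-OsPatchAge
$results | Format-Table -AutoSize
```

The macro check reads the per-user policy hive because that is where Group Policy and Intune write Office security settings; a machine that shows "no policy set" is relying on each user to click the right button in the Trust Bar, which is the situation the control is meant to remove. The admin-group listing is deliberately marked REVIEW rather than PASS or FAIL, since only you know which of those accounts are genuinely dedicated admin accounts.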
The maturity model
The ACSC provides a maturity model (Level 1 through 4) for each control. Most SMBs should aim for Level 2 across the board — it represents meaningful protection against the majority of attacks.
Getting started
Pick the two or three you're most behind on and start there. MFA is almost always the fastest win.
Download the ACSC's full Essential Eight guide at: cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight