Essential 8 for Small Business: What It Is and Where to Start
If you've heard "Essential 8" thrown around by your insurer, your accountant, a government tender, or a security-conscious customer, you're not the only one. The Australian Signals Directorate's Essential 8 is becoming the de facto baseline for cyber security in Australia, and small businesses are increasingly being asked to meet at least Maturity Level 1. Here's what the Essential 8 actually is, what each control means in plain English, and how to start working toward it without blowing the bank.
What the Essential 8 Actually Is
The Essential 8 (often "E8") is a set of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC), which sits inside the Australian Signals Directorate. They've been progressively refined since 2017 and are now the most-referenced security baseline in the country. The ACSC also defines four maturity levels (0 to 3) for each control, describing how robustly the control is implemented.
The framework was originally aimed at federal government, but state government, defence contractors, insurers, large companies and increasingly mid-sized customers now expect their suppliers to demonstrate at least Maturity Level 1. The full official documentation is at cyber.gov.au; what you're reading is the plain-English summary for a small business owner.
Why Insurers and Tender Documents Ask About It
A few reasons it's getting more important fast:
- Cyber insurance. Most Australian cyber policies now require ML1 (or equivalent controls) as a prerequisite. Without them, claims get denied. See our cyber insurance requirements article for more.
- Government and large enterprise tenders. Any contract involving government data (local, state or federal) increasingly asks for an Essential 8 assessment.
- Privacy Act reforms. The 2022/23 Privacy Act amendments and the proposed Cyber Security Act reforms set a "reasonable steps" baseline that effectively maps to Essential 8 for most SMBs.
- Supply chain pressure. If you're a contractor to a larger organisation, expect to be asked about your security controls within the next 12 months if you haven't been already.
The Eight Controls (Plain English)
1. Application Control
What it means: Only allow software that's been approved to run on company devices. Block everything else by default.
How small businesses actually do this: Microsoft Defender Application Control or AppLocker on Windows 11 Pro / Enterprise. For a small business not running Active Directory, this is the hardest control to implement well, so it usually waits until you've got the easier ones done.
ML1 target: Block known executable types in user folders (Downloads, AppData).
2. Patch Applications
What it means: Keep the software on your computers up to date, particularly Office, web browsers, PDF readers, Java, and similar internet-facing applications. For ML2 and above, critical security patches must be applied within 48 hours.
How small businesses actually do this: Auto-updates on Chrome, Edge, Firefox, Office 365, Adobe Reader. Use a remote monitoring tool (we use Datto, NinjaOne, or similar in our managed IT plans) to verify it's happening on every machine.
ML1 target: Patch internet-facing apps within two weeks of release; remove unsupported versions.
3. Configure Microsoft Office Macros
What it means: Block Office macros from the internet. Macros are a favourite delivery method for ransomware.
How small businesses actually do this: Microsoft now blocks internet macros by default in 365. The fix is to make sure nobody has unticked that, and to disable macros entirely on accounts that don't need them.
ML1 target: Macros blocked for users who don't need them; macros from the internet blocked outright.
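The "make sure nobody has unticked that" check above can be scripted. This is an added example, not code from the article or from Microsoft: it reads the Office policy and user registry keys that control internet macro blocking and the VBA macro security level for the signed-in user, and assumes Microsoft 365 Apps (registry hive version 16.0).

```powershell
# Added example (not from the article): report whether "block macros from the
# internet" is enforced, left at Microsoft's default, or overridden, and what
# the VBA macro policy is, for Word, Excel and PowerPoint on this PC.
# Assumes Microsoft 365 Apps, whose registry hive is version 16.0.
$apps       = 'Word', 'Excel', 'PowerPoint'
$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'   # set by Intune / Group Policy
$userRoot   = 'HKCU:\Software\Microsoft\Office\16.0'            # set via the Trust Center
$blockName  = 'blockcontentexecutionfrominternet'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the registry value, or $null when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# VBAWarnings values: 4 = disable all macros without notification (what ML1
# wants for users who don't need macros), 3 = signed only, 2 = prompt, 1 = enable all
$vbaMeaning = @{ 4 = 'all macros disabled'; 3 = 'signed macros only'
                 2 = 'user is prompted';    1 = 'ALL MACROS ENABLED - fix this' }

$report = foreach ($app in $apps) {
    $policy = Get-RegDword "$policyRoot\$app\Security" $blockName
    $user   = Get-RegDword "$userRoot\$app\Security"   $blockName
    $vba    = Get-RegDword "$policyRoot\$app\Security" 'VBAWarnings'

    $internet = if ($policy -eq 1) { 'ENFORCED by policy' }
                elseif ($policy -eq 0 -or $user -eq 0) { 'DISABLED - fix this' }
                else { 'DEFAULT (blocked by Microsoft, but not locked by policy)' }

    $macros = if ($null -ne $vba -and $vbaMeaning.ContainsKey([int]$vba)) { $vbaMeaning[[int]$vba] }
              else { 'no policy set (application default applies)' }

    [pscustomobject]@{ App = $app; InternetMacros = $internet; MacroPolicy = $macros }
}
$report | Format-Table -AutoSize
```

A "DEFAULT" result means you are relying on Microsoft's built-in behaviour, which a user can still change in the Trust Center; pushing the policy value (so it reads "ENFORCED") is what gives you evidence for an assessment.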
4. User Application Hardening
What it means: Web browsers and Office shouldn't run risky features by default: Java in the browser, Flash (extinct now, but the principle remains), ads, untrusted Office add-ins, and so on.
How small businesses actually do this: Modern browsers default to most of this. The work is removing legacy stuff (uninstall Java, kill old Office add-ins, enforce ad-blocking via group policy or extensions). Edge and Chrome managed via the cloud admin centre simplify this enormously.
ML1 target: Block ads, block child processes from Office apps, block Java in the browser.
5. Restrict Administrative Privileges
What it means: Don't let everyday user accounts have admin rights. Admin accounts should be separate, used only when needed, and have MFA.
How small businesses actually do this: Make each user a standard user on their PC. Create a separate admin account for installs (your IT person uses it, or you do for specific tasks). In 365, use Privileged Identity Management or simply separate admin accounts.
ML1 target: Admin accounts are separate from standard accounts and can't browse the web or read email.
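A quick way to see who actually has admin rights on a PC, as an added example that is not code from the article: it lists the local Administrators group and flags anyone not on an agreed allow-list. The allow-list names are placeholders for your own accounts.

```powershell
# Added example (not from the article): audit the local Administrators group
# and flag members that are not on the agreed list. Allow-list entries are
# placeholders; replace them with the accounts you have decided should be admins.
$allowed = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (placeholder)
    "$env:COMPUTERNAME\it-admin"         # your separate admin account (placeholder)
)

function Get-AdminAudit {
    # Reading group membership does not require an elevated prompt
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        # -contains is case-insensitive, so 'IT-Admin' and 'it-admin' both match
        $status = if ($allowed -contains $_.Name) { 'allowed' } else { 'REVIEW - remove or justify' }
        [pscustomobject]@{
            Member = $_.Name
            Type   = $_.ObjectClass        # User or Group
            Source = $_.PrincipalSource    # Local, ActiveDirectory, AzureAD or MicrosoftAccount
            Status = $status
        }
    }
}

Get-AdminAudit | Format-Table -AutoSize

# The account you do everyday work in should report False here
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
"Current user is admin: " + $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
```

On Microsoft Entra joined PCs, Get-LocalGroupMember can fail on cloud accounts whose SIDs it cannot resolve; if that happens, `net localgroup Administrators` still lists the raw members.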
6. Patch Operating Systems
What it means: Same as patching applications, but for Windows itself and any servers. Critical patches within 48 hours for ML2+.
How small businesses actually do this: Don't fight Windows Update. Set it to auto-install. Plan a monthly "patch Tuesday" reboot window for any servers. Use RMM tools to verify compliance.
ML1 target: Patch internet-facing systems within two weeks; unsupported operating systems removed entirely. Yes, this means Windows 10 needs to be gone; see our Windows 10 end of support article.
7. Multi-Factor Authentication
What it means: A password alone isn't enough to log in. A second factor (authenticator app, hardware token) is required for important systems.
How small businesses actually do this: Turn on MFA in Microsoft 365 for every user. Turn on MFA in Xero, MYOB, banks, anywhere with financial data. Use Microsoft Authenticator or Authy for users; consider YubiKeys for admin accounts. See our MFA explainer for the detail.
ML1 target: MFA on all user accounts for internet-facing services and admin actions.
8. Regular Backups
What it means: Daily backups of important data and configuration. Backups must be tested. Backups must be protected from being deleted by ransomware.
How small businesses actually do this: Cloud-immutable backup of M365 and any local files. Quarterly test restores. See our NAS vs cloud backup and 3-2-1 backup articles.
ML1 target: Daily backups, restorable, retained for at least three months, with restoration tested annually.
Maturity Levels: How Robust Is "Done"?
For each of the 8 controls, the ACSC defines four maturity levels:
- ML0: Not implemented, or not implemented well enough to count.
- ML1: Mitigates basic attacks from opportunistic adversaries. The realistic target for small business.
- ML2: Mitigates more sophisticated targeted attacks. Realistic for mid-market businesses.
- ML3: Mitigates advanced, persistent threats. Required for some defence and government work.
The honest message: ML1 covers the vast majority of cyber attacks a small business will face. ML2 is the better target if you handle sensitive data (medical, legal, financial). ML3 is for organisations that genuinely face nation-state attackers and is overkill for almost every Townsville SMB.
Where to Start (60-Day Plan)
If you're starting from scratch, here's the order we'd actually tackle it for a typical 5 to 20 staff Townsville business:
Week 1: Foundations
- Audit what you have: users, devices, software, and where data lives
- Enable MFA on Microsoft 365 for every account (control 7)
- Enable MFA on Xero, MYOB, banking, anywhere financial
- Set up immutable cloud backup of 365 mailboxes and SharePoint (control 8)
Weeks 2-4: Patching and Hardening
- Enable auto-updates everywhere: Windows, Office, browsers, Adobe (controls 2 & 6)
- Replace any Windows 10 machines (Windows 10 hits end of support October 2025)
- Confirm Office macros from the internet are blocked (control 3)
- Remove Java, kill any old browser plug-ins (control 4)
Weeks 5-8: Privilege and Process
- Audit who has admin rights, remove anyone who doesn't need them (control 5)
- Create separate admin accounts with MFA for users who need them
- Document the policy (one page, plain English); it is required as evidence
- Perform a test restore from backup to confirm it works
Beyond Day 60: Application Control
Application control (control 1) is the hardest to implement well for a small business. Plan it last, once everything else is solid. For ML1 you can get a long way with Windows Defender Application Control's default rules on Windows 11 Pro and limited execution in user folders.
What We Do for Townsville Clients
As part of our managed IT services, we work clients toward Essential 8 ML1 as a default baseline within the first 90 days, and then maintain it. Specifically:
- Initial gap assessment against the eight controls (free for prospective clients)
- Roadmap with realistic timelines and budget per control
- Implementation: MFA, backups, patching, hardening, admin separation
- Ongoing monitoring with monthly compliance reports
- Annual review and re-test
See our cyber security page for our full security offering.
Free Essential 8 Gap Assessment
We'll review your current setup against the eight controls and give you a one-page gap report with cost estimates. No obligation. Worth doing if a customer or insurer has asked, or if you've never had a security review.
Frequently Asked Questions
Is Essential 8 mandatory?
Not legally for most small businesses, not yet anyway. But it's increasingly mandatory through procurement contracts, cyber insurance prerequisites, and supply chain requirements. The Privacy Act and Cyber Security Act reforms are likely to make a version of it effectively mandatory in the next few years.
How much does ML1 cost a small business?
If you're starting from scratch with 5 to 10 staff and Microsoft 365 already in place, expect to spend $5,000 to $15,000 in setup and $200 to $500/user/year ongoing for managed monitoring and backup. Much of this overlaps with what a well-run small business should be spending on IT anyway.
Can I self-attest to Essential 8?
For internal use and most insurance, yes: you self-assess and self-declare. For government contracts and some industries, formal third-party assessment is required.
How is Essential 8 different from ISO 27001 or NIST?
Essential 8 is much narrower, easier to implement, and Australian. ISO 27001 is a comprehensive management system; NIST is the US-equivalent framework. Essential 8 is what most Australian SMBs should target; ISO 27001 is for larger or more compliance-driven organisations.
We're tiny, just 2 people. Do we still need this?
The Essential 8 isn't size-specific. For a 2-person business, you can implement ML1 with very little effort: MFA on Microsoft 365, auto-updates, cloud backup, no shared admin password. We do this for sole traders all the time.
