The Australian Signals Directorate’s Essential Eight is the most widely referenced cyber security framework in Australia. But in our experience, it’s also one of the most widely misunderstood.

What the Essential Eight actually is

The Essential Eight is a prioritised set of eight mitigation strategies designed to make it significantly harder for attackers to compromise your systems. It was developed by the ASD based on their intelligence about real-world threats — not theoretical ones.

The eight strategies are:

  1. Patch applications — Keep software up to date to close known vulnerabilities
  2. Patch operating systems — Same principle applied to the OS itself
  3. Multi-factor authentication — Require more than just a password
  4. Restrict administrative privileges — Limit who can make system-wide changes
  5. Application control — Only allow approved applications to run
  6. Restrict Microsoft Office macros — Block a common malware delivery mechanism
  7. User application hardening — Lock down browser and application settings
  8. Regular backups — Ensure you can recover from a ransomware attack

The maturity level question

Here’s where most organisations get confused. The Essential Eight has four maturity levels — 0, 1, 2, and 3 — and the common assumption is that everyone needs to reach Maturity Level 3.

That’s not true.

The right maturity level for your organisation depends on the adversaries most likely to target you. For most small to medium businesses, Maturity Level 2 represents a meaningful and proportionate target. Maturity Level 3 is designed to defend against sophisticated, nation-state-level threats.

What we see in practice

When we conduct Essential Eight assessments, the most common gaps we find are:

  • MFA that isn’t applied consistently — it’s enabled for email but not for other critical systems
  • Patch management that looks good on paper — but critical applications are weeks or months behind
  • Backups that have never been tested — organisations assume they work until they need them and find out they don’t

None of these are difficult to fix. But they require someone to actually look, actually test, and actually follow through.
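The three gaps above are the kind of thing an assessment should surface from evidence rather than from a questionnaire. As an added illustration (not code from the original post or from any ASD tooling), the following script runs those three checks over a constructed system inventory; the patch and restore-test thresholds are assumptions chosen for the example, not figures from the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed thresholds for this example; an actual assessment would take them
# from the maturity level the organisation is targeting.
MAX_PATCH_LAG_DAYS = 14
MAX_RESTORE_TEST_AGE_DAYS = 90


@dataclass
class System:
    name: str
    critical: bool                      # in scope for the MFA check
    mfa_enabled: bool
    patch_lag_days: int                 # days since the newest available patch was released
    last_restore_test: Optional[date]   # None: backups have never been restored


Finding = Tuple[str, str, str]  # (system, strategy, detail)


def assess(systems: List[System], today: date) -> List[Finding]:
    """Flag the three gap types: inconsistent MFA, patch lag, untested backups."""
    findings: List[Finding] = []
    for s in systems:
        if s.critical and not s.mfa_enabled:
            findings.append((s.name, "mfa", "critical system without MFA"))
        if s.patch_lag_days > MAX_PATCH_LAG_DAYS:
            findings.append((s.name, "patching", f"{s.patch_lag_days} days behind"))
        if s.last_restore_test is None:
            findings.append((s.name, "backups", "restore never tested"))
        elif (today - s.last_restore_test).days > MAX_RESTORE_TEST_AGE_DAYS:
            findings.append((s.name, "backups", "restore test is stale"))
    return findings


def gaps_by_strategy(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, strategy, _ in findings:
        counts[strategy] = counts.get(strategy, 0) + 1
    return counts


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    System("mail", True, True, 3, date(2024, 3, 1)),
    System("erp", True, False, 45, None),
    System("fileserver", False, False, 10, date(2023, 6, 1)),
]


def sample_findings() -> List[Finding]:
    return assess(SAMPLE_INVENTORY, date(2024, 4, 1))
```

Running `sample_findings()` on the constructed inventory reports the ERP system for all three gaps and the file server for a stale restore test; the mail system passes.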

Getting started

If you’re not sure where your organisation sits against the Essential Eight, an assessment is the right first step. Not a checkbox exercise — a genuine review of your environment that tells you where you are, where you need to be, and what it will realistically take to get there.

That’s exactly what we do. Get in touch if you’d like to talk it through.