The ACSC Essential Eight for small business.
Plain English. What it means. What to do first.
Australia’s government-recommended cyber security baseline — explained for a business owner, not a security architect. Which of the eight controls matter most, what maturity level you actually need, and what it costs to get assessed.
The ACSC Essential Eight is the Australian government’s recommended set of cyber security controls for all Australian organisations. Published by the Australian Cyber Security Centre (ACSC), it is built on the observation that most cyber incidents — ransomware, account compromise, data theft — exploit a small number of well-understood vulnerabilities that these eight controls directly address.
For Australian small businesses, the Essential Eight matters for three reasons: it is the right framework for the Australian threat environment, it maps directly to Microsoft 365 and Azure security controls, and it is increasingly asked for by cyber insurers and larger business clients conducting supplier due diligence checks.
The three maturity levels — which one does your business need?
The Essential Eight uses a maturity model with three levels. Most Australian small businesses should target Maturity Level 1 first. Here is what each means in practice:
Reaching Maturity Level 1 (ML1) across the Essential Eight blocks over 85% of the common attacks targeting Australian small businesses. It is the right first target — not because the other levels don’t matter, but because the marginal risk reduction drops significantly once ML1 is achieved.
All eight controls explained — for a business owner
1. Application control. Prevents unapproved software from running on your computers. Stops most malware delivery methods — because malware is software, and if it can’t run, it can’t cause damage. More complex to implement than the other controls, but extremely effective.
2. Patch applications. Keep all software current — especially internet-facing applications like browsers, Office, PDF readers, and plugins. Unpatched software is the single most common way attackers gain initial access to a business. Most exploits target vulnerabilities that have had patches available for months.
3. Configure Microsoft Office macro settings. Block or restrict macros in Microsoft Office files. Macros in Word and Excel documents are one of the primary delivery mechanisms for malware via email attachments. Most small businesses have no legitimate need for macros from external sources.
4. User application hardening. Configure browsers to block Flash, Java, and ads. Reduces exposure from malicious web content — drive-by downloads and malvertising that can install malware simply by visiting a compromised website.
5. Restrict administrative privileges. Only give admin access to people who genuinely need it — and only for the specific systems they administer. Admin accounts are the highest-value target for attackers. In most small businesses, 3–5 accounts have Global Admin in Microsoft 365 when 1–2 would be appropriate.
6. Patch operating systems. Keep Windows and macOS current. Internet-facing systems (anything accessible from outside your network) need patching within 48 hours of a critical patch release; internal systems within two weeks.
7. Multi-factor authentication. Require a second verification step — usually the Microsoft Authenticator app — for all cloud accounts, especially Microsoft 365. MFA blocks 99.9% of automated credential-based attacks. If you implement nothing else, implement MFA. It is free in all M365 plans.
8. Regular backups. Maintain tested, offline or immutable backups of important business data. This is the primary defence against ransomware — if you can restore from backup, you do not need to pay a ransom. Backups must be tested regularly; an untested backup is not a real backup.
Which controls matter most for Microsoft 365 users
If your business primarily runs on Microsoft 365 — email, Teams, SharePoint, OneDrive — then controls 2, 3, 5, and 7 (patching applications, Office macro settings, restricting admin privileges, and multi-factor authentication) are the most immediately applicable and deliver the highest reduction in risk for the effort involved.
A specialist ACSC Essential Eight assessment reviews your current maturity level across all eight controls, identifies the gaps, and gives you a prioritised remediation roadmap — what to fix first, and why.
General IT support keeps systems running. Essential Eight compliance requires deliberate configuration of specific security controls. Your IT provider may manage your Microsoft 365 without ever reviewing admin privileges, disabling legacy authentication, or formally assessing macro policy. These require security-focused work — not IT support work.
What an Essential Eight assessment covers and what it costs
- Review of current maturity level across all eight controls — typically 0 or 1 for businesses that have never been assessed
- Microsoft 365 tenant configuration review — MFA status, admin roles, legacy auth, macro policy, external sharing
- Azure environment assessment if applicable — identity, storage, role assignments, threat protection
- Prioritised gap report — findings ordered by risk level with recommended remediation steps
- Framework-aligned documentation suitable for cyber insurance and client due diligence requests
- Debrief call with findings explained in plain English and a roadmap your team can act on
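As an added illustration of what the tenant configuration review above looks for (this is example code, not SecureLoop's assessment tooling), the following read-only script uses the Microsoft Graph PowerShell SDK to snapshot three of the listed items: the number of Global Administrator accounts, MFA baseline and per-user registration, and whether legacy authentication is blocked. It assumes the Microsoft.Graph module is installed and that you sign in with an account permitted to read directory, policy and report data.

```powershell
# Added example (not the page's or SecureLoop's own code): read-only snapshot of three
# Essential Eight ML1-relevant Microsoft 365 settings. Assumes: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Directory.Read.All","Policy.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Restrict administrative privileges: who holds Global Administrator?
#    The page's benchmark for a small business is 1-2 accounts.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # well-known Global Administrator role template ID
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$gaMembers = @()
if ($gaRole) { $gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) }
"Global Administrator accounts: $($gaMembers.Count)"
foreach ($m in $gaMembers) {
    # Users expose userPrincipalName; service principals only a displayName
    $name = $m.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $m.AdditionalProperties['displayName'] }
    "  - $name"
}

# 2. Multi-factor authentication: tenant-wide baseline plus per-user registration status.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($defaults.IsEnabled)"
$regs = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$notRegistered = @($regs | Where-Object { -not $_.IsMfaRegistered })
"Users without MFA registered: $($notRegistered.Count) of $($regs.Count)"
foreach ($u in $notRegistered) { "  - $($u.UserPrincipalName)" }

# 3. Legacy authentication: an enabled Conditional Access policy that blocks
#    Exchange ActiveSync and "other" (basic-auth) clients, or security defaults.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
$legacyBlock = @($caPolicies | Where-Object {
    $_.State -eq "enabled" -and
    $_.GrantControls.BuiltInControls -contains "block" -and
    $_.Conditions.ClientAppTypes -contains "exchangeActiveSync" -and
    $_.Conditions.ClientAppTypes -contains "other"
})
if ($legacyBlock.Count -gt 0) { "Legacy auth blocked by CA policy: $($legacyBlock.DisplayName -join ', ')" }
elseif ($defaults.IsEnabled)  { "Legacy auth blocked by security defaults" }
else                          { "Legacy auth: NOT blocked (finding)" }
```

The Global Administrator role object only exists in the directory once the role has been activated, so an empty result means no one has been assigned it yet; a Conditional Access policy that scopes the block to a subset of users would still match here, so read the policy's user assignments before treating it as tenant-wide coverage.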
SecureLoop — ACSC Essential Eight Assessments for Australian Business
SecureLoop is a Brisbane-based cyber security consultancy delivering ACSC Essential Eight assessments for Australian small and medium businesses. Fixed-price security audits from $900. Cloud security consulting from $1,200. Delivered in 2–5 business days.
They serve businesses across Brisbane, Gold Coast, Sunshine Coast, and all of Australia remotely. No lock-in contracts. No hourly billing. Every assessment includes a plain-English risk report and a prioritised remediation roadmap.
Get your ACSC Essential Eight assessment
Fixed price from $900. Delivered in 2–3 business days. Plain-English report with a prioritised fix list. Book a free 30-minute call first — no obligation.