The Australian Cyber Security Centre's Essential Eight isn't just for federal departments. For a 20-person Geelong office, it's the difference between sleeping at night and finding out on a Monday morning that someone has encrypted everything.
What the Essential Eight is, in plain English
Eight controls. Each one closes off a common attack path. Together, they stop something like 95% of the attacks we actually see happen to small businesses.
The controls cover application allowlisting, patching applications, configuring Microsoft Office macros, hardening user applications, restricting admin privileges, patching operating systems, multi-factor authentication, and regular backups. None of them are exotic. All of them quietly get skipped.
Why "we're too small to be a target" is wrong
Attackers don't pick targets. They run automated scans against everything connected to the internet, looking for a known vulnerability or a leaked password. The 30-person accounting firm in Newtown is exactly as attractive as the 3,000-person enterprise in Melbourne, because the attacker doesn't care who you are; they care that something is vulnerable.
If you process payments, handle personal data, or use a computer, you're a target.
Where to actually start
Two things will move the needle more than anything else: multi-factor authentication on every account, and tested, off-site backups. Do those two and you've killed the two most common ways small businesses get hurt.
From there, work through the rest of the eight in order of impact for your business. We can help you assess where you are and what to do next — at no charge for an initial review.
What the Essential Eight actually is
The Essential Eight is a set of eight practical controls published by the Australian Cyber Security Centre to help organisations defend against the most common cyber threats. They cover application control, patching applications, configuring Office macros, hardening user applications, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups. None are exotic. Together they stop the overwhelming majority of attacks that actually reach Australian small businesses.
Why "too small to be a target" is the wrong mindset
Attackers rarely choose targets by name. They scan the internet automatically for any system with a known weakness or a leaked password, then exploit whatever they find. To that automation, a twenty-person Geelong firm is exactly as attractive as a large enterprise. The good news is the reverse is also true: the same eight controls that protect a big organisation protect a small one, and they are well within reach of any business prepared to implement them properly.
Where to start, and how we help
If you do nothing else, enable multi-factor authentication everywhere and make sure your backups are tested and off-site. Those two alone close the most common routes to harm. From there, the remaining controls are best worked through in order of impact. We run an Essential Eight assessment that shows where you sit against each control, then close the gaps under a managed plan so the posture is maintained rather than set once and forgotten.
Maturity is a journey, not a switch
The Essential Eight is measured in maturity levels, which is a helpful reminder that security is built up over time rather than switched on once. A business can start at a basic level across all eight controls and strengthen each as budget and need allow. What matters is steady, deliberate progress and keeping the controls maintained as systems change. We map your current maturity, agree a realistic target, and maintain it under a managed plan so the posture improves and then holds, rather than being assessed once and quietly drifting backwards.