Executive Briefing
A plain-English guide to the Essential Eight maturity model for Sydney SMBs: the eight controls, the three maturity levels, who needs to comply, and what it costs.
What the Essential Eight actually is
The Essential Eight is a set of eight security strategies published by the Australian Signals Directorate (ASD) through its Australian Cyber Security Centre (ACSC). When people ask what the Essential Eight is, the short answer is this: it is the Australian Government's baseline of practical mitigations that, applied together, stop the bulk of cyber attacks aimed at Australian businesses.
The Essential Eight grew out of the ASD's older "Strategies to Mitigate Cyber Security Incidents". It distils that long list down to the eight controls that deliver the most protection for the least effort. The ASD designed it for Microsoft Windows networks, which covers most Sydney SMBs running Microsoft 365 and on-premises or hybrid environments.
The eight controls in plain English
The Essential Eight framework is built around eight specific mitigations. Here is what each one means for a real business.
- Application control: only approved programs run, so a staff member cannot launch ransomware downloaded from an email.
- Patch applications: keep browsers, Office, PDF readers and other software up to date so you close known holes quickly.
- Configure Microsoft Office macro settings: block macros in files from the internet, because malicious macros are a classic way in.
- User application hardening: disable risky features like Flash, web ads and Java in browsers that attackers exploit.
- Restrict administrative privileges: limit who holds admin rights, since a compromised admin account does far more damage than a standard one.
- Patch operating systems: keep Windows and server operating systems current, and retire anything no longer supported.
- Multi-factor authentication (MFA): require a second factor for logins, especially for email, remote access and anything internet-facing.
- Regular backups: back up important data and configurations, store them safely, and test that you can actually restore them.
The first six controls work to prevent attacks. MFA limits how far an attacker can get once inside. Backups let you recover when something slips through. Together they cover prevention, limitation and recovery.
How the maturity model works
Implementation of the eight controls is scored on a scale rather than as pass or fail. The Essential Eight maturity model describes how thoroughly you apply each control, using four levels from Zero to Three. Higher levels mean you can withstand more capable and determined attackers.
The four maturity levels
- Maturity Level Zero: weaknesses exist in your overall security posture. Most businesses that have never assessed themselves sit here for at least some controls.
- Maturity Level One: protects against attackers using widely available, off-the-shelf tools and known vulnerabilities. Most Sydney SMBs should target this.
- Maturity Level Two: protects against attackers willing to invest more time and effort, including more selective phishing and credential theft.
- Maturity Level Three: protects against adaptive, well-resourced attackers who target a specific organisation. High-risk sectors and larger entities need this.
The model rests on one principle: you implement all eight controls to the same maturity level before moving up. Level Three patching gives you little while your MFA sits at Level Zero, because attackers head straight for the weakest point. The ACSC recommends treating the eight controls as a package and lifting them together.
For most small and medium businesses in Sydney, the sensible goal is to reach Maturity Level One across all eight controls first, prove it holds, then decide whether your risk profile justifies Level Two.
Does your Sydney business need to comply?
It depends on who you work with. The Essential Eight is mandatory for most non-corporate Commonwealth entities, while the law does not force private businesses to adopt it. Even so, Essential Eight compliance increasingly shows up in places that affect your revenue.
- Government and enterprise contracts: tenders and supplier questionnaires frequently ask which maturity level you have reached.
- Cyber insurance: insurers ask about MFA, backups, patching and admin privileges, and your answers shape both your premium and whether they pay a claim.
- Larger clients: if you handle their data, their procurement team may require evidence of baseline controls before signing.
- Privacy obligations: the Privacy Act expects reasonable security steps, and the Essential Eight gives you a widely recognised, defensible baseline.
Even where no contract requires it, the Essential Eight is a sound cyber security baseline and good business hygiene. It targets the attacks Australian SMBs actually face, which is why so many MSPs use it as their starting framework. If you want help mapping it to your environment, our cyber security services are built around exactly this kind of work.
Heads up
Buying a security product does not make you compliant. The maturity model assesses how you configure, enforce and maintain a control across your whole fleet. MFA enabled for the owner but not every staff member, or backups nobody has test-restored, will not meet Maturity Level One. Coverage and consistency carry more weight than any single tool.
How to assess your current maturity level
You cannot improve what you have not measured, so start with an honest assessment. Work through each of the eight controls and score it against the maturity level definitions the ACSC publishes.
- Inventory first: list every device, server, application and user account. You cannot patch or control what you do not know exists.
- Check each control against the definition: for MFA, confirm it is on for all users and all internet-facing services, beyond the obvious ones.
- Score to the lowest gap: a control sits only at the level where it meets every requirement. One exception drops the whole control.
- Gather evidence: screenshots, policy configurations and backup restore logs. Insurers and auditors want proof.
- Reassess regularly: maturity drifts as software changes and staff come and go. Treat it as ongoing work.
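The scoring rules above (a control earns a level only when every requirement at that level is met fleet-wide, one exception drops it, and the organisation's level is the weakest control, as the maturity model section explains) are easy to get wrong in a spreadsheet. The following scorer is an added illustration written for this article; it is not the ACSC's or the author's code. The requirement wording, the user export, the backup record and the pass/fail outcomes for the other six controls are all constructed sample data, and the requirements are deliberately simplified stand-ins, not the ACSC's official maturity level definitions, which you must score against yourself.

```python
"""Essential Eight maturity scorer (added illustration; not the article's or the ACSC's code).

Constructed assumptions:
- Requirement wording is simplified for illustration and is NOT the ACSC's
  official maturity level definitions; assess against those, not these.
- USERS, BACKUP and OTHER_LEVEL1 are made-up sample evidence.
"""
from dataclasses import dataclass
from typing import Dict, List

CONTROLS = (
    "application_control", "patch_applications", "office_macros",
    "user_app_hardening", "restrict_admin", "patch_os", "mfa", "backups",
)


@dataclass(frozen=True)
class Requirement:
    control: str
    level: int          # maturity level (1..3) this requirement belongs to
    description: str
    met: bool           # outcome of the evidence check


def all_users_covered(users: List[dict], key: str) -> bool:
    """Fleet-wide check: True only if every account passes; one exception fails it."""
    return all(u[key] for u in users)


def build_requirements(users: List[dict], backup: dict,
                       other_level1: Dict[str, bool]) -> List[Requirement]:
    """Turn raw evidence into per-control, per-level requirement outcomes."""
    reqs = [
        Requirement("mfa", 1, "MFA enforced for every user account, not just the owner",
                    all_users_covered(users, "mfa_enabled")),
        Requirement("backups", 1, "Backups taken daily and a copy kept off-site",
                    backup["daily"] and backup["offsite"]),
        Requirement("backups", 1, "A restore has actually been test-run from backup",
                    backup["restore_tested"]),
    ]
    # For the other six controls the sample evidence is a single Level One
    # pass/fail outcome the assessor has already established.
    for control in CONTROLS:
        if control not in ("mfa", "backups"):
            reqs.append(Requirement(control, 1,
                                    f"Level One checks for {control} pass fleet-wide",
                                    other_level1[control]))
    return reqs


def control_level(reqs: List[Requirement], control: str) -> int:
    """Score to the lowest gap: a control sits at level L only when every
    requirement at levels 1..L is met. A level with no requirements defined,
    or any unmet requirement, stops the climb."""
    level = 0
    for candidate in (1, 2, 3):
        tier = [r for r in reqs if r.control == control and r.level == candidate]
        if not tier or not all(r.met for r in tier):
            break
        level = candidate
    return level


def maturity_report(reqs: List[Requirement]) -> Dict[str, int]:
    return {c: control_level(reqs, c) for c in CONTROLS}


def overall_level(report: Dict[str, int]) -> int:
    """The organisation's level is its weakest control: attackers go there first."""
    return min(report.values())


def gaps(reqs: List[Requirement], target: int) -> List[str]:
    """Unmet requirements at or below the target level, i.e. the remediation list."""
    return [f"{r.control} (L{r.level}): {r.description}"
            for r in reqs if r.level <= target and not r.met]


# Constructed sample evidence (not real tenant data).
USERS = [
    {"upn": "owner@example.com.au", "mfa_enabled": True},
    {"upn": "alice@example.com.au", "mfa_enabled": True},
    {"upn": "bob@example.com.au", "mfa_enabled": False},   # the single exception
    {"upn": "helpdesk@example.com.au", "mfa_enabled": True},
]
BACKUP = {"daily": True, "offsite": True, "restore_tested": False}
OTHER_LEVEL1 = {
    "application_control": False, "patch_applications": True, "office_macros": True,
    "user_app_hardening": True, "restrict_admin": True, "patch_os": True,
}

if __name__ == "__main__":
    reqs = build_requirements(USERS, BACKUP, OTHER_LEVEL1)
    report = maturity_report(reqs)
    for control, level in report.items():
        print(f"{control:22s} Maturity Level {level}")
    print("Overall:", overall_level(report))
    for gap in gaps(reqs, target=1):
        print("  gap:", gap)
```

Run as-is, the sample lands at Maturity Level Zero overall even though five controls pass, because one user without MFA, an untested restore and missing application control each pull their control to Zero. The `gaps` list is the remediation plan, and the evidence behind each `met` flag (a user export, a restore log) is what an insurer or auditor will ask to see.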
A great deal of this maps directly onto Microsoft 365 settings such as Conditional Access, Defender policies and Intune configuration. Getting those settings right takes you a long way toward Level One, and our Microsoft 365 management work focuses on it for Sydney businesses every week.
What it costs an SMB to implement
No single price applies, because the cost depends on where you start, how many staff and devices you have, and which technology you already own. A lot of Essential Eight work uses capabilities already included in common Microsoft 365 business plans, so much of Maturity Level One comes down to configuration rather than new spending.
For a typical small Sydney business, the realistic costs fall into three buckets: an upfront assessment and remediation project, any licence upgrades or new tooling (for example, application control or improved backups), and ongoing management to keep maturity from slipping. Application control and operating system hardening take the most labour, while MFA and macro settings tend to land as quick wins. Folding the ongoing maintenance into a managed IT arrangement usually works out cheaper and steadier than running a series of one-off projects.
You control cost by getting clear about your target. Most SMBs can reach Level One across all eight controls without a large budget. Chasing Level Three when your risk profile does not call for it is where spending balloons. A short assessment tells you the gap, and from there the investment becomes predictable.
This article reflects best practices as of the publication date. Technology and security recommendations evolve, so verify current guidance with the original sources or our team before you act.
Frequently Asked Questions
What is the Essential Eight maturity model?
The Essential Eight maturity model is a framework published by the Australian Cyber Security Centre that describes how thoroughly a business has implemented eight key security controls. It uses four levels, from Maturity Level Zero to Maturity Level Three, so you can measure your progress and aim for a target that suits your risk.
What are the maturity levels in the Essential Eight?
There are four levels. Level Zero indicates weaknesses in your posture. Level One protects against attackers using common, off-the-shelf tools. Level Two protects against more capable attackers prepared to invest extra effort. Level Three protects against adaptive, well-resourced attackers targeting your organisation specifically. You should reach the same level across all eight controls before moving up.
Does my Sydney small business need to comply with the Essential Eight?
It is mandatory for most non-corporate Commonwealth entities, not for private businesses. However, government tenders, enterprise clients and cyber insurers increasingly ask which maturity level you have reached, and the Privacy Act expects reasonable security steps. For most Sydney SMBs, reaching Maturity Level One is both sensible protection and a strong commercial advantage.
How do I assess my Essential Eight maturity level?
Start by inventorying every device, application and user account, then score each of the eight controls against the ACSC maturity level definitions. A control only counts at a level if every requirement is met across your whole fleet, so one exception drops it. Gather evidence such as configuration screenshots and backup restore logs, and reassess regularly because maturity drifts over time.
How much does Essential Eight implementation cost for an SMB?
It varies with your starting point, staff and device numbers, and existing technology. Much of Maturity Level One is configuration of capabilities already included in common Microsoft 365 plans, so it is achievable without a large budget. Costs typically split into an upfront assessment and remediation project, any licence or tooling upgrades, and ongoing management, which is usually most cost-effective folded into a managed IT arrangement.