The Australian Essential Eight

The Essential Eight (ACSC)
1. Application control
2. Patch applications
3. Configure Microsoft Office macros
4. User application hardening
5. Restrict admin privileges
6. Patch operating systems
7. Multi-factor authentication
8. Regular backups
Maturity levels: ML 1, ML 2, ML 3
ACSC target: ML 2 for most orgs by 2025

Understand the ACSC’s Essential Eight cybersecurity controls and why they are the baseline for Australian organisations.


The Essential Eight is a set of baseline cybersecurity mitigation strategies developed by the Australian Cyber Security Centre (ACSC). Implementing all eight at Maturity Level 2 prevents the vast majority of cyberattacks targeting Australian organisations.

The Eight Mitigations at a Glance

ACSC Essential Eight — the baseline framework
① Application Control: Only approved apps can execute
② Patch Applications: Critical patches within 48 hours
③ Macro Settings: Block untrusted Office macros
④ User App Hardening: Block ads/Flash/Java in browsers
⑤ Restrict Admin Privs: Least privilege for all accounts
⑥ Patch OS: OS patches within 48 hours (critical)
⑦ Multi-Factor Auth: MFA on all remote access & admins
⑧ Regular Backups: Daily backups, tested, disconnected/immutable

The Three Maturity Levels

Maturity Level | Description | Target Org
ML1 | Partly aligned — mitigates opportunistic attacks | Minimum baseline
ML2 | Mostly aligned — mitigates targeted attacks | Most organisations
ML3 | Fully aligned — mitigates sophisticated attacks | Government, critical infra

The ACSC recommends Maturity Level 2 as the target for most Australian businesses. Most ransomware and targeted attacks would be prevented by a fully implemented ML2.

Why Each Mitigation Matters

① Application Control stops malware from executing. If only approved applications can run, ransomware dropped via phishing cannot launch.
② Patch Applications closes known vulnerabilities. Most exploits target vulnerabilities for which patches already exist.
③ Macro Settings blocks one of the most common malware delivery methods — malicious Office documents with embedded macros.
⑤ Restrict Admin Privileges limits what an attacker can do if they compromise an account. An attacker with a standard user account has far less reach than one with admin rights.
⑦ Multi-Factor Authentication protects accounts even when passwords are stolen. This single control stops the majority of credential-based attacks.
✓ Key Point
The Essential Eight is not a once-off project — it is an ongoing programme. Maturity levels should be assessed regularly. The ACSC publishes assessment guidance at cyber.gov.au. Many cyber insurance policies now require evidence of Essential Eight implementation.
⛔ Important
Patch timing is the most commonly failed Essential Eight control. The 48-hour requirement for critical patches is strict — many organisations patch on a monthly cycle, leaving a weeks-long window for attackers to exploit known vulnerabilities. If your organisation is on a monthly patch cycle, this needs to change for critical vulnerabilities.
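As an added illustration of the 48-hour rule above (not code from the ACSC or from this page's author), the following Python check flags critical patches that were applied late or are still missing, and reports how long each host stayed exposed. The record layout, host names, patch ids and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

CRITICAL_WINDOW = timedelta(hours=48)  # the page's deadline for critical patches

# Constructed sample inventory (hosts, patch ids and times are made up).
# "installed" is None when the patch has not been applied yet.
PATCHES = [
    {"host": "ws-01", "patch": "PATCH-A", "severity": "critical",
     "released": "2024-03-12T18:00:00+00:00", "installed": "2024-03-13T09:30:00+00:00"},
    {"host": "ws-02", "patch": "PATCH-A", "severity": "critical",  # waited for the monthly cycle
     "released": "2024-03-12T18:00:00+00:00", "installed": "2024-04-09T02:00:00+00:00"},
    {"host": "srv-01", "patch": "PATCH-A", "severity": "critical",
     "released": "2024-03-12T18:00:00+00:00", "installed": None},
    {"host": "srv-01", "patch": "PATCH-B", "severity": "moderate",
     "released": "2024-03-01T00:00:00+00:00", "installed": None},
]

def overdue_critical(patches, now, window=CRITICAL_WINDOW):
    """Return critical patches applied late or still missing past the window.

    Each finding carries the exposure time: release -> install, or
    release -> `now` for patches that are still pending.
    """
    findings = []
    for p in patches:
        if p["severity"] != "critical":
            continue  # only the critical-patch deadline is checked here
        released = datetime.fromisoformat(p["released"])
        installed = datetime.fromisoformat(p["installed"]) if p["installed"] else None
        exposure = (installed or now) - released
        if exposure > window:
            findings.append({
                "host": p["host"], "patch": p["patch"],
                "status": "late" if installed else "missing",
                "exposed_hours": round(exposure.total_seconds() / 3600, 1),
            })
    # Longest exposure first, so the worst gaps are triaged first.
    return sorted(findings, key=lambda f: f["exposed_hours"], reverse=True)

if __name__ == "__main__":
    as_of = datetime(2024, 4, 10, tzinfo=timezone.utc)
    for f in overdue_critical(PATCHES, as_of):
        print(f"{f['host']:7} {f['patch']:8} {f['status']:8} {f['exposed_hours']} h exposed")
```

In the sample data, the host patched on the monthly cycle shows 656 hours of exposure against a 48-hour deadline.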
How would your business score on the Essential Eight?
Cyber insurers and government contracts increasingly expect it — and most attacks it stops are the ones already targeting Australian businesses. Mobile Techs IT Service helps Gold Coast businesses implement the Essential Eight without the enterprise price tag — maturity assessments, application control, automated patching, restricted admin privileges, MFA rollout, and tested backups. Home users welcome too — on-site or remote, anywhere in Australia.