The Essential Eight in 2026: What's Changed and What SMBs Are Still Getting Wrong
TL;DR
- The Australian Signals Directorate (ASD) Essential Eight is the country's most practical cybersecurity baseline — eight controls that stop most attacks dead.
- In 2026, the ACSC has shifted from "nice to have" to "prove it with evidence" — maturity claims need audit trails, not just policy documents.
- Maturity Level 1 is the realistic, achievable starting point for most SMBs. Most businesses aren't even there yet.
- The biggest SMB failures: unpatched software, admin accounts handed out like candy, and backups that have never once been tested.
- You don't need a full security team to start. You need a plan, the right tools, and someone who won't let it slip for another quarter.
Introduction: The Attack That Cost More Than the Business Was Worth
Picture this. A three-person accounting firm in regional New South Wales. One shared admin password across all workstations. No MFA. Software last patched during the previous federal election. A ransomware crew finds them on a Friday afternoon, encrypts everything by Saturday morning, and demands $40,000 in cryptocurrency.
The firm paid. Then paid again to clean up the mess. Then paid a third time when their clients found out.
The total bill? More than the firm's annual profit.
Here's the brutal truth: every single thing that happened to that firm was preventable. Not just theoretically — preventable with controls that the Australian Cyber Security Centre (ACSC) has been publishing for free since 2017. Controls that are not complicated. Controls that do not require a full-time security team.
They're called the Essential Eight. And in 2026, there is simply no excuse for an Australian business not knowing what they are.
This post is going to break the Essential Eight down in plain English, tell you what's actually changed in 2026, and — most importantly — tell you where Australian SMBs keep screwing it up and how to stop.
No fluff. Let's go.
What Is the Essential Eight and Why Does It Exist?
The Essential Eight is a set of eight cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD), published and maintained by the Australian Cyber Security Centre (ACSC). Think of ASD as Australia's version of the NSA — the signals intelligence agency. When they publish a security framework, it's not marketing material. It's distilled knowledge from watching, tracking, and responding to real attacks against real Australian organisations [1].
The framework first appeared in 2017 as part of the broader "Strategies to Mitigate Cyber Security Incidents" — a list of 37 mitigation strategies. The Essential Eight are the top eight from that list. Not the eight that look good in a PowerPoint. The eight that data shows actually stop attackers.
The goal is simple: make your systems expensive enough to attack that criminals go pick on someone else. Most cybercriminals are not sophisticated nation-state hackers. They're running automated tools looking for easy targets. The Essential Eight raises the bar enough that opportunistic attacks — which represent the overwhelming majority of what hits Australian SMBs — bounce off [2].
The Maturity Level System
The framework uses four maturity levels:
- Maturity Level 0: You're not doing the thing. You're wide open.
- Maturity Level 1: You're implementing the basics. You'd survive a script kiddie, probably.
- Maturity Level 2: You're doing it well and can prove it. Most organised cybercriminals will move on.
- Maturity Level 3: You're operating against sophisticated, targeted attacks. Government-level threats.
For most SMBs, the goal is Maturity Level 1 as a floor, with a plan to reach Maturity Level 2 within 12–24 months. Anything above that is generally reserved for organisations handling sensitive government data or operating critical infrastructure [3].
What's New in 2026: The Rules Are Getting Stricter
The framework itself — the eight controls — hasn't changed. But how organisations are expected to prove compliance has shifted significantly heading into 2026.
Evidence Over Policy Documents
In previous years, an organisation could show an auditor a policy document that said "we patch within 48 hours" and largely get credit for it. Not anymore.
The ACSC has moved toward an evidence-based maturity model. If you claim Maturity Level 1 for patch management, you need to show:
- Patch cycle logs
- Timestamps
- Change management records
- Exception documentation
"We have a policy" is no longer sufficient. "Here is the patch log for the last six months" is [4].
Cloud Environments Are Now in Scope
A significant gap in the original Essential Eight guidance was that it was designed primarily for on-premises Windows environments. As SMBs have migrated to Microsoft 365, Google Workspace, AWS, and Azure, the original framework left significant grey areas.
In updated 2025/2026 ACSC guidance, cloud environments are explicitly addressed. This means:
- Microsoft 365 conditional access policies count toward MFA requirements
- Cloud storage backup configurations are now assessed against backup controls
- SaaS application configurations fall under user application hardening [5]
If your business runs primarily in the cloud — and most do in 2026 — the Essential Eight still applies. You just need to understand how the controls map to your cloud environment.
Maturity Level 2 Is Becoming the Expected Baseline for Mid-Sized Businesses
The signals coming from the ACSC are clear: for organisations handling sensitive customer data, providing managed services, or operating as SaaS platforms, Maturity Level 2 is moving from "aspirational" to "expected." Cyber insurers are already adjusting premiums based on E8 maturity, and some government procurement contracts now require demonstrable Essential Eight compliance [4].
For small businesses, Maturity Level 1 remains the realistic and acceptable starting point. But the trend is clear: the floor is rising.
AI-Generated Code and New Attack Surfaces
The ACSC has also flagged AI-generated code as a new consideration. As development teams use tools like GitHub Copilot and other AI coding assistants, code quality and security review processes need to account for AI-generated vulnerabilities that may not follow secure coding patterns. This affects application control and patching controls in particular — you can't control what you haven't reviewed [6].
The Eight Controls, Explained in Plain English
Let's break down each control with an ELI10 analogy so anyone in your organisation can understand why it matters.
1. Application Control
What it is: Only pre-approved software can run on your systems. If it's not on the list, it doesn't run.
ELI10 analogy: Imagine your computer is a nightclub with a bouncer. Only people on the VIP list get in. Ransomware tries to walk up to the door — bouncer says no. Done.
What it looks like in practice: Using Windows Defender Application Control (WDAC), AppLocker, or equivalent tools to create an allowlist of approved applications. Nothing outside the list executes, even if someone accidentally downloads something nasty.
Why SMBs skip it: It sounds complicated and they're worried about breaking legitimate software. In practice, starting with a blocklist (blocking known-bad) and gradually moving to an allowlist is a reasonable approach.
2. Patch Applications
What it is: Keep all your software up to date. Promptly.
ELI10 analogy: Software vulnerabilities are like leaving your front door unlocked. Patches lock the door. Every day you delay patching is another day the door sits open with a sign saying "robbers welcome."
What it looks like in practice: The ACSC recommends patching internet-facing applications within 48 hours for critical vulnerabilities, and within two weeks for everything else. At Maturity Level 1, this means having a documented patch process and sticking to it [1].
Why SMBs skip it: "We'll get to it." Then they don't. Then they get breached.
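To show what "evidence, not policy" looks like for this control, here is an added example (my own illustration, not the post's code or an ACSC tool) that reads patch-cycle log lines and produces the exception register an assessor would ask for. The windows it applies are the ones the post cites for applications (48 hours for critical vulnerabilities in internet-facing software, two weeks otherwise); the log format and the sample entries are constructed for the example.

```python
"""Patch-evidence checker: added example, not an ACSC tool or the post's own code.

Reads patch-cycle log lines (a constructed sample is embedded below) and reports
whether each patch landed inside its window: 48 hours for critical vulnerabilities
in internet-facing software, two weeks for everything else. Misses become the
exception register an assessor wants instead of a policy document.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Windows as stated in the post; assumed here to be the organisation's policy.
WINDOW_CRITICAL_INTERNET_FACING = timedelta(hours=48)
WINDOW_DEFAULT = timedelta(days=14)

# Constructed sample log. Columns: host,application,severity,internet_facing,
# released,applied. "applied" is empty while a patch is still outstanding.
SAMPLE_LOG = """\
host,application,severity,internet_facing,released,applied
web-01,nginx,critical,yes,2026-02-02T09:00,2026-02-03T15:30
web-01,openssl,critical,yes,2026-02-10T08:00,2026-02-13T10:00
fin-02,excel,high,no,2026-01-20T00:00,2026-01-28T12:00
fin-02,adobe-reader,critical,no,2026-01-05T00:00,
"""


@dataclass
class PatchRecord:
    host: str
    application: str
    severity: str
    internet_facing: bool
    released: datetime
    applied: Optional[datetime]

    def deadline(self) -> datetime:
        """Release time plus the window that applies to this record."""
        if self.severity == "critical" and self.internet_facing:
            return self.released + WINDOW_CRITICAL_INTERNET_FACING
        return self.released + WINDOW_DEFAULT

    def compliant(self, now: datetime) -> bool:
        """Applied before the deadline; an unapplied patch is compliant only
        while its deadline has not yet passed."""
        if self.applied is None:
            return now <= self.deadline()
        return self.applied <= self.deadline()


def parse_log(text: str) -> List[PatchRecord]:
    records = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        host, app, sev, facing, released, applied = line.split(",")
        records.append(PatchRecord(
            host=host, application=app, severity=sev.lower(),
            internet_facing=facing.lower() == "yes",
            released=datetime.fromisoformat(released),
            applied=datetime.fromisoformat(applied) if applied else None,
        ))
    return records


def exception_register(records: List[PatchRecord],
                       now: datetime) -> Tuple[int, List[str]]:
    """Return (number compliant, exception lines) for the assessor."""
    compliant, exceptions = 0, []
    for r in records:
        if r.compliant(now):
            compliant += 1
            continue
        status = f"applied {r.applied.isoformat()}" if r.applied else "OUTSTANDING"
        overdue = (r.applied or now) - r.deadline()
        exceptions.append(f"{r.host} {r.application} ({r.severity}) deadline "
                          f"{r.deadline().isoformat()} {status}, overdue by {overdue}")
    return compliant, exceptions


def run_sample() -> Tuple[int, List[str]]:
    """Evaluate the constructed log as at a fixed assessment date."""
    return exception_register(parse_log(SAMPLE_LOG), datetime(2026, 2, 15))


if __name__ == "__main__":
    ok, misses = run_sample()
    print(f"{ok} compliant, {len(misses)} exceptions")
    for line in misses:
        print("  " + line)
```

Run against your real patch log, the exception lines are the "exception documentation" item from the evidence list, with the deadline and overdue period already computed.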
3. Configure Microsoft Office Macros
What it is: Restrict which macros (automated scripts inside Office documents) are allowed to run.
ELI10 analogy: A macro is like a set of instructions hidden inside a Word document. "Open this document, run the script, install ransomware." Configuring macros means you decide which instructions are allowed — and by default, the answer is "almost none."
What it looks like in practice: Disable macros by default across your organisation. If specific macros are required for business processes, sign them with a trusted certificate and allow only those signed macros to run. Everything else: blocked.
Why SMBs skip it: Finance teams using Excel automation panic. The solution is proper signed macros — not leaving everything wide open.
4. User Application Hardening
What it is: Remove or disable features in common applications that attackers love to exploit. Browser plugins, Java, Flash, ad networks — anything that's a common attack vector and isn't needed for work.
ELI10 analogy: Your browser is like a Swiss Army knife. Most features are useful. But some of those features — the ones attackers exploit — are like leaving a loaded weapon on your desk. Hardening means putting those away.
What it looks like in practice: Disable Flash (already mostly dead), restrict browser extensions to approved lists, disable PDF Reader JavaScript execution, block ads and malicious content at the browser level. In a Microsoft 365 environment, this maps to Defender for Endpoint policies and browser configuration via Intune.
Why SMBs skip it: Nobody thinks about it until a browser extension turns out to be malware.
5. Restrict Administrative Privileges
What it is: Only give people admin rights if they absolutely need them. And even then, they should use a standard account for day-to-day work and an admin account only when required.
ELI10 analogy: Being an admin on a computer is like having the master key to every room in a building. Would you hand the master key to every employee? Of course not. So why does everyone in your office have admin access to their laptops?
What it looks like in practice: Audit who has admin rights. Revoke admin rights from user accounts that don't need them. Create separate admin accounts for IT staff that are only used for administrative tasks — not for checking emails or browsing the web. Implement Privileged Access Workstations (PAWs) at higher maturity levels.
Why SMBs skip it: "It's easier to just give everyone admin." Yes. It's also easier to just leave your office unlocked. Convenience is not a security strategy.
6. Patch Operating Systems
What it is: Keep your Windows, macOS, Linux, iOS, and Android systems up to date with security patches.
ELI10 analogy: Same as patching applications, but for the house itself rather than the furniture inside it. An unpatched operating system is a house with structural cracks — attackers can push right through.
What it looks like in practice: Enable automatic updates for operating systems. At Maturity Level 1, critical vulnerabilities must be patched within one month. At Maturity Level 2, within two weeks. Decommission operating systems that are no longer supported (yes, that means finally retiring Windows 10 machines) [1].
Why SMBs skip it: Legacy software that only runs on old operating systems. The answer is virtualisation or replacement — not running an unsupported OS on your live network.
7. Multi-Factor Authentication (MFA)
What it is: Require a second proof of identity beyond a password. A code from an app, a hardware key, a fingerprint — anything that means a stolen password alone isn't enough to get in.
ELI10 analogy: Your password is like a key. MFA is like a key plus a fingerprint scanner. A thief can steal your key. They can't steal your fingerprint (at least, not easily). Even if your password is leaked, MFA stops the attacker at the door.
What it looks like in practice: Enable MFA on every account that has it available — email, banking, cloud services, VPNs, anything externally accessible. At Maturity Level 1, this means internet-facing services. At Maturity Level 2, this extends to all privileged accounts. At Maturity Level 3, phishing-resistant MFA (hardware keys or passkeys) is required for everything [3].
Why SMBs skip it: "It's annoying." Being locked out of your email by a criminal who changed your password is more annoying. Enable MFA.
8. Regular Backups
What it is: Take regular, tested backups of your data and systems. Store them somewhere that ransomware can't reach. Verify they actually work by regularly testing restoration.
ELI10 analogy: Backups are your save game. If ransomware hits and encrypts everything, a good backup means you load from your last save and lose a day of work instead of losing the entire game. A bad backup — one you never tested — is a save file that's actually corrupted. You won't know until you need it most.
What it looks like in practice: Daily backups of critical data. Backups stored in a separate location that your production environment cannot write to (offline or immutable). Quarterly restoration tests to verify the backup actually works. At Maturity Level 2, you're testing restoration at least annually with documented results [1].
Why SMBs skip it: They have backups. They just haven't tested them. This is the biggest failure mode in the category — backups that exist but have never been verified.
Where SMBs Are Actually Failing: An Honest Assessment
Here's the uncomfortable reality. According to the ACSC's Annual Cyber Threat Report and independent assessments of SMB security posture across Australia, most small and medium businesses aren't even at Maturity Level 1 [7].
The specific failure patterns:
1. Patch lag is measured in months, not days. The ACSC requirement at ML1 is 48 hours for critical patches on internet-facing systems. Most SMBs patch whenever someone remembers, which averages out to "almost never." Unpatched vulnerabilities are the entry point for the majority of ransomware attacks on Australian businesses.
2. Admin accounts everywhere. Walk into almost any Australian SMB and you'll find that the person who manages the company Instagram is also a local administrator on their laptop. This isn't malicious — nobody told them it was dangerous. But it means a single phishing email can give an attacker god-mode access to the entire network.
3. MFA is enabled on personal email but not on business systems. SMB owners who would never dream of running their Gmail without MFA are running their business email — which contains sensitive client data, financial records, and signed contracts — with just a password. Often the same password they use for everything else.
4. Backups exist in theory. "We back up to an external drive." Okay. When did you last test restoring from it? "…" The backup that exists but has never been tested is security theatre. It feels safe without providing safety.
5. Macro controls are at the default "warn but allow" setting. The default Microsoft Office macro setting for many deployments is to warn the user that a macro is present and ask if they want to run it. Attackers have spent years crafting convincing warnings. "Enable content to view this invoice." One click. Ransomware.
6. No documentation of any of it. Even organisations doing the right things often can't prove it. No patch logs, no exception registers, no restoration test records. Without documentation, there's no maturity — just hope.
How to Get Started Without a Full-Time Security Team
The good news: the Essential Eight doesn't require a dedicated security team to implement at Maturity Level 1. It requires prioritisation and about 20–30 hours of focused work spread across 90 days.
Here's a realistic 90-day plan for an SMB starting from scratch:
Week 1–2: Assessment and Quick Wins
Start by finding out where you actually stand. The ACSC publishes a free self-assessment tool at cyber.gov.au. Go through it honestly. The results will be uncomfortable. That's fine — the point is to know the truth [8].
Quick wins that cost nothing and can be done immediately:
- Enable MFA on every business email account right now. Today. This alone stops most account takeover attacks.
- Run Windows Update on every machine. Patch what's patchable.
- Audit who has admin rights. Make a list.
Week 3–6: Structural Changes
- Remove admin rights from accounts that don't need them. Create dedicated admin accounts for IT management tasks.
- Configure Microsoft 365 (or Google Workspace) security baselines. Both platforms have free security configuration guides. Follow them.
- Set up your backup solution properly. Daily automated backups to a cloud location that's separate from your production environment. Schedule a restoration test.
Week 7–12: Process and Documentation
- Document your patch process. Even a simple "check for updates every Tuesday, apply critical patches within 48 hours" written down and followed is Maturity Level 1.
- Review and restrict browser extensions. Remove anything that isn't essential.
- Configure macro settings in Microsoft Office. Disable macros by default. If you need specific macros, sign them.
- Run your first restoration test from backup. Document the result.
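For the backup control above and this final step of the plan, here is an added example (my own illustration, not the post's code or any backup vendor's tool) of a restoration test that produces a documented result: a manifest of file digests taken at backup time, a verification pass over the restored tree, and a dated PASS/FAIL record. The files, directories and the broken restore are constructed in a temporary directory so the failure path is exercised.

```python
"""Backup restoration test with a documented result: added example, not the
post's own code or any vendor's tool.

At backup time, build a manifest of SHA-256 digests for every file. After a
test restore, verify every restored file against the manifest and emit a dated
test record (PASS/FAIL with missing and corrupt files listed). The demo below
uses constructed files and deliberately breaks one restore.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> sha256 for every file under root (taken at backup time)."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored: Path) -> dict:
    """Compare a restored tree against the manifest; return the test record."""
    missing, corrupt = [], []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            corrupt.append(rel)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(manifest),
        "missing": missing,
        "corrupt": corrupt,
        "result": "PASS" if not (missing or corrupt) else "FAIL",
    }


def demo() -> Tuple[dict, dict]:
    """Constructed scenario: one clean restore, one with a truncated file and a
    file that never came back."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "contracts").mkdir(parents=True)
        (live / "ledger.csv").write_text("date,amount\n2026-01-01,100\n")
        (live / "contracts" / "acme.txt").write_text("signed")
        manifest = build_manifest(live)  # captured when the backup is taken

        good = Path(tmp, "restore_good")
        shutil.copytree(live, good)
        bad = Path(tmp, "restore_bad")
        shutil.copytree(live, bad)
        (bad / "ledger.csv").write_text("date,amount\n")  # truncated on restore
        (bad / "contracts" / "acme.txt").unlink()          # never restored
        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))  # file this with your test records
```

The JSON record is the "documented result": keep the manifest with the backup and the record with your assessment evidence.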
Tools That Help (Most Are Free or Low-Cost)
- Microsoft Secure Score: Built into Microsoft 365. Shows your security posture and recommendations.
- ACSC Essential Eight Assessment Tool: Free from cyber.gov.au.
- CIS Benchmarks: Free configuration hardening guides for Windows, macOS, Microsoft 365.
- Veeam Community Edition: Free backup software for small environments.
- Cloudflare's free plan: Adds DNS-level filtering and some protection against malicious content.
When to Call for Help
If your business handles sensitive data — medical records, financial data, legal documents, client PII — don't DIY the entire thing. A few hours of professional cybersecurity consulting will save you far more in the long run than a breach will cost you.
The ACSC maintains a list of IRAP-assessed assessors who can perform Essential Eight assessments. For SMBs not yet ready for a full assessment, a gap analysis consultation is usually sufficient to build a credible roadmap [9].
Frequently Asked Questions
Q: Is the Essential Eight mandatory for my business?
Currently, the Essential Eight is mandatory for non-corporate Commonwealth entities (Australian federal government agencies) under the Protective Security Policy Framework. For private sector SMBs, it's not legally mandatory — but it's increasingly expected by cyber insurers, government procurement panels, and enterprise clients. Treating it as mandatory is smart business, regardless of the legal requirement [10].
Q: How long does it take to reach Maturity Level 1?
For a typical SMB with no existing security program, 60–90 days of focused effort is realistic. The 20–30 hour estimate above assumes you have someone internally who can dedicate time to this — even a technically inclined office manager or IT-savvy team member can implement most of ML1 with guidance.
Q: Do I need to implement all eight controls or can I pick the ones that apply?
The ACSC strongly recommends implementing all eight controls at the same maturity level before moving to the next level. The controls are designed to complement each other. Implementing only some of them leaves predictable gaps that attackers know to look for. If you must prioritise due to resource constraints, focus on MFA, patching, and backups first — these provide the highest protection-per-effort ratio.
Q: Does the Essential Eight cover cloud environments like Microsoft 365 and Google Workspace?
Yes — updated ACSC guidance explicitly maps the Essential Eight controls to cloud environments. MFA requirements apply to cloud service accounts. Backup requirements apply to cloud data. User application hardening applies to browser and SaaS configurations. Don't assume you're off the hook because you "don't have servers."
Q: What happens if I get assessed and fail?
For private sector businesses, there's currently no direct regulatory penalty for failing an Essential Eight assessment — unless you're in a regulated industry (financial services, healthcare, etc.) where other obligations apply. The real consequences are practical: higher cyber insurance premiums, lost government contracts, and the actual risk of being breached. Use a failed assessment as a roadmap, not a report card.
Q: How much does it cost to implement the Essential Eight?
Maturity Level 1 can largely be achieved using tools you already pay for (Microsoft 365, Windows Defender, built-in backup tools) plus free ACSC guidance. The main cost is time. Maturity Level 2 typically requires additional investment — endpoint detection and response (EDR) tools, managed backup solutions, and potentially external assessment. Budget $5,000–$15,000 for a credible ML2 uplift program for a small business, depending on complexity.
Q: Should I get formally assessed against the Essential Eight?
An independent assessment is not mandatory for most private sector businesses. A self-assessment using the ACSC's free tools is a legitimate starting point. If you're preparing for a government contract, going through cyber insurance procurement, or handling particularly sensitive data, an independent assessment by an IRAP-assessed assessor adds credibility and identifies gaps you might have missed.
The Bottom Line
The Essential Eight has been publicly available, free, and clearly documented since 2017. In 2026, Australian businesses are still getting breached because of vulnerabilities these controls would have prevented. That's not a technology problem. It's a prioritisation problem.
The ACSC's expectation is rising. Cyber insurers' expectations are rising. Your clients' expectations are rising. And the sophistication of attacks on Australian SMBs is not going down.
Maturity Level 1 is not a stretch goal. It's the bare minimum for any business that can't afford to lose a week of operations to ransomware — which is every business.
Start with MFA. Fix your patches. Test your backups. Document everything. That's 80% of the way to Maturity Level 1, and it will prevent the majority of attacks that Australian SMBs face.
If you want help building a practical, no-nonsense Essential Eight roadmap that fits your actual business (not a theoretical enterprise), that's exactly what the consulting practice is for.
Work With lilMONSTER
Ready to stop treating security as a "we'll get to it" item and start treating it like the business function it is?
The consulting practice at lil.business offers practical cybersecurity advice built for Australian SMBs — not enterprise frameworks watered down to fit, but ground-up guidance that accounts for your actual constraints, your actual team, and your actual risk profile.
Book a free 30-minute consultation →
No sales pitch. Just an honest conversation about where you stand and what's worth doing first.
Get Your Essential Eight Assessment Kit
The self-assessment is a starting point. To get audit-ready documentation that you can hand to your insurer, board, or enterprise clients, you need the templates.
The Essential Eight Assessment Kit gives you:
- Gap analysis worksheets for all 8 controls across all 4 maturity levels
- Evidence collection templates that satisfy ACSC assessment criteria
- A remediation priority matrix (highest-impact fixes first)
- ISO 27001 alignment mapping (kill two compliance birds with one stone)
References
[1] Australian Signals Directorate (ASD), "Essential Eight Maturity Model," Australian Cyber Security Centre, updated 2025. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
[2] Australian Signals Directorate (ASD), "Strategies to Mitigate Cyber Security Incidents," Australian Cyber Security Centre, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cyber-security-incidents
[3] Australian Signals Directorate (ASD), "Essential Eight," Australian Cyber Security Centre, 2025. [Online]. Available: https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight
[4] Australian Cyber Security Centre (ACSC), "ACSC Annual Cyber Threat Report 2023–2024," Australian Government, Canberra, 2024.
[5] Australian Signals Directorate (ASD), "Cloud Security Guidance," Australian Cyber Security Centre, 2025. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/cloud-services
[6] National Institute of Standards and Technology (NIST), "Secure Software Development Framework (SSDF) Version 1.1," NIST Special Publication 800-218, U.S. Department of Commerce, Gaithersburg, MD, 2022.
[7] Australian Cyber Security Centre (ACSC), "Small Business Cyber Security Guide," Australian Government, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/resources/small-business-cyber-security-guide
[8] Australian Signals Directorate (ASD), "Essential Eight Assessment Process Guide," Australian Cyber Security Centre, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-assessment-process-guide
[9] Australian Signals Directorate (ASD), "Information Security Registered Assessors Program (IRAP)," 2025. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/assessment-and-evaluation-programs/irap
[10] Department of Home Affairs, "Protective Security Policy Framework (PSPF)," Australian Government, updated 2024. [Online]. Available: https://www.protectivesecurity.gov.au/policies/cyber-security
[11] R. Lemos, "Ransomware hits Australia harder as government tightens cyber standards," MIT Technology Review, Jan. 2025.
[12] Centre for Internet Security (CIS), "CIS Controls Version 8," CIS Benchmarks, 2023. [Online]. Available: https://www.cisecurity.org/controls/v8