TL;DR

If you run a small or medium business in Australia, Essential Eight Maturity Level 1 is the most practical baseline for reducing common cyber risks without building an enterprise security program. The goal is not perfection; it is to make phishing, ransomware, malicious macros, unpatched software, and stolen passwords much harder to turn into a real business outage.

Why Essential Eight Level 1 matters for Australian SMBs

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) designed the Essential Eight to cut off the most common attack paths, and its maturity model grades each of the eight controls from Level 0 (not implemented) to Level 3. For SMBs with one or two IT-capable staff, Maturity Level 1 is usually the right starting point because it asks for consistent, repeatable basics rather than complex security engineering, and because the ACSC expects all eight controls to be raised together rather than one control pushed to Level 3 while the others sit at zero.

That matters because most real-world incidents still start with known weaknesses: unpatched systems, over-privileged accounts, weak authentication, and poor recovery readiness. Recent threat reporting continues to show attackers moving quickly on known vulnerabilities and using commodity malware, phishing, and infostealers against smaller organisations that assume they are too small to matter. In practice, Level 1 is about getting the fundamentals under control before chasing advanced tooling.

The 8-control checklist: what to do first

1. Application control

Stop unauthorised software from running. At Level 1 the ACSC expects application control on workstations, applied to user profiles and to the temporary folders used by the operating system, web browsers, and email clients, and covering executables, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets.

  1. Make a list of approved business apps for Windows, macOS, browsers, PDF tools, remote support, and line-of-business software.
  2. Use built-in controls where possible: AppLocker or Windows Defender Application Control (now called App Control for Business) on supported Windows editions, and device management policies for Macs.
  3. Start small: run in audit mode first, then block scripts and unknown executables in the locations users can write to, such as Downloads, Temp, and AppData, before widening the policy.

Budget-friendly option: Microsoft 365 Business Premium, which includes Intune, can cover a lot for small teams already in the Microsoft stack.
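The steps above as a script, added here as an example rather than code from the ACSC or the original article. It generates an AppLocker policy that allows code from Program Files and Windows, leaves everything else (Downloads, Temp, AppData, the rest of the user profile) to AppLocker's implicit deny, deploys it in audit-only mode, dry-runs it against files already in the profile, and pulls the audit events you would review before enforcing. It assumes Windows 10/11 Pro or Enterprise with the AppLocker cmdlets and an administrator session; the rule names, output path, and exception list are this example's choices.

```powershell
# Added example, not from the ACSC or the original article.
# Assumes Windows 10/11 Pro or Enterprise, AppLocker cmdlets available, run as admin.
$PolicyPath = "$env:ProgramData\E8\applocker-audit.xml"
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# Folders under %WINDIR% that standard users can write to. The default "allow
# Windows" rule would let code run from them, so they are carved out.
# Partial list (assumption): audit your own image for more.
$WindowsExceptions = '%WINDIR%\Temp\*', '%WINDIR%\Tasks\*', '%WINDIR%\tracing\*'

function New-PathRule {
    param([string]$Name, [string]$Path, [string]$Sid = 'S-1-1-0', [string[]]$Exceptions = @())
    $ex = ''
    if ($Exceptions.Count -gt 0) {
        $ex = '<Exceptions>' + (($Exceptions | ForEach-Object { "<FilePathCondition Path=`"$_`"/>" }) -join '') + '</Exceptions>'
    }
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">" +
        "<Conditions><FilePathCondition Path=`"$Path`"/></Conditions>$ex</FilePathRule>"
}

function New-RuleCollection {
    param([string]$Type)
    # Fresh GUIDs for every collection: rule IDs must be unique across the policy.
    $rules = @(
        New-PathRule -Name "Allow Program Files ($Type)" -Path '%PROGRAMFILES%\*'
        New-PathRule -Name "Allow Windows minus user-writable dirs ($Type)" -Path '%WINDIR%\*' -Exceptions $WindowsExceptions
        New-PathRule -Name "Allow Administrators everything ($Type)" -Path '*' -Sid 'S-1-5-32-544'
    )
    "<RuleCollection Type=`"$Type`" EnforcementMode=`"AuditOnly`">" + ($rules -join '') + '</RuleCollection>'
}

# Exe, Script and Msi first. Level 1 also covers software libraries, so add the
# Dll collection once the Exe audit is clean; it needs its own audit pass.
$collections = ('Exe', 'Script', 'Msi' | ForEach-Object { New-RuleCollection -Type $_ }) -join ''
$policyXml   = '<AppLockerPolicy Version="1">' + $collections + '</AppLockerPolicy>'
[xml]$policyXml | Out-Null            # throws if the XML is malformed
Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8

# Apply as local policy (use -Ldap "LDAP://..." to target a GPO instead) and make
# sure the Application Identity service, which evaluates the rules, is running.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
try { Set-Service -Name AppIDSvc -StartupType Automatic -ErrorAction Stop }
catch { Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc' -Name Start -Value 2 }  # newer builds refuse the service API
Start-Service -Name AppIDSvc

# Dry run: what would the policy decide for code already sitting in the profile?
foreach ($dir in "$env:USERPROFILE\Downloads", $env:LOCALAPPDATA) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue |
        Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone |
        Where-Object PolicyDecision -ne 'Allowed' |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# After a week or two in audit mode, review the "would have been blocked" events
# (8003 for EXE/DLL, 8006 for MSI and Script), add rules for legitimate software,
# then change EnforcementMode to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Path rules are the cheapest place to start for a small team; the trade-off is that anything a user can write into an allowed path will run, which is why the %WINDIR% exceptions matter and why audit mode comes before enforcement. Publisher rules for your line-of-business vendors are the next step once the audit log is quiet.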

2. Patch applications

Patch internet-facing and user-facing apps fast. Level 1 sets concrete timeframes: patches for online services within two weeks of release, or within 48 hours if an exploit exists; patches for office suites, browsers and their extensions, email clients, PDF software, and security products within one month; and applications the vendor no longer supports removed.

  1. Inventory your key applications: browsers, Microsoft 365 apps, Adobe Reader, Java, VPN clients, accounting software, remote access tools, and browser extensions.
  2. Turn on automatic updates wherever possible, run a vulnerability scanner (at least daily for online services, at least fortnightly for the applications above), and assign one person to review failed updates weekly.
  3. Prioritise applications commonly abused in attacks, especially browsers, Office, PDF readers, collaboration tools, and remote management software.

Budget-friendly option: Ninite Pro, Microsoft Intune, or vendor auto-update features. A simple spreadsheet is still better than no asset register.

3. Configure Microsoft Office macros

Reduce macro-based malware risk. Level 1 asks for four things: macros disabled for users with no demonstrated business need, macros in files that came from the internet blocked, macro antivirus scanning enabled, and macro security settings that users cannot change.

  1. Block macros in files from the internet across Word, Excel, and PowerPoint using Microsoft security baselines or Group Policy, and disable macros entirely for everyone who has not shown a business need. Microsoft blocks internet-origin macros by default, but policy is what stops a user from unblocking the file.
  2. Identify any legitimate macro users and move them to digitally signed macros from a trusted publisher only (a Level 2 requirement, but cheap to do early).
  3. Train staff that emailed spreadsheets asking them to “Enable Content” should be treated as suspicious by default.

Budget-friendly option: Group Policy for on-prem Windows or Intune configuration profiles for Microsoft 365 tenants.
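A check for the macro settings above, added here as an example and not taken from the ACSC or the original article. It reads the Office policy values that map to the four Level 1 macro requirements and, with -Fix, writes them into the HKCU Policies hive, which Trust Center cannot override. It assumes Microsoft 365 Apps or Office 2016+ (registry version 16.0) and a single user profile; the value names are Microsoft's, the function names and the choice of applications are this example's. Group Policy or Intune remains the way to roll the same values out fleet-wide.

```powershell
# Added example, not from the ACSC or the original article.
# Assumes Office 16.0 registry layout (Microsoft 365 Apps / Office 2016+).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint', 'Access'   # Outlook uses a different value ("Level"); handle it separately

# Per-application values. VBAWarnings 4 = "disable all without notification",
# the right default for staff with no demonstrated business need. For the few
# who do need macros, 3 (only digitally signed) plus a trusted publisher list
# is the usual step up.
$PerApp = [ordered]@{
    blockcontentexecutionfrominternet = 1   # block macros in files carrying the Mark of the Web
    VBAWarnings                       = 4
}
# Macro Runtime Scan Scope 2 = scan all documents through AMSI (Level 1: macro antivirus scanning enabled).
$Common = [ordered]@{ MacroRuntimeScanScope = 2 }

function Test-E8MacroSetting {
    param([string]$Key, [string]$Name, [int]$Expected, [string]$App, [switch]$Fix)
    $actual = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    $ok = ($actual -eq $Expected)
    if (-not $ok -and $Fix) {
        New-Item -Path $Key -Force | Out-Null
        Set-ItemProperty -Path $Key -Name $Name -Value $Expected -Type DWord
        $ok = $true
    }
    [pscustomobject]@{ App = $App; Setting = $Name; Expected = $Expected; Actual = $actual; Compliant = $ok }
}

function Get-E8MacroPolicy {
    param([switch]$Fix)
    # Values under HKCU\Software\Policies are policy settings: the Trust Center UI
    # shows them greyed out, which is what "users cannot change" means in practice.
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
    foreach ($app in $Apps) {
        foreach ($name in $PerApp.Keys) {
            Test-E8MacroSetting -Key "$base\$app\Security" -Name $name -Expected $PerApp[$name] -App $app -Fix:$Fix
        }
    }
    foreach ($name in $Common.Keys) {
        Test-E8MacroSetting -Key "$base\Common\Security" -Name $name -Expected $Common[$name] -App 'Common' -Fix:$Fix
    }
}

Get-E8MacroPolicy | Format-Table -AutoSize
# Get-E8MacroPolicy -Fix   # enforce for this profile; a non-compliant row is a gap to close in GPO or Intune
```

Run it without -Fix on a few machines first: a row with Actual empty means no policy is set at all, so the user is running on Microsoft's defaults and can click through them.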

4. User application hardening

Remove risky features users do not need. Level 1 is specific about browsers: they must not run Java from the internet or show web advertisements from the internet, Internet Explorer 11 must be disabled or removed, and users must not be able to change browser security settings. (Flash no longer features in the model; supported browsers dropped it years ago.)

  1. Enforce those browser settings by policy, and harden Microsoft Office and PDF readers with the same tooling (blocking Office and PDF readers from spawning child processes or activating OLE packages is a Level 2 item, but it is the same configuration profile).
  2. Use Defender SmartScreen or an equivalent to block downloads from untrusted sites, and restrict unnecessary scripting where practical.
  3. Standardise on one browser and one PDF reader to make patching, policy, and support easier.

Budget-friendly option: Microsoft Edge with security baselines, Chrome Enterprise policies, and Defender SmartScreen.

How to implement the harder controls without a dedicated security team

5. Restrict administrative privileges

Admin rights should be rare, named, and monitored. Level 1 requires that requests for privileged access are validated when first made, that privileged accounts cannot browse the internet or read email, and that admins work from separate privileged and unprivileged environments (ordinary accounts cannot log on to admin systems, and admin accounts are not used for day-to-day work on ordinary workstations).

  1. Remove local admin from day-to-day user accounts, including managers and IT generalists.
  2. Create separate admin accounts for administration tasks only, use them only when needed, and block them from internet browsing and email.
  3. Review privileged accounts monthly and disable shared or stale admin credentials.

Budget-friendly option: Windows LAPS for local admin password management and Entra ID role separation for cloud admin tasks.
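An audit for the first and third steps, added here as an example and not taken from the ACSC or the original article. It lists the local Administrators group against an approved list, reports enabled local accounts that have not signed in for 90 days, and with -Remove strips unapproved members. It assumes Windows 10/11 with the built-in LocalAccounts module and an administrator session; the approved names and the CONTOSO group are placeholders for your own.

```powershell
# Added example, not from the ACSC or the original article.
# Assumes Windows 10/11 with the LocalAccounts module, run as admin.
$Approved = @(
    'Administrator',             # built-in, password rotated by Windows LAPS
    'it-admin'                   # assumption: a named admin-only account, used only for admin tasks
)
$ApprovedGroups = @('CONTOSO\Workstation Admins')   # assumption: the one domain or Entra group that holds admin rights

function Get-E8LocalAdminAudit {
    param([switch]$Remove)
    # Get-LocalGroupMember throws on orphaned SIDs (deleted domain accounts);
    # remove those with the GUI or "net localgroup" before running this.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $full     = $_.Name                  # COMPUTER\user, DOMAIN\group or AzureAD\user
        $short    = $full.Split('\')[-1]
        $isGroup  = $_.ObjectClass -eq 'Group'
        $approved = if ($isGroup) { $full -in $ApprovedGroups } else { $short -in $Approved }
        if (-not $approved -and $Remove) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $_
        }
        [pscustomobject]@{
            Member   = $full
            Class    = $_.ObjectClass
            Source   = $_.PrincipalSource    # Local, ActiveDirectory, AzureAD or MicrosoftAccount
            Approved = $approved
            Action   = if ($approved) { 'keep' } elseif ($Remove) { 'removed' } else { 'REVIEW' }
        }
    }
}

function Get-E8StaleLocalAccounts {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    # LastLogon is empty for accounts that have never signed in; treat those as stale too.
    Get-LocalUser | Where-Object { $_.Enabled -and ((-not $_.LastLogon) -or ($_.LastLogon -lt $cutoff)) } |
        Select-Object Name, LastLogon, PasswordLastSet, Description
}

Get-E8LocalAdminAudit | Format-Table -AutoSize
Get-E8StaleLocalAccounts | Format-Table -AutoSize
# Get-E8LocalAdminAudit -Remove                            # enforce once every REVIEW row is understood
# Get-LocalUser -Name 'stale-account' | Disable-LocalUser  # disable stale accounts you are not ready to delete
```

Run it in report mode across the fleet first (Intune scripts or a scheduled task work), keep the CSV as the monthly review record, and only then run with -Remove. The day-to-day account of the person who runs this should itself appear as a REVIEW row if it is still a local admin.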

6. Patch operating systems

Operating system patching is still one of the highest-value controls. Level 1 timeframes: internet-facing servers and network devices within two weeks of a patch, or 48 hours if an exploit exists; workstations, internal servers, and internal network devices within one month; unsupported operating systems replaced.

  1. Enable automatic updates for Windows, macOS, iOS, Android, and network devices where vendor support still exists.
  2. Replace or isolate unsupported systems such as old Windows versions or legacy NAS devices.
  3. Set a simple rule: critical OS patches are reviewed weekly and deployed on a documented schedule that meets the timeframes above.

Budget-friendly option: Windows Update for Business, Intune, Apple Business Manager, or native update services.
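One script that serves both patching controls (applications above in section 2, and the operating system here), added as an example rather than code from the ACSC or the original article. It builds the application inventory from the registry Uninstall keys (not Win32_Product, which is slow and can trigger MSI repairs), tags the application families that Level 1 gives a one-month deadline, summarises the OS build and most recent update, and writes a dated CSV that can stand in for the asset register. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the keyword map, output folder, and the 31-day threshold are this example's choices.

```powershell
# Added example, not from the ACSC or the original article.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs (Chrome, Teams, Zoom ...)
)

# DisplayName substrings for the families Level 1 names explicitly (office suites,
# browsers and extensions, email clients, PDF software, security products); "Remote"
# is added because remote-access tools are a favourite target. Assumption: extend
# this map for your line-of-business software.
$Priority = [ordered]@{
    Browser  = 'Google Chrome', 'Microsoft Edge', 'Firefox'
    Office   = 'Microsoft 365', 'Microsoft Office', 'LibreOffice'
    PDF      = 'Adobe Acrobat', 'Foxit', 'PDF'
    Security = 'Defender', 'Antivirus', 'Endpoint'
    Remote   = 'TeamViewer', 'AnyDesk', 'Remote Desktop', 'Splashtop'
}

function Get-E8SoftwareInventory {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            $name = $_.DisplayName
            $category = 'Other'
            foreach ($entry in $Priority.GetEnumerator()) {
                if ($entry.Value | Where-Object { $name -like "*$_*" }) { $category = $entry.Key; break }
            }
            [pscustomobject]@{
                Name        = $name
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate          # yyyyMMdd string where the installer recorded one
                Category    = $category
                # Level 1: the named families within one month of a patch; online
                # services within two weeks, or 48 hours if an exploit exists.
                PatchSLA    = if ($category -eq 'Other') { 'set by business' } else { '1 month' }
            }
        } | Sort-Object Name -Unique
}

function Get-E8OsPatchStatus {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days = if ($last) { [int]((Get-Date) - $last.InstalledOn).TotalDays } else { $null }
    [pscustomobject]@{
        OS           = $os.Caption
        Build        = $os.BuildNumber
        LastHotFix   = $last.HotFixID
        InstalledOn  = $last.InstalledOn
        DaysSince    = $days
        # Workstations and internal servers: within one month of release. Get-HotFix is
        # a proxy (it lists QFE records, not every update type); pair it with Windows
        # Update for Business reports for the authoritative picture.
        OverOneMonth = ($null -eq $days) -or ($days -gt 31)
    }
}

$reportDir = "$env:ProgramData\E8"
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$inventory = Get-E8SoftwareInventory
$inventory | Export-Csv -Path "$reportDir\inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$inventory | Where-Object Category -ne 'Other' | Format-Table Name, Version, Category, PatchSLA -AutoSize
Get-E8OsPatchStatus | Format-List
```

The CSV is the spreadsheet the text mentions, produced by the machine rather than by hand; diffing this week's file against last week's shows what changed without anyone noticing. It does not tell you which versions are vulnerable, which is what the fortnightly vulnerability scan is for.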

7. Multi-factor authentication

MFA should protect the accounts that matter most first. Level 1 expects MFA on the organisation's own internet-facing services and on third-party online services that hold its data, and it must be a real second factor: something the user has plus something they know, or something they have that is unlocked by a PIN or biometric.

  1. Turn on MFA for email, Microsoft 365, Google Workspace, VPN, remote desktop gateways, password managers, and finance platforms.
  2. Prefer app-based authenticators, or phishing-resistant methods such as passkeys and FIDO2 security keys, over SMS wherever possible.
  3. Apply Conditional Access (Entra ID P1, included in Business Premium; use security defaults on tenants without it) for admin accounts first, then all staff, then contractors and suppliers with access.

Budget-friendly option: Microsoft Authenticator, Google Authenticator, or built-in MFA from Microsoft 365 Business Premium.
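A coverage report for Microsoft 365 tenants, added here as an example rather than code from the ACSC or the original article. It lists every enabled member user and classifies their registered authentication methods as phishing-resistant, app-based, SMS/voice only, or none, which is the evidence behind the "MFA enabled for all users" proof point. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can consent to the two read scopes; the function and variable names are this example's. Registration is not enforcement: Conditional Access or security defaults does the enforcing, and this report finds who would be locked out or left on SMS when it does.

```powershell
# Added example, not from the ACSC or the original article.
# Assumes the Microsoft.Graph PowerShell SDK and an admin who can consent to these scopes.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Method types as Graph reports them, grouped by how they stand up to phishing.
$PhishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',                     # passkeys / security keys
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
$AppBased = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod'
)
$SmsOrVoice = @('#microsoft.graph.phoneAuthenticationMethod')
# passwordAuthenticationMethod, emailAuthenticationMethod (self-service reset only)
# and temporaryAccessPassAuthenticationMethod are ignored: none is a second factor.

function Get-E8MfaCoverage {
    Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName, UserType |
        Where-Object UserType -eq 'Member' |
        ForEach-Object {
            $types = Get-MgUserAuthenticationMethod -UserId $_.Id |
                ForEach-Object { $_.AdditionalProperties['@odata.type'] }
            $status = if     ($types | Where-Object { $_ -in $PhishingResistant }) { 'phishing-resistant' }
                      elseif ($types | Where-Object { $_ -in $AppBased })          { 'app-based' }
                      elseif ($types | Where-Object { $_ -in $SmsOrVoice })        { 'SMS/voice only' }
                      else                                                          { 'NO MFA REGISTERED' }
            [pscustomobject]@{
                User    = $_.UserPrincipalName
                Status  = $status
                Methods = (($types -replace '^#microsoft\.graph\.', '') -join ', ')
            }
        }
}

$coverage = Get-E8MfaCoverage
$coverage | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
# The remediation list: anyone holding an admin role first, then the rest.
$coverage | Where-Object Status -in @('NO MFA REGISTERED', 'SMS/voice only') | Format-Table -AutoSize
```

Guest accounts are skipped on purpose; contractors and suppliers with standing access are better handled as a separate Conditional Access policy and reviewed with the same report filtered on UserType eq 'Guest'.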

8. Regular backups

Backups are your recovery control when prevention fails. Level 1 wants backups of data, applications, and settings retained according to business need, synchronised so everything can be restored to a common point in time, kept where unprivileged accounts cannot modify or delete them, and tested as part of a disaster recovery exercise.

  1. Back up Microsoft 365 or Google Workspace data, file shares, finance systems, and critical workstation data.
  2. Follow the 3-2-1 principle: three copies, on two media types, with one copy offline or immutable, and make sure ordinary user accounts cannot delete or overwrite backups (ransomware runs with the rights of the user who opened it).
  3. Test restores quarterly, including one file restore and one full business-critical system restore, and record the result.

Budget-friendly option: Veeam, MSP360, Synology Active Backup, or cloud backup services with immutable retention.
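A way to make the quarterly file-restore test produce evidence, added here as an example and not taken from the ACSC or the original article. Before the test it hashes a random sample of files from the live share into a manifest; you then restore exactly those files from the backup product to a scratch folder; afterwards it compares hashes and appends a dated line to a log that the monthly review can read. The paths are placeholders, and the restore itself is driven by whatever backup tool you use.

```powershell
# Added example, not from the ACSC or the original article.
# Paths are placeholders; the restore step happens in your backup product.
function New-E8RestoreManifest {
    param([string]$Source, [string]$Manifest, [int]$Sample = 50)
    $root = $Source.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File | Get-Random -Count $Sample |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length + 1)
                Length       = $_.Length
                Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $Manifest -NoTypeInformation
}

function Test-E8Restore {
    param([string]$Restored, [string]$Manifest, [string]$Log)
    $results = @(Import-Csv -Path $Manifest | ForEach-Object {
        $path = Join-Path -Path $Restored -ChildPath $_.RelativePath
        $hash = if (Test-Path -LiteralPath $path) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { 'MISSING' }
        [pscustomobject]@{ File = $_.RelativePath; Expected = $_.Sha256; Actual = $hash; Match = ($hash -eq $_.Sha256) }
    })
    $failed  = @($results | Where-Object { -not $_.Match })
    $verdict = if ($failed.Count -eq 0) { 'OK' } else { 'FAILED' }
    $line    = '{0} restore test {1}: {2}/{3} files verified from {4}' -f (Get-Date -Format 's'), $verdict, ($results.Count - $failed.Count), $results.Count, $Manifest
    Add-Content -Path $Log -Value $line
    $failed        # no output means every sampled file came back byte-for-byte
}

# Quarterly run (assumed paths):
New-E8RestoreManifest -Source 'D:\Shares\Finance' -Manifest 'C:\E8\finance-manifest.csv'
# ... restore the files listed in the manifest from backup to C:\RestoreTest\Finance ...
Test-E8Restore -Restored 'C:\RestoreTest\Finance' -Manifest 'C:\E8\finance-manifest.csv' -Log 'C:\E8\restore-tests.log'
```

Keep the manifest and log somewhere the backup job does not write to, and run the manifest step from an unprivileged account: if that account can also delete the backup target, the second Level 1 backup requirement is not met regardless of how the restore test goes.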

A simple 30-day rollout plan for SMB owners

Week 1: Turn on MFA, enable automatic patching, and identify unsupported systems.
Week 2: Remove unnecessary admin rights and block internet-origin macros.
Week 3: Harden browsers, Office, and PDF tools; start application allowlisting in high-risk locations.
Week 4: Verify backups with a restore test and document the eight controls in a one-page checklist owners can review monthly.

For most Australian SMBs, the biggest mistake is treating Essential Eight as a paperwork exercise. Level 1 works when each control has an owner, a review date, and a basic proof point such as “MFA enabled for all users” or “restore test completed this quarter”.

FAQ

Is Essential Eight mandatory for Australian SMBs?

Not for every SMB, but it is a widely recognised baseline from the ACSC and often influences insurer, client, and supply-chain expectations. Even where it is not mandatory, it is a sensible minimum standard.

Do we need expensive security tools to reach Level 1?

No. Many SMBs can get most of the way there using Microsoft 365 Business Premium, native operating system controls, auto-update settings, and a reliable backup platform.

Which control should we start with?

MFA is usually the fastest high-impact win, especially for email, remote access, and admin accounts. After that, patching and backup verification give strong risk reduction quickly.

Can a small business realistically maintain Level 1?

Yes, if the scope is kept practical. One internal owner, one checklist, one monthly review, and a trusted external adviser for setup or quarterly validation is often enough for Level 1.

Conclusion

Essential Eight Maturity Level 1 is the right place for many Australian SMBs to start because it focuses on practical controls that reduce common attacks without requiring a large security team. If you assign owners, standardise tools, and verify patching, MFA, admin access, and backups every month, you will be in a much stronger position than most small businesses.

Visit consult.lil.business for a free cybersecurity assessment.

References

  1. Australian Cyber Security Centre: Essential Eight Explained
    https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-explained

  2. Australian Cyber Security Centre: Essential Eight Maturity Model
    https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model

  3. Australian Cyber Security Centre: Strategies to Mitigate Cyber Security Incidents
    https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents

  4. Australian Cyber Security Centre: Implementing Multi-factor Authentication
    https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/multi-factor-authentication

  5. NIST: Guide to Enterprise Patch Management Technologies
    https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final

TL;DR

  • Hackers are using AI like a super-coach — it helps them attack faster and smarter. Defenders are mostly stuck running old plays [1].
  • Almost every security team thinks they can spot ransomware, but about half the time, they spot it too late to stop the damage [1].
  • Company leaders and boards are paying attention now — 97% of boards are asking what the plan is [1].
  • There are real steps any business can take today to catch up and close the gap.

What's Going On? (The Sports Analogy)

Imagine two basketball teams. The attacking team just hired an incredible AI coaching staff that studies every defender's moves, finds weaknesses in seconds, and draws up perfect plays on the fly [1][7]. The offense is scoring almost every possession.

The defending team? Same playbook from a couple years ago. Their coach is good, but human-speed — not AI-speed [1].

That's what's happening in cybersecurity right now. A survey of 100 top security leaders found that 78% say AI has made hackers more dangerous, but only 6% say AI has helped their defenses [1]. That's a 13-to-1 scoring advantage for the bad guys.

If Defenders Know Ransomware Is Coming, Why Does It Still Work?

Here's the weird part: 99% of security leaders say they're confident they can spot ransomware. But when you ask what happened during their last attack, 49% admit they caught it too late [1]. It's like a goalie who says "I can see every shot" but still lets half of them in.

A big reason is that defenders are relying on tools — mostly called EDR (endpoint detection and response) — that were built for a slower game. Ninety-eight percent of teams use EDR, but only 25% actually trust it to stop today's attacks [1]. Meanwhile, hackers are finding and exploiting software weaknesses twice as fast as last year — going from 71 major exploited flaws to 146 in just one year [2].

As one security expert put it: "Predictive lead time is a thing of the past" [2]. In other words, defenders used to have weeks to prepare. Now they have days, sometimes hours.

Why Are Company Bosses Getting Involved?

This used to be just an IT problem. Not anymore. 97% of company boards are now asking about ransomware defense [1]. Almost two-thirds rank it a top-three business problem [1].

Why? Because 89% of affected companies said ransomware disrupted their actual business operations [1] — lost revenue, angry customers, real damage. When that happens, the board wants answers [3].

How Can Your Team Catch Up?

The good news: you don't have to accept being outscored. Here's how businesses are closing the gap:

  1. Upgrade the playbook. Stop relying only on old defensive tools. Add AI-powered security that can keep up with AI-powered attacks [6][8].
  2. Guard the keys, not just the doors. Hackers target passwords and user accounts more than network walls now. Use strong multi-factor authentication for everyone [3].
  3. Patch fast. When software companies release fixes for security holes, install them in days — not weeks. Most attacks start from holes that already have patches available [2].
  4. Test your backups for real. Having backups isn't enough. Practice restoring them under pressure so you know they actually work [3].
  5. Make it a team effort from the top. The CEO and board need to own ransomware defense, not just the IT team. Set real goals and review them regularly [1][3].

FAQ

What is "the ransomware gap"?

The ransomware gap is the difference between how ready companies think they are and how ready they actually are. A survey found that almost all security leaders feel confident about catching ransomware, but about half the time they catch it too late to stop it from causing damage [1].

How does AI help hackers?

AI helps hackers write better attack code, find weaknesses in defenses faster, and send more convincing fake emails — all at a speed that humans can't match on their own. It's like giving a sports team an AI coach that never sleeps and knows every opponent's weakness [1][7].

What is EDR, and why isn't it enough on its own?

EDR stands for "endpoint detection and response." It's software that watches your computers and devices for signs of attack. It's still important, but it was built for a slower kind of threat. Today's AI-powered attacks can slip past it, which is why only 25% of security leaders trust it to stop modern ransomware [1].

Where should a business start?

Start with identity — make sure every account in your company uses strong multi-factor authentication and only has access to what it actually needs. Most ransomware attacks in 2026 start with stolen or weak credentials, not by breaking through firewalls [3].


Want Help Getting Your Defense Up to Speed?

At lil.business, we help small and mid-size businesses build ransomware defenses that actually work — not just on paper, but when it counts. We'll help you figure out where you stand and what to fix first.

Book a free consultation →


References

[1] Halcyon, "The Ransomware Gap in the AI Era," PRNewswire, Mar. 18, 2026. [Online]. Available: https://www.prnewswire.com/news-releases/302717461.html

[2] Rapid7, "2026 Global Threat Landscape Report," GlobeNewsWire, Mar. 18, 2026. [Online]. Available: https://markets.businessinsider.com/news/stocks/rapid7-2026-global-threat-landscape-report-shows-exploited-high-and-critical-severity-vulnerabilities-surged-105-as-attack-timelines-collapsed-1035941348

[3] D. Pehar, "Ransomware In 2026: Why Prevention Is Now A Board-Level Discipline," Forbes, Mar. 9, 2026. [Online]. Available: https://www.forbes.com/councils/forbestechcouncil/2026/03/09/ransomware-in-2026-why-prevention-is-now-a-board-level-discipline-not-an-it-project/

[6] CrowdStrike, "CrowdStrike At GTC Makes The Case For AI Native Security," Forbes, Mar. 19, 2026. [Online]. Available: https://www.forbes.com/sites/tonybradley/2026/03/19/crowdstrike-at-gtc-makes-the-case-for-ai-native-security/

[7] Flashpoint, "2026 Global Threat Intelligence Report," Homeland Security Today, Mar. 11, 2026. [Online]. Available: https://www.hstoday.us/subject-matter-areas/cybersecurity/2026-global-threat-intelligence-report-highlights-rise-in-agentic-ai-cybercrime/

[8] Zscaler, "ThreatLabz 2026 AI Security Report," CIO, Mar. 11, 2026. [Online]. Available: https://www.cio.com/article/4143912/ai-the-default-enterprise-accelerator-key-insights-from-the-threatlabz-2026-ai-security-report-2.html
