TL;DR

The Australian Signals Directorate's Essential Eight is a baseline cyber security framework that blocks roughly 85% of common attacks at Maturity Level 1 alone. This checklist walks your 1-2 person IT team through all eight controls with concrete three-step implementation paths and free or low-cost tool recommendations. If your business handles any sensitive data — customer records, financials, health information — Maturity Level 1 is the minimum viable defence.

Why Maturity Level 1 Matters Now

The ACSC's Essential Eight framework [1] isn't theoretical. In 2025 alone, CISA's Known Exploited Vulnerabilities catalogue grew by nearly 20%, adding 245 vulnerabilities — 24 of them linked to ransomware campaigns [2]. Attackers exploit unpatched systems, weak macros, and missing MFA daily. A 15-year-old Microsoft Office PowerPoint flaw from 2009 is still delivering successful payloads in active campaigns [3].

Australian SMBs are not too small to target. You are targets precisely because you are likely under-defended. Maturity Level 1 is designed for organisations that may not have a dedicated security hire — it is achievable with generalist IT staff and modest budgets.


The Eight Controls: Your Level 1 Checklist

1. Patch Applications

Keep internet-facing and widely used applications patched within 48 hours of critical updates. Browsers, Office suites, PDF readers, and Java are the highest priority.

3-step implementation:

  1. Inventory all third-party software across every endpoint. Use Lansweeper (free tier covers up to 25 devices) or pdq.com's PDQ Inventory (free version available).
  2. Enable automatic updates for browsers (Chrome, Firefox) and Microsoft 365 apps via Intune or Group Policy.
  3. Assign someone to check Microsoft Patch Tuesday releases monthly and verify critical patches applied within 48 hours. Subscribe to the ACSC Alert Service [1] for Australian-specific advisories.

Budget tools: Microsoft Intune (included in Microsoft 365 Business Premium), WSUS (free, built into Windows Server), Lansweeper Free.

2. Patch Operating Systems

Unpatched operating systems remain the single most exploited attack surface. Level 1 requires critical patches within 48 hours for internet-facing systems.

3-step implementation:

  1. Audit all OS versions — retire anything no longer receiving security updates (Windows 10 reaches end of support in October 2025; plan now).
  2. Enable automatic Windows Update on all endpoints via Group Policy or Intune. Set deadline of 2 days for critical patches.
  3. For servers, maintain a test environment. Apply patches there first, then production within 48 hours. Document patch status in a simple spreadsheet or free ticketing tool like osTicket.

Budget tools: Windows Update for Business (free with Windows licensing), Ubuntu Pro (free for personal/small use, covers up to 5 machines).

3. Configure Microsoft Office Macro Settings

Macros remain a primary delivery mechanism for malware. Level 1 requires macros blocked from the internet, allowed only from trusted locations with digital signatures.

3-step implementation:

  1. Open Group Policy Management — navigate to User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings.
  2. Set "Disable all macros except digitally signed macros" across all endpoints. Block macros entirely for finance and HR teams that don't need them.
  3. For any legitimate macro-dependent workflows, create a trusted network location and require digital signing with an internal certificate authority.

Budget tools: Group Policy (free with Active Directory), Microsoft 365 Admin Centre macro policies (included in Business Premium).
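The two policy values behind step 2 and the "blocked from the internet" requirement are registry DWORDs that Group Policy writes under HKCU\Software\Policies. The script below is an added example, not the article's or ACSC's own tooling: it verifies those values on one endpoint (useful for confirming a GPO actually landed) and can apply them locally on machines that are not domain-joined. It assumes Office 2016/365 (registry version 16.0) and runs in the context of the user being checked.

```powershell
# Added example: audit and optionally set the Level 1 macro policy on one endpoint.
# Assumes Office 2016/365 (registry version 16.0) and that it runs as the user being checked.
$Apps = @('Word', 'Excel', 'PowerPoint')
$Expected = @{
    VBAWarnings                       = 3   # 3 = disable all macros except digitally signed macros
    blockcontentexecutionfrominternet = 1   # 1 = block macros in files that came from the internet
}

function Get-MacroPolicyState {
    # One object per app and setting, with the value currently present (or $null if missing).
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $Expected.Keys) {
            $actual = if ($props) { $props.$name } else { $null }
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Expected  = $Expected[$name]
                Actual    = $actual
                Compliant = ($actual -eq $Expected[$name])
            }
        }
    }
}

function Set-MacroPolicy {
    # Applies the expected values locally. Use only on machines that are not domain-joined;
    # on domain members the GPO owns these keys and will overwrite manual changes.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Expected.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $Expected[$name] -Type DWord
        }
    }
}

# Report the state; a non-zero exit code lets an RMM or scheduled task flag drift.
$state = Get-MacroPolicyState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run the audit first; only call Set-MacroPolicy on endpoints outside Group Policy's reach.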

4. User Application Hardening

Level 1 means blocking web content in emails, restricting browser plugins, and hardening PDF readers.

3-step implementation:

  1. Configure email gateways to block executable attachments (.exe, .js, .vbs, .cmd). If using Microsoft 365, enable Safe Attachments in Defender.
  2. Disable or restrict browser extensions enterprise-wide via Chrome Browser Cloud Management (free) or Firefox Group Policy templates.
  3. Configure Adobe Acrobat Reader to disable JavaScript and enable Enhanced Security. Use the free Adobe Customization Wizard to push settings.

Budget tools: Microsoft Defender for Office 365 (included in Business Premium), Chrome Browser Cloud Management (free), Adobe Customization Wizard (free).

5. Restrict Administrative Privileges

Level 1 requires separate admin accounts, admin accounts excluded from email and web browsing, and privileged access validated before granting.

3-step implementation:

  1. Audit all accounts with local admin rights. Remove admin access from every daily-use account — create separate ".admin" accounts for privileged tasks.
  2. Configure User Account Control to "Always Notify" on all endpoints. Block admin accounts from receiving email and accessing the web via proxy or firewall rules.
  3. Implement LAPS (Local Administrator Password Solution — free from Microsoft) to randomise and manage local admin passwords across all machines.

Budget tools: Microsoft LAPS (free), Windows Privileged Access Workstations (no additional cost), CyberArk Endpoint Privilege Manager (for larger budgets).
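To check whether steps 1 and 2 actually took effect on a given machine, the added example below (not the article's own tooling) lists every member of the local Administrators group that does not follow the separate ".admin" account convention, and confirms UAC is at "Always notify". It assumes the ".admin" suffix from step 1 and runs with administrator rights; adjust $AdminSuffix and $ExpectedMembers to match your environment.

```powershell
# Added example: audit one endpoint against control 5 (separate admin accounts, UAC "Always notify").
# Assumes the ".admin" naming convention from step 1; run with administrator rights.
$AdminSuffix     = '.admin'
$ExpectedMembers = @('Administrator', 'Domain Admins')   # built-in or deliberately privileged principals

function Get-LocalAdminFindings {
    # One row per Administrators member; daily-use accounts are flagged for removal.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $shortName      = ($_.Name -split '\\')[-1]   # strip the DOMAIN\ or COMPUTER\ prefix
        $isExpected     = $ExpectedMembers -contains $shortName
        $isAdminAccount = $shortName.EndsWith($AdminSuffix, 'OrdinalIgnoreCase')
        [pscustomobject]@{
            Member      = $_.Name
            ObjectClass = $_.ObjectClass
            Finding     = if ($isExpected -or $isAdminAccount) { 'ok' }
                          else { 'daily-use account holds local admin' }
        }
    }
}

function Test-UacAlwaysNotify {
    # "Always notify" is UAC enabled, admin prompt behaviour 2, and the secure desktop on.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    ($p.EnableLUA -eq 1) -and ($p.ConsentPromptBehaviorAdmin -eq 2) -and ($p.PromptOnSecureDesktop -eq 1)
}

$findings = Get-LocalAdminFindings
$findings | Format-Table -AutoSize
"UAC at 'Always notify': $(Test-UacAlwaysNotify)"
if (($findings | Where-Object Finding -ne 'ok') -or -not (Test-UacAlwaysNotify)) { exit 1 }
```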

6. Multi-Factor Authentication

MFA is non-negotiable. Level 1 requires MFA for all remote access, all privileged accounts, and all important data repositories.

3-step implementation:

  1. Enable MFA on every Microsoft 365 account immediately — start with admin accounts, then roll out to all users within 2 weeks.
  2. Deploy a free authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS-based MFA, which is vulnerable to SIM swapping.
  3. For VPN and remote desktop access, enforce MFA at the gateway. If using Windows Server, deploy NPS with Azure MFA extension (free with Azure AD).

Budget tools: Microsoft Authenticator (free), Duo Free (up to 10 users), Azure AD MFA (included in Microsoft 365 Business Premium).

7. Daily Backups

Level 1 requires daily backups of important data, stored offline or in a segmented network location, with regular restoration testing.

3-step implementation:

  1. Identify critical data — customer records, financials, intellectual property, configuration files. Map where it all lives.
  2. Implement the 3-2-1 rule: 3 copies, 2 different media types, 1 offsite. Use Veeam Community Edition (free for up to 10 workloads) for automated daily backups.
  3. Test restoration monthly. Document the test: what was restored, how long it took, whether data was intact. This documentation is your evidence of compliance.

Budget tools: Veeam Community Edition (free), restic (open source), Bacula Community (open source), AWS S3 Glacier (cheap offsite, under $5/month for most SMBs).

8. Application Control

Level 1 requires preventing execution of unapproved executables, scripts, installers, and DLLs. This is the hardest control but Windows Defender Application Control (WDAC) makes it achievable.

3-step implementation:

  1. Start with audit mode — deploy WDAC or AppLocker policies in "audit only" mode for 30 days. This logs what would have been blocked without disrupting users.
  2. Review the audit logs to identify all legitimate applications your business needs. Build an allowlist based on real usage, not assumptions.
  3. Switch to enforcement mode on a test group first. Roll out department by department. Document every exception and review quarterly.

Budget tools: Windows Defender Application Control (free, built into Windows 10/11 Enterprise and Education), AppLocker (free with Windows Server), Microsoft Intune for policy deployment.
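Step 2 is where most teams stall, because the audit logs are verbose. The added example below (not from the article or Microsoft) summarises 30 days of AppLocker audit-mode events into a candidate allowlist grouped by publisher and path. It assumes an AppLocker policy is already deployed in audit mode and that the script runs as an administrator on the endpoint (or against forwarded events).

```powershell
# Added example: turn AppLocker audit-mode events into a candidate allowlist.
# Event 8003 (EXE and DLL log) and 8006 (MSI and Script log) both mean
# "allowed to run, but would have been blocked if the policy were enforced".
# Assumes an audit-mode AppLocker policy is already applied; run as administrator.
$Logs = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006
}

function Get-AppLockerAuditSummary {
    param([int]$Days = 30)
    $since  = (Get-Date).AddDays(-$Days)
    $events = foreach ($log in $Logs.Keys) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Logs[$log]; StartTime = $since } `
                     -ErrorAction SilentlyContinue
    }
    $events | ForEach-Object {
        # AppLocker puts the file details in UserData, not in the message text.
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Publisher = if ($d.Fqbn) { ($d.Fqbn -split '\\')[0] } else { '(unsigned)' }
            Path      = $d.FilePath
            UserSid   = $d.TargetUser
            When      = $_.TimeCreated
        }
    } | Group-Object Publisher, Path | ForEach-Object {
        [pscustomobject]@{
            Publisher = $_.Group[0].Publisher
            Path      = $_.Group[0].Path
            Users     = ($_.Group.UserSid | Sort-Object -Unique).Count
            Hits      = $_.Count
            LastSeen  = ($_.Group.When | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Hits -Descending
}

# Signed binaries with many hits across several users are natural publisher-rule candidates;
# unsigned items in user-writable paths need a justification before any exception is written.
Get-AppLockerAuditSummary -Days 30 | Format-Table -AutoSize
```

Rerun it after each change to the policy so the exception list in step 3 is built from observed use rather than guesswork.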

FAQ

Is Maturity Level 1 enough for my business?

Level 1 is the baseline, not the ceiling. If your business handles health records, financial data, or government contracts, you should target Level 2 or 3. Level 1 blocks most opportunistic attacks — targeted adversaries require deeper controls.

How long does Level 1 implementation take for a 20-person business?

With focused effort and no legacy complexity, 4-8 weeks. MFA and patching can be deployed in week one. Application control and macro hardening take longer due to testing. Budget 3 months if your IT staff are part-time.

Do I need external help to implement the Essential Eight?

Not necessarily for Level 1. Most controls are achievable with generalist IT knowledge and the free tools listed above. However, application control and privilege management benefit from expert guidance. A focused consultation is cheaper than recovering from a ransomware incident.

What if we use Macs, not Windows?

The Essential Eight applies regardless of platform. Substitute Microsoft-specific tools with macOS equivalents: Jamf Now (free for up to 3 devices) for patch management and application control, and macOS built-in Gatekeeper and XProtect for hardening. MFA and backups are platform-agnostic.

Conclusion

Maturity Level 1 is not aspirational — it is the absolute minimum for any Australian business operating in 2026. The threat landscape does not care about your company size. Attackers automated their campaigns years ago. A 15-year-old PowerPoint vulnerability is still weaponised because patching lags behind exploitation across businesses of every size.

Start with MFA and patching this week. Those two controls alone block the majority of initial access vectors. Then work through the remaining six controls over the following 8-10 weeks. Document everything. Test restorations. Review quarterly.

The Essential Eight is a journey, not a destination — but Level 1 is where the journey begins, and it begins today.

Need help implementing the Essential Eight? Visit consult.lil.business for a free cybersecurity assessment tailored to Australian SMBs.

References

  1. Australian Cyber Security Centre — Essential Eight
  2. CISA Known Exploited Vulnerabilities Catalog
  3. RSI Security — CISA KEV Latest Vulnerabilities and Critical Infrastructure Risks
  4. SecurityOnline — CVE Watchtower: Weekly Threat Intelligence Briefing April 2026
