TL;DR
- The ACSC Essential Eight is Australia's baseline cybersecurity framework — Maturity Level 1 is designed to stop commodity malware and basic attacks that target SMBs daily [1].
- Every control can be implemented with 1-2 IT-capable staff using mostly built-in tools and low-cost solutions — no enterprise security team required.
- Starting with these eight controls reduces your attack surface by an estimated 85% against common threats and positions your business for government supply chain compliance [1].
Small and medium businesses are not small versions of enterprises — they have fewer staff, tighter budgets, and no dedicated security hire. The Australian Cyber Security Centre (ACSC) designed the Essential Eight with exactly this reality in mind. Maturity Level 1 is the starting point: it protects against commodity malware and opportunistic attacks that scan the internet for easy targets [1]. Here is how to implement every control with practical, budget-conscious steps.
Application Control
What it does: Stops unapproved programs from running. If ransomware lands on a machine, application control prevents it from executing.
3-step path:
- Inventory what runs. Use Microsoft's free AppLocker (built into Windows 10/11 Pro) or the built-in WDAC wizard. On Mac, use Gatekeeper with signed-app-only enforcement.
- Create a default-deny policy. Block execution from user-writable folders (%TEMP%, Downloads, %APPDATA%). This single rule stops most malware delivery vectors [2].
- Audit for 2 weeks before enforcing. Run in audit-only mode, collect logs, whitelist legitimate business applications, then switch to enforcement.
Budget-friendly tools: AppLocker (free with Windows Pro), WDAC (free with Windows 10/11 Enterprise or Pro with policy config), Gatekeeper (free with macOS).
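The three steps above, worked through on Windows with AppLocker. This is an added example, not code from the article or from Microsoft; it assumes Windows 10/11 Pro or Enterprise, an elevated PowerShell session, the built-in AppLocker module, and rule names and an output path of my own choosing.

```powershell
# Added example, not from the article: create an AppLocker policy that allows
# executables only from the standard install locations, apply it in audit-only
# mode, and later list what would have been blocked.
# Assumptions: Windows 10/11 Pro or Enterprise, an elevated PowerShell session,
# the built-in AppLocker module. Rule names and file paths are my own choices.

function New-AuditOnlyAllowListPolicy {
    param([string]$OutputPath = "$env:ProgramData\AppLocker-audit.xml")

    # Allow rules for trusted roots only. Once a rule collection exists, anything
    # it does not allow is denied, so %TEMP%, Downloads and %APPDATA% are covered
    # without being listed. S-1-1-0 = Everyone, S-1-5-32-544 = Administrators.
    # AppLocker's %PROGRAMFILES% expands to both Program Files folders.
    $rules = @(
        @{ Name = 'Allow Program Files';   Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' },
        @{ Name = 'Allow Windows';         Sid = 'S-1-1-0';      Path = '%WINDIR%\*' },
        @{ Name = 'Allow admins anywhere'; Sid = 'S-1-5-32-544'; Path = '*' }
    )
    $ruleXml = foreach ($r in $rules) {
        $id = [guid]::NewGuid().ToString()
        "<FilePathRule Id=`"$id`" Name=`"$($r.Name)`" Description=`"`" UserOrGroupSid=`"$($r.Sid)`" Action=`"Allow`">" +
        "<Conditions><FilePathCondition Path=`"$($r.Path)`" /></Conditions></FilePathRule>"
    }
    # EnforcementMode="AuditOnly": AppLocker logs event 8003 instead of blocking.
    $policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    $($ruleXml -join "`n    ")
  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $OutputPath -Value $policy -Encoding UTF8
    return $OutputPath
}

function Enable-AuditOnlyPolicy {
    param([Parameter(Mandatory)][string]$PolicyPath)
    # Nothing is evaluated until the Application Identity service runs. It is a
    # protected service on current Windows, so sc.exe is used instead of Set-Service.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    # Replaces the local AppLocker policy; add -Merge to keep rules already present.
    Set-AppLockerPolicy -XmlPolicy $PolicyPath
}

function Get-WouldHaveBlocked {
    # Executables that ran during the audit window but would be denied once
    # EnforcementMode is switched to Enabled, most frequent first. Every
    # legitimate entry needs an allow rule before enforcement is turned on.
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003                       # "would have been prevented" (audit) event
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
        Group-Object |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Usage, from an elevated prompt:
#   $policy = New-AuditOnlyAllowListPolicy
#   Enable-AuditOnlyPolicy -PolicyPath $policy
#   # ... two weeks later ...
#   Get-WouldHaveBlocked -Days 14 | Format-Table -AutoSize
```

Two things to check before changing EnforcementMode to Enabled. Path rules are only as strong as the folder permissions beneath them: a few subfolders of %WINDIR% (Windows\Temp, for example) are writable by standard users, so review them and either tighten the permissions or add deny rules. The policy above only covers the Exe collection; scripts, installers and DLLs each have their own collection and need the same audit-then-enforce treatment.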
Patch Applications
What it does: Closes known software vulnerabilities before attackers exploit them.
3-step path:
- Enable auto-update everywhere. Browsers (Chrome, Edge, Firefox), PDF readers, Java, and all line-of-business apps. Every piece of software on every endpoint.
- Run a monthly inventory. Use a free spreadsheet or Microsoft's built-in wmic product get name,version to list installed software. Cross-reference against vendor release notes.
- Prioritise internet-facing apps. Web browsers, email clients, remote access tools, and VPN software get patched within 48 hours of release. The CISA Known Exploited Vulnerabilities catalog confirms that attackers weaponise these within days of disclosure [3].
Budget-friendly tools: Windows Update for Business (free Group Policy setting), Ninite Pro (~$2/endpoint/month for third-party patching), or Action1 (free up to 100 endpoints).
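An added example of the monthly inventory step, written by me rather than taken from the article. It reads the registry Uninstall keys instead of running wmic product: enumerating Win32_Product is slow, triggers an MSI consistency check of every installed package, and wmic itself is deprecated on current Windows. It assumes a Windows 10/11 endpoint; the name patterns used to flag internet-facing software are my own and should be adjusted to your line-of-business applications.

```powershell
# Added example, not from the article: inventory installed software from the
# registry Uninstall keys and flag the internet-facing applications that the
# article says must be patched within 48 hours of a release.
# Assumptions: Windows 10/11; the patterns below are my own starting list.

$InternetFacingPatterns = @('Chrome', 'Edge', 'Firefox', 'Outlook', 'Thunderbird',
                            'Acrobat', 'Reader', 'Java', 'TeamViewer', 'AnyDesk', 'VPN')

function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            $name = $_.DisplayName
            [pscustomobject]@{
                Name           = $name
                Version        = $_.DisplayVersion
                Publisher      = $_.Publisher
                InstallDate    = $_.InstallDate      # yyyyMMdd string when the installer recorded it
                InternetFacing = [bool]($InternetFacingPatterns | Where-Object { $name -like "*$_*" })
            }
        } |
        Sort-Object -Property Name -Unique |
        Sort-Object -Property InternetFacing -Descending     # 48-hour items float to the top
}

function Export-SoftwareInventory {
    param([string]$Path = "$env:USERPROFILE\Desktop\software-inventory-$(Get-Date -Format 'yyyy-MM').csv")
    Get-InstalledSoftware | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    return $Path
}

# Usage:
#   Get-InstalledSoftware | Where-Object InternetFacing | Format-Table Name, Version, Publisher
#   Export-SoftwareInventory     # one CSV per month to diff against vendor release notes
```

Microsoft Store and other packaged apps do not appear under the Uninstall keys; Get-AppxPackage lists those separately. The Version column is what you compare against the vendor's current release; a browser's own About page also tells you whether an update is pending.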
Configure Microsoft Office Macros
What it does: Blocks malicious macros — still one of the top delivery mechanisms for ransomware in Australian SMBs [1].
3-step path:
- Block macros from the internet. Group Policy: User Configuration > Administrative Templates > Microsoft Office > Block macros from running in Office files from the Internet. Enable it.
- Create a signed-macro-only exception. If accounting needs macros for legitimate spreadsheets, digitally sign them and whitelist the signing certificate.
- Add a Mark-of-the-Web banner. Enable Protected View for all files originating from the internet — this is default in Office 365 but worth verifying across all installations.
Budget-friendly tools: Group Policy (free with Windows Server or local policy editor), Microsoft 365 Business Basic ($9.40/user/month for cloud-managed policies).
User Application Hardening
What it does: Removes attack surface from everyday applications — disables Flash, Java in browsers, web ads, and unnecessary Office Object Linking and Embedding features.
3-step path:
- Block Flash and Java in browsers. Flash is dead — remove it entirely. Java browser plugin: disable via Group Policy or browser settings. Neither is needed for modern web apps.
- Block web ads. Deploy uBlock Origin via browser Group Policy, or use a DNS-level blocker like NextDNS (free tier covers basic filtering).
- Disable OLE packages in Office. Group Policy: User Configuration > Administrative Templates > Microsoft Office > Block OLE packages. This stops embedded-object phishing attacks.
Budget-friendly tools: Group Policy (free), NextDNS (free tier for up to 300k queries/month), uBlock Origin (free browser extension).
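The macro settings from the previous section and the OLE package setting above are all registry values under the Office Policies key, so one script can audit and set them together. This is an added example, my own code rather than the article's; it assumes Office 2016/2019/365 (registry version 16.0) and per-user policy in HKCU. The blockcontentexecutionfrominternet, VBAWarnings and DisableInternetFilesInPV values are the ones the named Group Policy settings write; the PackagerPrompt value for OLE packages follows ACSC Office hardening guidance and its key path is an assumption to verify against your Office build.

```powershell
# Added example, not from the article: audit, and optionally set, the registry
# values behind the Office macro, Protected View and OLE package settings.
# Writing the Policies hive directly is the fallback for machines that are not
# domain-joined; a domain GPO overwrites these keys on refresh.
# Assumptions: Office registry version 16.0, HKCU policy. PackagerPrompt's
# path is assumed from ACSC Office hardening guidance; verify for your build.

$OfficeApps = @('word', 'excel', 'powerpoint')

# Desired state per application. NullOk: an absent value is acceptable because
# the Office default already matches the desired setting.
$Desired = @(
    @{ Sub = 'security';               Name = 'blockcontentexecutionfrominternet'; Value = 1; NullOk = $false }  # macros in internet files: blocked
    @{ Sub = 'security';               Name = 'VBAWarnings';                       Value = 3; NullOk = $false }  # 3 = only digitally signed macros run (4 = none)
    @{ Sub = 'security';               Name = 'PackagerPrompt';                    Value = 2; NullOk = $false }  # 2 = OLE package activation disabled (assumed)
    @{ Sub = 'security\protectedview'; Name = 'DisableInternetFilesInPV';          Value = 0; NullOk = $true  }  # 0 = Protected View kept for internet files
)

function Get-OfficeHardeningState {
    foreach ($app in $OfficeApps) {
        foreach ($d in $Desired) {
            $key    = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\$($d.Sub)"
            $actual = (Get-ItemProperty -Path $key -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
            [pscustomobject]@{
                App       = $app
                Setting   = $d.Name
                Expected  = $d.Value
                Actual    = $actual     # $null = not configured
                Compliant = ($actual -eq $d.Value) -or ($null -eq $actual -and $d.NullOk)
                Key       = $key
            }
        }
    }
}

function Set-OfficeHardening {
    # Writes only what is non-compliant. Run in the affected user's session (HKCU).
    Get-OfficeHardeningState | Where-Object { -not $_.Compliant } | ForEach-Object {
        if (-not (Test-Path -Path $_.Key)) { New-Item -Path $_.Key -Force | Out-Null }
        New-ItemProperty -Path $_.Key -Name $_.Setting -Value $_.Expected -PropertyType DWord -Force | Out-Null
        "$($_.App): $($_.Setting) set to $($_.Expected)"
    }
}

# Usage:
#   Get-OfficeHardeningState | Format-Table App, Setting, Expected, Actual, Compliant
#   Set-OfficeHardening          # then re-run the audit and restart Office
```

Run the audit part on a couple of machines before and after the Group Policy change; "Actual" showing $null for the macro values means the policy never reached that user, which is the usual reason a Group Policy rollout looks complete but is not.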
Restrict Administrative Privileges
What it does: If a user with admin rights clicks a phishing link, the attacker gets admin access. Removing local admin rights is the single highest-impact control for SMBs [2].
3-step path:
- Audit who has admin. Run net localgroup administrators on every machine. You will find more than you expect.
- Remove local admin from daily-driver accounts. Create a separate admin account for installs and maintenance. Use Microsoft LAPS (free) to manage local admin passwords securely.
- Provide a self-service elevation path. Use Make Me Admin (free, open source) to let users temporarily elevate for approved tasks with a time-limited token — this eliminates the "but I need admin for that one thing" pushback.
Budget-friendly tools: Microsoft LAPS (free), Make Me Admin (free, open source), Group Policy (free).
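The audit step across more than one machine, as an added example that is my own rather than the article's. It assumes Windows 10/11, PowerShell remoting (WinRM) enabled on the target machines, and that the $ExpectedAdmins list is replaced with the accounts your business has actually approved.

```powershell
# Added example, not from the article: list local Administrators group members
# on a set of machines and flag anyone outside the approved list.
# Assumptions: Windows 10/11, WinRM enabled for remote hosts; $ExpectedAdmins
# below is a placeholder list to replace with your own.

$ExpectedAdmins = @('Administrator', 'Domain Admins', 'IT-Admin')   # assumed; adjust

function Get-LocalAdminReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $collect = {
        # Get-LocalGroupMember fails outright when the group holds an orphaned
        # SID (a deleted domain account); fall back to ADSI in that case.
        try {
            Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                Select-Object -ExpandProperty Name
        } catch {
            ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
                ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
        }
    }
    foreach ($c in $ComputerName) {
        $members = if ($c -eq $env:COMPUTERNAME) { & $collect }
                   else { Invoke-Command -ComputerName $c -ScriptBlock $collect }
        foreach ($m in $members) {
            $short = ($m -split '\\')[-1]        # strip the DOMAIN\ or MACHINE\ prefix
            [pscustomobject]@{
                Computer = $c
                Member   = $m
                Approved = ($short -in $ExpectedAdmins)
            }
        }
    }
}

# Usage:
#   Get-LocalAdminReport -ComputerName (Get-Content .\hosts.txt) |
#       Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

Every unapproved row is a candidate for the second step: create the separate admin account first, then remove the daily-driver account with Remove-LocalGroupMember -Group Administrators -Member 'DOMAIN\user'. Re-run the report after the change and again a month later; admin rights have a way of creeping back through software installers.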
Patch Operating Systems
What it does: Keeps Windows, macOS, and Linux systems current. Operating system vulnerabilities are the most commonly exploited entry point for ransomware operators [3].
3-step path:
- Enable automatic updates. Windows Update with active hours configured so reboots don't interrupt work. macOS: System Preferences > Software Update > Automatically keep my Mac up to date.
- Set a 7-day patch deadline. Critical and security patches must be applied within seven calendar days of release. Use Windows Update for Business ring deployment for staggered rollout.
- Verify, don't assume. Check one endpoint per OS version after each patch cycle. Run winver on Windows or sw_vers on Mac to confirm the build number matches the latest security release.
Budget-friendly tools: Windows Update (free), Windows Update for Business (free with Windows Pro/Enterprise), MDM built into Microsoft 365.
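The verification step on Windows, as an added example that is my own and not from the article. It reports the same build number winver shows and compares it with the latest security release, whose build and release date you look up each month in Microsoft's Windows release health notes and pass in; those two values are placeholders here. It assumes Windows 10/11.

```powershell
# Added example, not from the article: report the exact Windows build (what
# winver shows) and the last installed update, then compare against the latest
# security release and the 7-day deadline.
# Assumptions: Windows 10/11; LatestBuild and LatestReleaseDate are values you
# read from Microsoft's release health notes each month (placeholders here).

function Get-PatchStatus {
    param(
        [Parameter(Mandatory)][string]$LatestBuild,          # e.g. '<build>.<UBR>' from the release notes
        [Parameter(Mandatory)][datetime]$LatestReleaseDate,  # date that release shipped
        [int]$DeadlineDays = 7
    )
    $ver   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # CurrentBuild.UBR is the build winver displays; UBR increments with each cumulative update.
    $build = "$($ver.CurrentBuild).$($ver.UBR)"
    # Get-HotFix lists quality updates with an install date; newest first.
    $last  = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object -Property InstalledOn -Descending | Select-Object -First 1
    $isCurrent = ($build -eq $LatestBuild)
    $daysSince = (New-TimeSpan -Start $LatestReleaseDate -End (Get-Date)).Days
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Edition        = $ver.ProductName
        DisplayVersion = $ver.DisplayVersion      # e.g. 23H2
        Build          = $build
        LatestBuild    = $LatestBuild
        IsCurrent      = $isCurrent
        LastHotFix     = $last.HotFixID
        LastHotFixDate = $last.InstalledOn
        # Not on the latest build and the release is older than the deadline:
        # this endpoint missed its window.
        OverDeadline   = (-not $isCurrent) -and ($daysSince -gt $DeadlineDays)
    }
}

# Usage (placeholders; take the real values from the release notes for your version):
#   Get-PatchStatus -LatestBuild '<build>.<ubr>' -LatestReleaseDate 'YYYY-MM-DD'
```

Run it on one endpoint per Windows version after each patch cycle, as the article suggests; an OverDeadline of True on a machine that has "automatic updates" turned on usually means active hours or a pending reboot is holding the update back.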
Multi-Factor Authentication (MFA)
What it does: Stops credential-based attacks dead. A stolen password is useless without the second factor. Microsoft research shows MFA blocks 99.9% of account compromise attacks [4].
3-step path:
- Enable MFA on everything that holds business data. Email (Microsoft 365, Google Workspace), line-of-business apps, accounting software, banking, cloud storage.
- Use app-based authenticators, not SMS. Microsoft Authenticator or Google Authenticator (both free). SMS-based MFA is vulnerable to SIM-swapping — app-based codes or FIDO2 keys are significantly stronger.
- Document recovery codes. Print them, store them in a physical safe. The number-one reason SMBs get locked out of MFA is lost recovery codes. Plan for "Monster's phone went for a swim" scenarios.
Budget-friendly tools: Microsoft Authenticator (free), Google Authenticator (free), Authy (free), YubiKey (~$70 one-time for hardware tokens).
Regular Backups
What it does: Makes ransomware a recoverable inconvenience rather than a business-ending event. The ACSC specifically calls out backups as critical for SMB resilience [1].
3-step path:
- Follow the 3-2-1 rule. Three copies of data, on two different media types, with one copy offsite (or offline). For a 5-person SMB: one local NAS, one cloud backup, and one disconnected external drive rotated weekly.
- Test restores monthly. A backup you haven't tested is not a backup — it is a hope. Pick one random file and restore it to a test location. Document the process.
- Use immutable storage for the offsite copy. Cloud providers like Backblaze B2 and Wasabi support object lock, which prevents ransomware from encrypting or deleting backup data even if the attacker has your cloud credentials.
Budget-friendly tools: Veeam Community Edition (free for up to 10 workloads), Backblaze B2 (~$6/TB/month with object lock), Duplicati (free, open source).
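The monthly restore test needs evidence that the restored file is byte-for-byte the original, not just that it exists. This added example (mine, not the article's or any backup vendor's) hashes the originals and the restored copies and appends the result to a log, which gives you the documentation the second step asks for. It assumes your backup tool has already restored the chosen files into a scratch folder, and that the originals have not changed since the backup was taken.

```powershell
# Added example, not from the article: verify a test restore by comparing
# SHA-256 hashes of original files with their restored copies, and append the
# outcome to a CSV log so each monthly test is documented.
# Assumptions: files already restored to a scratch folder by the backup tool;
# the originals are unchanged since the backup ran. The log path is my choice.

function Test-Restore {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,     # folder the backup was taken from
        [Parameter(Mandatory)][string]$RestoredRoot,   # scratch folder the backup was restored to
        [string]$LogPath = "$env:ProgramData\restore-tests.csv"
    )
    $sourceRoot = (Resolve-Path -Path $SourceRoot).Path.TrimEnd('\')
    $results = foreach ($src in Get-ChildItem -Path $sourceRoot -File -Recurse) {
        $rel      = $src.FullName.Substring($sourceRoot.Length + 1)   # path relative to the root
        $dest     = Join-Path -Path $RestoredRoot -ChildPath $rel
        $srcHash  = (Get-FileHash -Path $src.FullName -Algorithm SHA256).Hash
        $destHash = if (Test-Path -Path $dest) { (Get-FileHash -Path $dest -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{
            Tested   = (Get-Date).ToString('s')
            File     = $rel
            Restored = [bool]$destHash            # false = file missing from the restore
            Match    = ($srcHash -eq $destHash)   # false = restored but corrupt or stale
        }
    }
    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append
    [pscustomobject]@{
        Files  = @($results).Count
        Passed = @($results | Where-Object { $_.Match }).Count
        Failed = @($results | Where-Object { -not $_.Match }).Count
        Log    = $LogPath
    }
}

# Usage: restore a small folder with your backup tool, then
#   Test-Restore -SourceRoot 'D:\Shared\Finance\2024' -RestoredRoot 'C:\RestoreTest\2024'
```

Pick a folder whose contents do not change (last year's records, for example) so a hash mismatch means a bad restore rather than a file edited since the backup. A Failed count above zero on the immutable offsite copy is the finding you want to see in a test, not during an incident.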
FAQ
For a business with 1-2 IT-capable staff working on this part-time, expect 6-12 weeks to reach Maturity Level 1 across all controls. Start with MFA and backups — those take days and deliver immediate protection. Application control and macro hardening take the longest because they require testing before enforcement.
Not for Level 1. The ACSC publishes free implementation guides, assessment tools, and maturity model documentation [1]. Most controls use built-in operating system features. A consultant becomes valuable at Maturity Level 2 and 3 where event logging, application hardening, and incident response capabilities require more specialised configuration.
It is mandatory for federal government agencies and strongly recommended for businesses in the government supply chain. For all other Australian SMBs, it is voluntary but increasingly expected: cyber insurance providers now ask about Essential Eight alignment during underwriting, and many enterprise clients require it as a minimum security standard in vendor agreements.
Prioritise MFA, patching operating systems, regular backups, and restricting administrative privileges. These four controls address the most common attack vectors — stolen credentials, unpatched vulnerabilities, ransomware impact, and privilege escalation — and provide approximately 70% of the protection value of the full framework [1].
Conclusion
The Essential Eight is not compliance paperwork — it is a practical defence framework built for organisations like yours. Every control at Maturity Level 1 targets a real attack vector that criminals use against Australian SMBs every day. You do not need enterprise tools or a dedicated security team. You need someone with administrative access, a few hours per control, and a checklist.
Start with MFA today. Add backups this week. Work through the remaining controls one at a time. Each one reduces the likelihood that your business becomes the next breach statistic.
Ready to move beyond checklists? Visit consult.lil.business for a free 30-minute cybersecurity assessment tailored to your business size and industry.
References
[1] Australian Cyber Security Centre, "Essential Eight Maturity Model," ACSC, Nov. 2023. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
[2] Australian Signals Directorate, "Strategies to Mitigate Cyber Security Incidents," ASD, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents
[3] Cybersecurity and Infrastructure Security Agency, "Known Exploited Vulnerabilities Catalog," CISA, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[4] A. Weinert, "Your Pa$$word doesn't matter," Microsoft Security Blog, Jul. 2019. [Online]. Available: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter-but-mfa-does/ba-p/731984