Essential Eight Maturity Model: A Practical Guide for Australian SMBs in 2026
The Australian Signals Directorate (ASD) developed the Essential Eight as a baseline. Not aspirational. Not best practice. Baseline.
Yet when I assess Australian SMBs, most are sitting at Maturity Level 0 or 1. They have partial controls, ad-hoc processes, and gaps they don't know about until an incident reveals them.
This guide covers what each maturity level means, what auditors actually look for, and how to get from Level 0 to Level 2 in 90 days.
Get Our Weekly Cybersecurity Digest
Every Thursday: the threats that matter, what they mean for your business, and exactly what to do. Trusted by SMB owners across Australia.
No spam. No tracking. Unsubscribe anytime. Privacy
The Four Maturity Levels
| Level | Description | Typical State |
|---|---|---|
| 0 | No controls implemented | Most SMBs start here |
| 1 | Controls partially implemented, some gaps | Many SMBs think they're here |
| 2 | Controls mostly implemented, some automation | Target for most SMBs |
| 3 | Fully implemented, monitored, tested | Government/enterprise standard |
Level 2 is the sweet spot for SMBs. It provides meaningful protection without enterprise-level resources.
The Eight Strategies (Simplified)
1. Application Control
What it means: Only approved software can run on your systems.
Level 2 target: Application control enforced via policy. All executables blocked unless explicitly allowed.
SMB action: Start with AppLocker on Windows. Block execution from temp folders, user profile directories, and removable media.
2. Patch Applications
What it means: Keep all software up to date.
Level 2 target: Critical patches within 48 hours. Other patches within 2 weeks.
SMB action: Enable automatic updates for browsers, Office, PDF readers, and Java. Use a p
Free Resource
Free Essential Eight Checklist
Know exactly where your business sits against the ACSC Essential Eight. A practical self-assessment checklist for SMBs.
Download Free Checklist →3. Configure Microsoft Office Macro Settings
What it means: Block macros from the internet. Only allow digitally signed macros.
Level 2 target: Macros blocked for all users by default. Digitally signed macros allowed only from trusted publishers.
SMB action: One Group Policy setting. Takes 5 minutes. Blocks the most common initial access vector.
4. User Application Hardening
What it means: Lock down web browsers and email clients.
Level 2 target: Block Flash, Java, web ads, and untrusted content in browsers. Disable unused features in email clients.
SMB action: Deploy uBlock Origin, disable Flash (it's dead, but check), block auto-play media, configure email to block external content.
5. Restrict Administrative Privileges
What it means: Admin accounts are for admin tasks only.
Level 2 target: Separate admin and user accounts. Admin accounts can't browse the web or read email. Privileged access reviewed quarterly.
SMB action: Create separate admin accounts. Don't use admin accounts for daily work. Remove admin rights from standard users.
6. Patch Operating Systems
What it means: Keep your OS current.
Level 2 target: Critical patches within 48 hours. End-of-life operating systems replaced.
SMB action: Enable automatic Windows Update. Replace any machine still running Windows 10 after EOL. Document your patch compliance.
7. Multi-Factor Authentication
What it means: Something you know + something you have.
Level 2 target: MFA on all internet-facing services. MFA on all privileged accounts. MFA on all remote access.
SMB action: Enable MFA on Microsoft 365, VPN, RDP, and any cloud service. Use authenticator apps, not SMS.
8. Regular Backups
What it means: Tested, offline backups you can actually restore from.
Level 2 target: Daily backups. Offline or immutable copies. Tested restoration quarterly.
SMB action: Automate daily backups. Keep one copy offline (not connected to the network). Test restoration monthly. Document the results.
Essential Eight Assessment Kit — $47
Templates, gap analysis worksheets, and maturity level scorecards built specifically for SMBs. Audit-ready documentation in hours, not weeks.
Get the Assessment Kit →The 90-Day Plan to Level 2
Days 1-30: Quick Wins
| Action | Effort | Impact |
|---|---|---|
| Enable MFA everywhere | Low | Critical |
| Block Office macros from internet | Low | Critical |
| Enable automatic OS patching | Low | High |
| Separate admin and user accounts | Medium | High |
| Enable automatic application updates | Low | Medium |
Days 31-60: Build the Foundation
| Action | Effort | Impact |
|---|---|---|
| Configure application control | Medium | High |
| Harden browsers and email | Low | Medium |
| Set up automated daily backups | Medium | Critical |
| Create patch management process | Medium | High |
| Document all controls | Medium | Medium |
Days 61-90: Test and Verify
| Action | Effort | Impact |
|---|---|---|
| Test backup restoration | Low | Critical |
| Review admin access and permissions | Medium | High |
| Run a phishing simulation | Low | High |
| Document incident response plan | Medium | High |
| Self-assess against Essential Eight checklist | Low | Medium |
Why This Matters for Australian Businesses
The Privacy Act reforms are increasing penalties to $50 million per breach. Cyber insurance underwriters require evidence of Essential Eight alignment. Government contracts require it.
Even if none of those apply to you, the Essential Eight protects against the most common attack vectors. It's not theoretical. It's practical defence against real threats.
Bottom Line
You don't need a million-dollar security program. You need the Essential Eight implemented properly. Most of it costs nothing but time and discipline.
Level 2 in 90 days is achievable. Start today.
Need help implementing the Essential Eight for your business? Get in touch.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →TL;DR
- Oracle found a serious security problem in some of its business software [1].
- The problem lets hackers break in without needing a password or login [2].
- Oracle released an emergency fix (called a "patch") that businesses need to install right away [3].
- If your business uses Oracle software, check with your IT person immediately.
What Happened?
Think of Oracle Identity Manager like a digital key card system for a big office building. It controls who gets into which rooms and what they're allowed to do once inside [4].
Imagine if someone discovered that the lock on the front door was broken — not just a little bit broken, but so broken that anyone could walk in without a key card. They wouldn't need to steal anyone's key card. They wouldn't need to trick an employee into opening the door. They could just walk right in [5].
That's what happened with Oracle's software. A security problem (called CVE-2026-21992) was discovered in Oracle Identity Manager and Oracle Web Services Manager that lets attackers do exactly that — break in without any password or permission [6].
Why This Is a Big Deal
It's Like Leaving the Front Door Unlocked
This security problem is rated 9.8 out of 10 on the severity scale — that's "Critical," the highest level [7]. Here's why it's so serious:
- No password needed: Attackers don't need to steal or guess any login credentials [8].
- No tricking required: Attackers don't need to send fake emails or trick employees into clicking anything [9].
- Remote access: Attackers can break in from anywhere on the internet — they don't need to physically be at your office [10].
- Total control: Once inside, attackers can see everything, change anything, or shut the whole system down [11].
It's Happened Before
Here's the scary part: This isn't the first time Oracle has had this exact problem.
In November 2025, another security problem (called CVE-2025-61757) in the same software was being used by hackers to break into real businesses [12]. The U.S. government's cybersecurity agency (CISA) was so worried that they ordered all federal agencies to fix it immediately [13].
Now there's a new problem (CVE-2026-21992) that's almost identical — and it's just as dangerous [14].
What Software Is Affected?
Your business might be affected if you use any of these Oracle products:
Oracle Identity Manager
This is software that helps businesses manage user accounts and permissions [15]. It's commonly used by:
- Big companies with lots of employees who need different access levels
- Healthcare organizations (hospitals, clinics)
- Banks and financial companies
- Government agencies
- Any business with strict security rules
Oracle Web Services Manager
This software helps protect web services and APIs — the ways different computer systems talk to each other [16]. Here's the tricky part: This software gets installed automatically with other Oracle software, so you might have it without even knowing [17].
How to Check If You're Affected
If your business uses Oracle software, ask your IT person or managed service provider:
- Do we use Oracle Fusion Middleware?
- Do we use Oracle Identity Manager?
- What version of Oracle software are we running?
If you're not sure, it's safer to assume you might be affected until you know for certain.
What Your Business Should Do Right Now
1. Ask Your IT Person to Check
If you have an IT team or a managed service provider (a company that handles your technology), contact them immediately. Ask:
- "Do we use Oracle Identity Manager or Oracle Web Services Manager?"
- "Are we affected by CVE-2026-21992?"
- "When can we install the security patch?"
2. Install the Emergency Patch
Oracle has released a free security patch that fixes the problem [18]. It's called an "emergency patch" because it's so important — Oracle released it outside their normal schedule [19].
Your IT person can download the patch from Oracle's website and install it on your systems. This should be done as soon as possible — not next week, not after the holidays, but now [20].
3. Upgrade Old Software
If your business is running an old, unsupported version of Oracle software, you won't be able to get the patch [21]. You'll need to:
- Upgrade to a supported version first
- Then install the security patch
It's like trying to fix a broken lock on a door that's so old the manufacturer doesn't make parts for it anymore. You need to replace the whole lock, not just repair it.
4. Check for Signs of Trouble
Because hackers have used similar security problems to break into businesses before, it's smart to check if anything suspicious has happened recently [22]. Ask your IT person to:
- Check system logs for unusual activity
- Look for any new user accounts that nobody remembers creating
- Review who has been accessing the system and when
If something looks wrong, don't ignore it. Call a cybersecurity professional immediately.
Why This Matters (Even If You Don't Use Oracle)
You might be thinking: "We don't use Oracle software. Why should we care?"
Here's why this matters for every business:
Your Vendors Might Use Oracle
Many cloud services, software providers, and other vendors use Oracle infrastructure behind the scenes. If one of your vendors gets hacked through this Oracle problem, your data could be stolen too [23].
Think of it like this: If you leave your house key with a neighbor and their house gets burglarized because they left their door unlocked, your key (and your house) could be at risk too.
The Lesson Applies to All Software
The big lesson here isn't just about Oracle — it's about keeping all software updated [24].
When any software company (Microsoft, Apple, Adobe, anyone) releases an emergency security patch, it means there's a serious problem that hackers could exploit. Installing updates promptly is one of the most effective ways to protect your business [25].
Patching Saves Money
According to Absolute Security's 2026 report, businesses that don't keep their software updated lose hundreds of billions of dollars every year from cyberattacks and downtime [26]. That's money that could have been saved with timely updates and better security practices.
What Is a "Patch" Anyway?
Think of a software patch like a repair notice for your car.
When a car manufacturer discovers a safety problem — say, the brakes might fail in certain conditions — they send a notice to car owners. The notice says: "Bring your car in, and we'll fix it for free." You take the car to the mechanic, they install the new part, and now your car is safe again [27].
Software patches work the same way:
- The software company (Oracle, Microsoft, etc.) discovers a security problem
- They create a fix (the "patch")
- They release the patch and tell customers to install it
- Your IT person installs the patch on your systems
- Now your software is secure again
The difference is that with car recalls, you might have weeks or months to bring in your car. With emergency software patches like CVE-2026-21992, you should install them immediately — hackers are looking for unpatched systems right now [28].
How lilMONSTER Helps Businesses Stay Safe
At lilMONSTER, we help businesses protect themselves from security problems like CVE-2026-21992. Here's how:
We Find What Needs Fixing
We scan your systems to find out what software you're running and which ones need security updates [29].
We Prioritize What Matters Most
Not every security problem is an emergency. We help you focus on the ones that are most dangerous to your business — so you're not wasting time on minor issues while critical ones go unfixed [30].
We Make Sure Updates Actually Get Installed
Many businesses intend to install updates but never get around to it. We verify that patches are deployed correctly and nothing was missed [31].
We Watch for Attackers
We monitor your systems for signs that someone is trying to break in — and we catch them early, before they can do damage [32].
The Bottom Line
CVE-2026-21992 is a serious security problem that needs immediate attention if your business uses Oracle software. Here's what to remember:
- Check if you're affected: Ask your IT person about Oracle Identity Manager and Web Services Manager
- Install the patch: Do it as soon as possible — this is an emergency fix
- Upgrade old software: If you're running unsupported versions, upgrade first
- Watch for trouble: Check for signs that someone may have already broken in
Most importantly: Software updates aren't optional. They're one of the most important ways to keep your business safe from hackers [33].
Worried your business might be affected by CVE-2026-21992 or other security vulnerabilities? Book a free consultation with lilMONSTER. We'll help you understand your risks and protect what you've built.
FAQ
CVE-2026-21992 is a security flaw in some Oracle software that lets hackers break in without needing a password or login — like leaving a front door unlocked [34].
You should check if your vendors or service providers use Oracle, because a breach at their company could affect your data too. Also, the lesson applies to all software: install security updates promptly [35].
Ask your IT person or managed service provider: "Do we use Oracle Fusion Middleware, Identity Manager, or Web Services Manager?" They can check your systems and tell you [36].
If your business uses the affected Oracle software and you don't install the patch, hackers could break into your systems, steal data, or cause your systems to crash. Similar problems have been used in real attacks [37].
Immediately. This is an emergency patch, which means it's critical. Don't wait — ask your IT person to install it as soon as possible [38].
References
[1] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[2] Oracle, "Security Alert Advisory - CVE-2026-21992," Oracle, March 2026. [Online]. Available: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
[3] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[4] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[5] NVD, "CVE-2026-21992 Detail," National Vulnerability Database, March 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-21992
[6] Oracle, "Security Alert Advisory - CVE-2026-21992," Oracle, March 2026. [Online]. Available: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
[7] NVD, "CVE-2026-21992 Detail," National Vulnerability Database, March 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-21992
[8] NVD, "CVE-2026-21992 Detail," National Vulnerability Database, March 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-21992
[9] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[10] SecurityOnline, "Critical 9.8 CVSS Flaw Exposes Oracle Identity Manager to Total Takeover," SecurityOnline, March 2026. [Online]. Available: https://securityonline.info/critical-9-8-cvss-flaw-exposes-oracle-identity-manager-cve-2026-21992
[11] SecurityOnline, "Critical 9.8 CVSS Flaw Exposes Oracle Identity Manager to Total Takeover," SecurityOnline, March 2026. [Online]. Available: https://securityonline.info/critical-9-8-cvss-flaw-exposes-oracle-identity-manager-cve-2026-21992
[12] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[13] CISA, "CISA Adds One Known Exploited Vulnerability to Catalog," CISA, November 21, 2025. [Online]. Available: https://www.cisa.gov/news-events/alerts/2025/11/21/cisa-adds-one-known-exploited-vulnerability-catalog
[14] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[15] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[16] Oracle, "Security Alert Advisory - CVE-2026-21992," Oracle, March 2026. [Online]. Available: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
[17] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[18] Oracle, "Security Alert Advisory - CVE-2026-21992," Oracle, March 2026. [Online]. Available: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
[19] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[20] Oracle, "Security Alert Advisory - CVE-2026-21992," Oracle, March 2026. [Online]. Available: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
[21] Oracle, "Security Alert Advisory - CVE-2026-21992," Oracle, March 2026. [Online]. Available: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
[22] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[23] lilMONSTER, "Vendor Breach Supply Chain Security SMB Guide 2026," lil.business, 2026. [Online]. Available: /blog/vendor-breach-supply-chain-security-smb-guide-2026
[24] Absolute Security, "The Downtime Era is Now: Cyber Incidents and AI Enabled Attacks are Driving $400 Billion in Downtime Losses Annually," Absolute Security, March 23, 2026. [Online]. Available: https://www.absolute.com/press-releases/cybercriminals-have-open-access-to-enterprise-pcs-76-days-per-year-according-to-new-research-from-absolute-security
[25] Absolute Security, "The Downtime Era is Now: Cyber Incidents and AI Enabled Attacks are Driving $400 Billion in Downtime Losses Annually," Absolute Security, March 23, 2026. [Online]. Available: https://www.absolute.com/press-releases/cybercriminals-have-open-access-to-enterprise-pcs-76-days-per-year-according-to-new-research-from-absolute-security
[26] Absolute Security, "The Downtime Era is Now: Cyber Incidents and AI Enabled Attacks are Driving $400 Billion in Downtime Losses Annually," Absolute Security, March 23, 2026. [Online]. Available: https://www.absolute.com/press-releases/cybercriminals-have-open-access-to-enterprise-pcs-76-days-per-year-according-to-new-research-from-absolute-security
[27] Oracle, "Security Alert Advisory - CVE-2026-21992," Oracle, March 2026. [Online]. Available: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
[28] Oracle, "Security Alert Advisory - CVE-2026-21992," Oracle, March 2026. [Online]. Available: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
[29] lilMONSTER, "Patch Smarter, Not Harder: The 1% Rule for SMB Cybersecurity," lil.business, 2026. [Online]. Available: /blog/patch-smarter-not-harder-1pct-rule-smb-cybersecurity-2026
[30] lilMONSTER, "Patch Smarter, Not Harder: The 1% Rule for SMB Cybersecurity," lil.business, 2026. [Online]. Available: /blog/patch-smarter-not-harder-1pct-rule-smb-cybersecurity-2026
[31] lilMONSTER, "Patch Smarter, Not Harder: The 1% Rule for SMB Cybersecurity," lil.business, 2026. [Online]. Available: /blog/patch-smarter-not-harder-1pct-rule-smb-cybersecurity-2026
[32] lilMONSTER, "Incident Response Guide for SMBs," lil.business, 2026. [Online]. Available: /blog/incident-response-guide-smb
[33] Absolute Security, "The Downtime Era is Now: Cyber Incidents and AI Enabled Attacks are Driving $400 Billion in Downtime Losses Annually," Absolute Security, March 23, 2026. [Online]. Available: https://www.absolute.com/press-releases/cybercriminals-have-open-access-to-enterprise-pcs-76-days-per-year-according-to-new-research-from-absolute-security
[34] NVD, "CVE-2026-21992 Detail," National Vulnerability Database, March 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-21992
[35] lilMONSTER, "Vendor Breach Supply Chain Security SMB Guide 2026," lil.business, 2026. [Online]. Available: /blog/vendor-breach-supply-chain-security-smb-guide-2026
[36] Oracle, "Security Alert Advisory - CVE-2026-21992," Oracle, March 2026. [Online]. Available: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
[37] Help Net Security, "Oracle issues emergency fix for pre-auth RCE in Identity Manager (CVE-2026-21992)," Help Net Security, March 23, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992
[38] Oracle, "Security Alert Advisory - CVE-2026-21992," Oracle, March 2026. [Online]. Available: https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
This post is for informational purposes and does not constitute legal or compliance advice. If your business uses Oracle software, consult with your IT team or a qualified cybersecurity professional to assess your risk and plan your response.
Keep your business safe from critical vulnerabilities. Book a consultation with lilMONSTER to build security practices that protect what you've built.
lilMONSTER Newsletter
Weekly cybersecurity insights, practical tips, no spam. Unsubscribe anytime.