Essential Eight Maturity Model: A Practical Guide for Australian SMBs in 2026
The Australian Signals Directorate (ASD) developed the Essential Eight as a baseline. Not aspirational. Not best practice. Baseline.
Yet when I assess Australian SMBs, most are sitting at Maturity Level 0 or 1. They have partial controls, ad-hoc processes, and gaps they don't know about until an incident reveals them.
This guide covers what each maturity level means, what auditors actually look for, and how to get from Level 0 to Level 2 in 90 days.
The Four Maturity Levels
| Level | Description | Typical State |
|---|---|---|
| 0 | Not aligned with the mitigation strategies; weaknesses an attacker can exploit | Most SMBs start here |
| 1 | Partly aligned: controls exist but with gaps; holds up against commodity tradecraft | Many SMBs think they're here |
| 2 | Mostly aligned: controls in place with some automation; holds up against more capable adversaries | Target for most SMBs |
| 3 | Fully aligned: implemented, monitored, and tested | Government/enterprise standard |
Level 2 is the sweet spot for SMBs. It provides meaningful protection without enterprise-level resources.
The Eight Strategies (Simplified)
1. Application Control
What it means: Only approved software can run on your systems.
Level 2 target: Application control enforced on workstations and internet-facing servers, covering not just .exe files but software libraries (DLLs), scripts, installers, compiled HTML, HTML applications and control panel applets. Anything not explicitly allowed is blocked, Microsoft's recommended block rules are applied, and blocked executions are logged centrally.
SMB action: Start with AppLocker on Windows. Run it in audit mode first so you see what users actually execute, then enforce. The default rules allow Program Files and the Windows folder and block everything else, which covers temp folders, user profile directories, downloads and removable media; carve the user-writable folders under C:\Windows (Temp, Tasks, Tracing) out of the Windows rule or they become an easy bypass. Make sure the Application Identity service is running, or AppLocker does nothing.
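The following is an added example (not from the original article) of the starting policy described above: an AppLocker Exe rule collection in audit mode, a dry-run test against a binary copied into the user's temp folder, and the local apply. The policy file path, the rule GUIDs and the sample binary are assumptions for the example; it assumes an elevated PowerShell session on a Windows SKU that supports AppLocker enforcement.

```powershell
# Added example, not the article's own code. Writes an audit-mode AppLocker
# policy, tests it, and applies it locally. For a fleet, import the same XML
# into a GPO instead of calling Set-AppLockerPolicy on each machine.

$policyPath = "$env:ProgramData\AppLockerBaseline.xml"   # assumed location

# Executables under Program Files and the Windows folder are allowed; anything
# else (user profile, %TEMP%, Downloads, removable media) falls through to the
# implicit deny. The user-writable folders under %WINDIR% are carved out of the
# Windows rule so a dropped binary in C:\Windows\Temp can't run. Administrators
# keep an allow-everything rule so you can't lock yourself out while tuning.
# %PROGRAMFILES% in AppLocker covers both Program Files and Program Files (x86).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow Windows folder minus writable subfolders"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Allow administrators everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would the policy decide for a binary sitting in the user's temp
# folder? A copy of calc.exe stands in for a dropped payload (constructed sample).
$sample = Join-Path $env:TEMP 'dropper.exe'
Copy-Item "$env:WINDIR\System32\calc.exe" $sample -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample, "$env:WINDIR\System32\calc.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# Expected: the temp copy is DeniedByDefault, the System32 copy is Allowed.

# AppLocker only evaluates rules when the Application Identity service is running.
# sc.exe is used because the service is protected and Set-Service can fail on it.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# Apply in audit mode. "Would have been blocked" events are ID 8003 in
# Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Quick look at what audit mode would have stopped so far.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once a week or two of audit events shows nothing legitimate being flagged, change EnforcementMode to "Enabled" and re-apply. This collection covers executables only; the Level 2 wording above also wants Script, Msi and Dll collections, which follow the same XML shape.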
2. Patch Applications
What it means: Keep all software up to date.
Level 2 target: Patches for internet-facing services within 48 hours when a working exploit exists, otherwise within two weeks. Patches for browsers and their extensions, Office, email clients, PDF readers and security products within two weeks. A vulnerability scanner runs at least fortnightly to find what's missing, and software the vendor no longer supports is removed.
SMB action: Enable automatic updates for browsers, Office and PDF readers. Uninstall Java and any other runtime nobody has a business need for rather than patching it forever. Use a patch management tool for everything else, and keep the scanner output as evidence.
3. Configure Microsoft Office Macro Settings
What it means: Block macros from the internet. Only allow digitally signed macros.
Level 2 target: Macros are disabled for users who have no business need for them. Where they are needed, macros in files from the internet are blocked, only digitally signed macros from trusted publishers run, macros are scanned by antivirus, and users cannot change these settings themselves.
SMB action: A handful of Group Policy settings from the Office ADMX templates, set per application (Word, Excel, PowerPoint): "Block macros from running in Office files from the Internet" and "VBA Macro Notification Settings" set to disable all except digitally signed. Takes minutes. Microsoft 365 Apps has blocked internet macros by default since 2022, but the policy stops a user clicking through the block and covers older Office builds, closing off what was for years the most common initial access vector.
4. User Application Hardening
What it means: Lock down web browsers and email clients.
Level 2 target: Browsers do not process Java or web advertisements from the internet, Internet Explorer 11 is disabled or removed, and users cannot change browser security settings. Office and PDF readers are blocked from spawning child processes. .NET Framework 3.5 and Windows PowerShell 2.0 are disabled or removed, PowerShell runs in Constrained Language Mode, and script block logging is on. Unused features in email clients are disabled.
SMB action: Deploy uBlock Origin through browser policy so users can't remove it, remove Flash and Java browser plugins (Flash is dead, but check old builds), block auto-play media, set Outlook to block external content in HTML mail, and turn on the Microsoft Defender attack surface reduction rules that stop Office from creating child processes.
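The two Office-related actions above (the macro settings in strategy 3 and the Outlook external-content setting in strategy 4) are all registry policy values under HKCU\Software\Policies. The following added example, not from the original article, sets them the way a GPO would and then audits them, including the Trusted Locations that bypass macro settings entirely. The macro value names are the documented Office 2016+ policy locations; the Outlook BlockExtContent key is the one I recall from the Outlook ADMX template, so verify it against your templates before relying on it.

```powershell
# Added example, not the article's own code. Run as the user whose settings you
# want to check; for a fleet push the same values with GPO or Intune, because a
# user with write access to their own HKCU can undo a locally written value.

$officeVersion = '16.0'   # Office 2016, 2019, 2021 and Microsoft 365 Apps all use 16.0
$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 2 = disable with notification (Office default, user can click through)
#              3 = disable all except digitally signed
#              4 = disable all without notification
# blockcontentexecutionfrominternet: 1 = block macros in files carrying Mark-of-the-Web
$desired = @{
    'VBAWarnings'                       = 3
    'blockcontentexecutionfrominternet' = 1
}

function Set-OfficeHardeningPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $desired.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $desired[$name] -PropertyType DWord -Force | Out-Null
        }
    }
    # Outlook: don't fetch remote images/content in HTML mail (tracking pixels, hostile content).
    # Key name is an assumption from the ADMX template; confirm before deploying.
    $mail = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Outlook\Options\Mail"
    if (-not (Test-Path $mail)) { New-Item -Path $mail -Force | Out-Null }
    New-ItemProperty -Path $mail -Name 'BlockExtContent' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-OfficeMacroPolicy {
    # One row per app/setting: current value, expected value, pass/fail.
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        foreach ($name in $desired.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Current   = $current
                Expected  = $desired[$name]
                Compliant = ($current -eq $desired[$name])
            }
        }
    }
}

function Get-OfficeTrustedLocations {
    # Macros in a Trusted Location ignore VBAWarnings, so a user-writable trusted
    # folder silently defeats the policy above. List them so they can be reviewed.
    foreach ($app in $apps) {
        $tl = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security\Trusted Locations"
        if (Test-Path $tl) {
            Get-ChildItem $tl | ForEach-Object {
                $loc = Get-ItemProperty $_.PSPath
                [pscustomobject]@{ App = $app; Path = $loc.Path; AllowSubfolders = [bool]$loc.AllowSubfolders }
            }
        }
    }
}

Set-OfficeHardeningPolicy
Test-OfficeMacroPolicy   | Format-Table -AutoSize
Get-OfficeTrustedLocations | Format-Table -AutoSize
```

The audit functions are the useful part for evidence: run them under each user (or via a logon script that writes the output somewhere central) and keep the results with your maturity assessment.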
5. Restrict Administrative Privileges
What it means: Admin accounts are for admin tasks only.
Level 2 target: Separate admin and user accounts. Privileged accounts cannot browse the web, read email or use web services. Privileged access is granted only on a validated request, revalidated at least annually, and disabled after 45 days of inactivity. Quarterly review is a sensible SMB cadence that comfortably meets this.
SMB action: Create separate admin accounts (for example jsmith-adm) used only for admin tasks, never for daily work, email or browsing. Remove admin rights from standard users and from any broad group (Domain Users, Authenticated Users) that has crept into a machine's local Administrators group. Use LAPS so every machine's built-in Administrator password is unique.
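An added example (not from the original article) of the "remove admin rights from standard users" check, which also serves the "review admin access and permissions" step in the 90-day plan: it audits local Administrators membership against an allowlist and previews removal of anything else. The allowlist entries and the admin group name are assumptions; replace them with your own break-glass account and admin group. Reading membership works unelevated; removal needs an elevated session.

```powershell
# Added example, not the article's own code.

$approved = @(
    "$env:COMPUTERNAME\Administrator",  # built-in break-glass account, managed by LAPS
    'CORP\Workstation-Admins'           # assumed AD group that holds the separate "-adm" accounts
)

# Groups that should never be local admins; granting them is a common misconfiguration.
$neverAdmin = 'Domain Users', 'Authenticated Users', 'Everyone', 'Users'

function Get-LocalAdminFindings {
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $shortName = $m.Name -replace '^.*\\', ''
        $verdict = if ($approved -contains $m.Name)        { 'approved' }
                   elseif ($neverAdmin -contains $shortName) { 'REMOVE: broad group' }
                   elseif ($m.ObjectClass -eq 'User')        { 'REMOVE: individual account (give admin rights via the admin group only)' }
                   else                                      { 'review: unlisted group' }
        [pscustomobject]@{
            Member  = $m.Name
            Type    = $m.ObjectClass       # User or Group
            Source  = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Verdict = $verdict
        }
    }
}

$findings = Get-LocalAdminFindings
$findings | Format-Table -AutoSize

# Preview the clean-up; drop -WhatIf once the list is right.
$findings | Where-Object Verdict -like 'REMOVE*' | ForEach-Object {
    Remove-LocalGroupMember -Group 'Administrators' -Member $_.Member -WhatIf
}
```

Get-LocalGroupMember throws "Failed to compare two elements" on some builds when the group contains an orphaned SID from a deleted account; if you hit that, `net localgroup Administrators` still lists the members and the orphaned SID is itself a finding to clean up.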
6. Patch Operating Systems
What it means: Keep your OS current.
Level 2 target: Patches for internet-facing servers and network devices within 48 hours when a working exploit exists, otherwise within two weeks; workstation and other server OS patches within two weeks. Operating systems the vendor no longer supports are replaced.
SMB action: Enable automatic Windows Update, or Windows Update for Business rings if you need control over deferrals and reboots. Windows 10 reached end of support on 14 October 2025; any machine still on it without paid Extended Security Updates is no longer receiving fixes and needs upgrading or replacing. Document your patch compliance: which machines, which build, when each last installed a security update.
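The following is an added example (not from the original article) of the per-machine patch compliance snapshot that "document your patch compliance" asks for. It uses the Windows Update Agent COM API rather than Get-HotFix, because Get-HotFix only lists Win32 QFEs and misses most modern updates. The 14-day threshold is the "otherwise within two weeks" target above; the 48-hour target applies when an exploit exists, which the script cannot know, so check Microsoft's "Exploited" flag or CISA's KEV list for anything it reports as pending. The Windows 10 end-of-support date (14 October 2025) is a known date; the CSV location is an assumption.

```powershell
# Added example, not the article's own code. Run as an administrator on a machine
# that can reach Windows Update or your WSUS server.

$now = Get-Date
$os  = Get-CimInstance Win32_OperatingSystem

# Unsupported OS check. Machines enrolled in Windows 10 Extended Security Updates
# still receive patches; this check can't see ESU enrolment, so treat "True" as
# "confirm ESU or replace".
$unsupported = ($os.Caption -like '*Windows 10*') -and ($now -gt [datetime]'2025-10-14')

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()

# Most recent successfully installed security/cumulative update from the WUA history.
$lastSecurity = $searcher.QueryHistory(0, $searcher.GetTotalHistoryCount()) |
    Where-Object { $_.ResultCode -eq 2 -and $_.Title -match 'Cumulative|Security' } |   # ResultCode 2 = Succeeded
    Sort-Object Date -Descending | Select-Object -First 1

# Updates that have been offered to this machine but not installed. The search
# talks to Windows Update/WSUS and can take a minute or fail offline.
try {
    $pending = @($searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates | ForEach-Object { $_ })
} catch {
    Write-Warning "Windows Update search failed ($($_.Exception.Message)); pending counts will be zero"
    $pending = @()
}
$pendingSecurity = @($pending | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' })

function Get-PatchComplianceReport {
    # Overdue = a Critical/Important update available for more than 14 days.
    $overdue = @($pendingSecurity | Where-Object { ($now - $_.LastDeploymentChangeTime).TotalDays -gt 14 })
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        OS                  = "$($os.Caption) build $($os.BuildNumber)"
        UnsupportedOS       = $unsupported
        LastSecurityUpdate  = if ($lastSecurity) { $lastSecurity.Date.ToString('yyyy-MM-dd') } else { 'none in history' }
        PendingSecurity     = $pendingSecurity.Count
        OverdueSecurity     = $overdue.Count
        OverdueTitles       = ($overdue.Title -join '; ')
        Compliant           = (-not $unsupported) -and ($overdue.Count -eq 0)
        CheckedAt           = $now.ToString('s')
    }
}

$report = Get-PatchComplianceReport
$report | Format-List

# Keep the evidence: one row per machine per check, appended over time.
$report | Export-Csv -Path "$env:ProgramData\patch-compliance-$($env:COMPUTERNAME).csv" -NoTypeInformation -Append
```

Run it from your RMM or a scheduled task after each Patch Tuesday cycle and the CSVs become the compliance record an assessor asks for.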
7. Multi-Factor Authentication
What it means: Something you know + something you have.
Level 2 target: MFA on all internet-facing services. MFA on all privileged accounts. MFA on all remote access.
SMB action: Enable MFA on Microsoft 365, the VPN, remote access gateways and every cloud admin console. Use authenticator apps, passkeys or FIDO2 security keys, not SMS. Don't expose RDP to the internet at all; put it behind the VPN or a gateway that enforces MFA.
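An added example (not from the original article) of how to check the Microsoft 365 part of this: it pulls Entra ID's MFA registration report and lists the accounts that matter most, admins without MFA and users whose only registered method is a phone number or email. It assumes the Microsoft.Graph.Reports module is installed and that the signed-in reader has the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes. The method names in the two lists are the values I recall the registrationDetails report returning; print one user's MethodsRegistered first and adjust if your tenant reports different names.

```powershell
# Added example, not the article's own code.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Methods that are a real "something you have" and resist SIM-swap / SMS interception.
$strong = 'microsoftAuthenticatorPush', 'microsoftAuthenticatorPasswordless',
          'softwareOneTimePasscode', 'hardwareOneTimePasscode',
          'windowsHelloForBusiness', 'fido2SecurityKey', 'passKeyDeviceBound'

function Get-MfaFindings {
    foreach ($u in $details) {
        $methods   = @($u.MethodsRegistered)
        $hasStrong = @($methods | Where-Object { $_ -in $strong }).Count -gt 0
        $verdict = if (-not $u.IsMfaRegistered) {
                       if ($u.IsAdmin) { 'CRITICAL: admin without MFA' } else { 'no MFA registered' }
                   }
                   elseif (-not $hasStrong) { 'weak: phone/SMS/email only' }   # registered, but only interceptable methods
                   else                     { 'ok' }
        [pscustomobject]@{
            User    = $u.UserPrincipalName
            Admin   = $u.IsAdmin
            Methods = ($methods -join ',')
            Verdict = $verdict
        }
    }
}

Get-MfaFindings |
    Where-Object Verdict -ne 'ok' |
    Sort-Object Admin -Descending |
    Format-Table -AutoSize
```

Registration is not enforcement: a user can have an authenticator registered and still sign in with just a password if no Conditional Access policy (or Security Defaults, for a small tenant) requires MFA. Check the policy side separately.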
8. Regular Backups
What it means: Tested, offline backups you can actually restore from.
Level 2 target: Daily backups of important data, software and settings, with at least one copy offline or immutable. Ordinary user accounts cannot read other users' backups, and nobody except backup administrators can modify or delete backups. Restores are tested at least quarterly as part of a disaster recovery exercise.
SMB action: Automate daily backups. Keep one copy offline or in immutable cloud storage that your domain admin credentials cannot delete, because ransomware operators go for the backups first. Test restoration quarterly at minimum (monthly if it's automated): restore a real file and a whole server, and record what you restored, how long it took and what failed.
Essential Eight Assessment Kit — $47
Templates, gap analysis worksheets, and maturity level scorecards built specifically for SMBs. Audit-ready documentation in hours, not weeks.
Get the Assessment Kit →
The 90-Day Plan to Level 2
Days 1-30: Quick Wins
| Action | Effort | Impact |
|---|---|---|
| Enable MFA everywhere | Low | Critical |
| Block Office macros from internet | Low | Critical |
| Enable automatic OS patching | Low | High |
| Separate admin and user accounts | Medium | High |
| Enable automatic application updates | Low | Medium |
Days 31-60: Build the Foundation
| Action | Effort | Impact |
|---|---|---|
| Configure application control | Medium | High |
| Harden browsers and email | Low | Medium |
| Set up automated daily backups | Medium | Critical |
| Create patch management process | Medium | High |
| Document all controls | Medium | Medium |
Days 61-90: Test and Verify
| Action | Effort | Impact |
|---|---|---|
| Test backup restoration | Low | Critical |
| Review admin access and permissions | Medium | High |
| Run a phishing simulation | Low | High |
| Document incident response plan | Medium | High |
| Self-assess against Essential Eight checklist | Low | Medium |
Why This Matters for Australian Businesses
The 2022 Privacy Act amendments raised the maximum penalty for a serious or repeated interference with privacy to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover. Cyber insurance underwriters increasingly ask for evidence of Essential Eight alignment before they will write or renew a policy, and many government contracts require it outright.
Even if none of those apply to you, the Essential Eight protects against the most common attack vectors. It's not theoretical. It's practical defence against real threats.
Bottom Line
You don't need a million-dollar security program. You need the Essential Eight implemented properly. Most of it costs nothing but time and discipline.
Level 2 in 90 days is achievable. Start today.
Need help implementing the Essential Eight for your business? Get in touch.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →
TL;DR
- Microsoft fixed 84 security problems in their software this month
- Two bugs were especially serious because bad guys knew about them before Microsoft could fix them
- One bug lets attackers become bosses of your database; another can crash your apps
- You should update your Windows computers this week
Related: How AI Attacks Now Steal Your Data in 72 Minutes
What Is Patch Tuesday?
Think of Patch Tuesday like a regular check-up at the doctor, but for your computer. Every second Tuesday of the month, Microsoft releases updates that fix security problems in Windows, Office, and other Microsoft software [1].
It's called "Patch Tuesday" because Microsoft "patches" (fixes) holes that bad guys could use to break into your computer.
What Happened in March 2026
This month, Microsoft fixed 84 security problems [2]. That's a lot! Most of these are like small cracks in a wall — not super dangerous on their own, but bad if left unfixed.
Two of these problems were extra serious because they were already public before Microsoft's fix was out, so bad guys could study them before anyone could patch. These are called "zero-days": the people who have to fix the bug had zero days of warning before it became known [3].
The Two Big Bugs to Know About
Bug #1: The Database Boss Maker (CVE-2026-21262)
Imagine your business database is like a filing cabinet with different drawers. Most employees can only open certain drawers. The boss can open ALL the drawers.
This bug lets someone who's only supposed to open one drawer suddenly become the boss and open EVERY drawer [4].
Why it's bad: If a bad guy gets into your system (even just a tiny bit), they can use this bug to give themselves full control over your database. They could read, change, or delete your customer records, financial data, or any important information [5].
Who needs to worry: If your business uses Microsoft SQL Server (a program that stores lots of business data), you need to fix this right away.
Bug #2: The App Crasher (CVE-2026-26127)
Imagine your business has a storefront. This bug is like someone having a remote control that can shut your doors and make customers wait outside [6].
It affects programs built with .NET (a tool many businesses use to build applications). A bad guy could crash your apps from anywhere in the world, making your website or tools stop working [7].
Why it's bad: Downtime = lost money. If your online store or booking system goes down, customers can't buy from you.
Who needs to worry: If your business runs applications built with Microsoft .NET, the .NET runtime on the computers running them needs updating. For the older .NET Framework that arrives through Windows Update; newer .NET versions update separately. Apps that bundle their own private copy of .NET don't get fixed by Windows Update at all; the vendor has to ship a new build, so ask them.
Other Important Fixes
Microsoft also fixed a bug called CVE-2026-25187 that lets someone with basic access become the boss of the entire Windows computer (SYSTEM account) [8]. Think of it like an intern suddenly getting the CEO's keycard.
There's also CVE-2026-26144, which could leak information from Excel files when using Microsoft's AI helper (Copilot) [9]. If your Excel files have sensitive business info, this matters.
Why Privilege Escalation Is Like Promoting the Wrong Person
Most of the bugs fixed this month (55 out of 84!) are called "privilege escalation" [10]. That's a fancy way of saying "promoting someone to a level they shouldn't have."
Here's how it works:
- Bad guy gets into your system somehow (like finding an open window)
- Bad guy uses a privilege escalation bug (like picking a lock to get from the hallway into the CEO's office)
- Bad guy now has full control and can steal, delete, or ransom your data
This is why patching matters — even if you think "why would bad guys target me?" — they use automated tools to find these open doors everywhere.
What You Should Do This Week
1. Update All Windows Computers
For most Windows users, it's easy:
- Click Start → Settings (the gear icon)
- Go to "Windows Update"
- Click "Check for updates"
- Install all updates and restart when asked
This should take 10-30 minutes, depending on your computer.
2. Check With Your IT Person or Vendor
If you have someone managing your computers, ask them:
- "Did we apply the March 2026 Microsoft security updates?"
- "Do we use SQL Server? If so, is it patched for CVE-2026-21262?"
- "Do we have any .NET applications? Are they updated?"
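If the person you ask wants something concrete to run, here is an added example (not from the original article) of a script they can run on each Windows server to answer those three questions: whether a March 2026 update is in the Windows Update history, which SQL Server instances exist and what patch level they are at, and which .NET versions are present. It does not contain the fixed build numbers for CVE-2026-21262 or CVE-2026-26127; the person running it compares its output with the versions listed in Microsoft's advisories for those CVEs.

```powershell
# Added example, not the article's own code. Read-only; run as an administrator.

$lines = New-Object System.Collections.Generic.List[string]

# 1. Was a March 2026 Windows update installed? Microsoft titles the monthly
#    updates "2026-03 Cumulative Update for Windows ...", so the title prefix
#    is enough to find them in the Windows Update history.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$march = $searcher.QueryHistory(0, $searcher.GetTotalHistoryCount()) |
    Where-Object { $_.ResultCode -eq 2 -and $_.Title -like '2026-03*' }        # ResultCode 2 = Succeeded
if ($march) {
    $march | ForEach-Object { $lines.Add("INSTALLED $($_.Date.ToString('yyyy-MM-dd')): $($_.Title)") }
} else {
    $lines.Add('MISSING: no successfully installed 2026-03 update in Windows Update history')
}

# 2. SQL Server: every instance is registered under Instance Names\SQL, and the
#    instance's Setup key records the RTM version and the current patch level.
#    (32-bit SQL Server on 64-bit Windows registers under Wow6432Node instead.)
$instKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
if (Test-Path $instKey) {
    $instances = Get-ItemProperty $instKey
    foreach ($p in ($instances.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $setup = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($p.Value)\Setup"
        $lines.Add("SQL Server instance '$($p.Name)': RTM $($setup.Version), patch level $($setup.PatchLevel) -> compare with the fixed build in the CVE-2026-21262 advisory")
    }
} else {
    $lines.Add('No SQL Server instances registered on this machine')
}

# 3. .NET: the Framework 4.x build (patched through Windows Update) and any .NET
#    (Core) runtimes, which are updated separately. Self-contained apps bundle
#    their own runtime and are only fixed when the vendor ships a new build.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if ($ndp) { $lines.Add(".NET Framework 4.x $($ndp.Version) (Release $($ndp.Release)) -> compare with the CVE-2026-26127 advisory") }
if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    dotnet --list-runtimes | ForEach-Object { $lines.Add(".NET runtime: $_ -> compare with the CVE-2026-26127 advisory") }
} else {
    $lines.Add("No 'dotnet' CLI found; any .NET (Core) apps here are self-contained or absent, so ask the app vendor")
}

$lines
```

Paste the output into a ticket and you have a dated record of who checked what, which is exactly the evidence a cyber insurer or assessor asks for after an incident.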
3. Back Up Important Data Before Updating
Before updating critical systems (like servers or computers that run your business):
- Make sure your backups are recent
- Test that you can restore from backups
- Have a plan in case something goes wrong
It's like backing up your phone before updating iOS — just good practice.
Related: Your Backups Are Actually Working — But Ransomware Gangs Just Changed the Rules
Why This Matters for Your Business
Think of computer security like locking up your shop at night. You wouldn't leave the back door open, right?
Unpatched software is like an open door. Bad guys have automated tools that scan the internet looking for open doors. They don't care who you are — they're just looking for easy targets.
The good news: When you update regularly, you're closing those doors. Most automated attacks will move on to easier targets.
FAQ
What if I can't update this week?
Set a reminder for next week. Better late than never. But if your computers hold sensitive data (customer info, financial records, passwords), try to update within 7 days for the serious bugs (the two zero-days).
Can an update break something?
It's rare, but sometimes updates can cause problems. That's why big businesses test updates first. For a small business, just make sure you have backups before updating. If something breaks, you can restore.
I use a Mac. Does this apply to me?
These specific updates are for Microsoft software. If your Mac runs Microsoft Office or uses Microsoft .NET applications, you might still need to update those programs. Check with your IT person.
What about our phones?
These updates are for computers. Phones (iPhone, Android) have their own update systems. You should update those too, but that's separate from Patch Tuesday.
How often should we check for updates?
Microsoft releases updates every month on Patch Tuesday (second Tuesday). Set a reminder to check updates a few days after Patch Tuesday each month. It's a good habit.
Security doesn't have to be complicated. Update regularly, back up your data, and have a plan. That's the foundation. If you want help building a security approach that fits your business, let's talk.
References
[1] Microsoft, "Windows Update Overview," Microsoft Docs, 2026. [Online]. Available: https://docs.microsoft.com/windows/deployment/update/windows-update-overview
[2] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html
[3] Malwarebytes, "What is a Zero-Day Vulnerability?" Malwarebytes Labs, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2025/11/what-is-a-zero-day-vulnerability
[4] National Vulnerability Database, "CVE-2026-21262," NIST, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-21262
[5] Malwarebytes, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Malwarebytes Blog, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities
[6] Security Boulevard, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Security Boulevard, 2026. [Online]. Available: https://securityboulevard.com/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities-2/
[7] Malwarebytes, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Malwarebytes Blog, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities
[8] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html
[9] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html
[10] Satnam Narang, "Patch Tuesday Analysis: March 2026," Tenable, 2026. [Online]. Available: https://www.tenable.com/blog/