The Essential Eight explained: a plain-English guide for business
Australia's Essential Eight cybersecurity controls explained in plain English — what each one does and why your business should care.
Australia has a clear, sensible cybersecurity baseline. Here it is, without the jargon.
The Essential Eight is a set of eight security measures from the Australian Cyber Security Centre (ACSC) that, done well, prevent or limit the large majority of cyber attacks. It is the most practical security baseline any Australian business can work to — and you do not need to be technical to understand it.
The eight controls in plain English
Application control: only approved programs are allowed to run, so malware cannot simply execute.
Patch applications: keep your software updated, because updates close the security holes attackers exploit.
Configure Office macros: restrict the little automated scripts in Office documents that are a common malware delivery method.
User application hardening: switch off risky features in browsers and apps that attackers abuse.
Restrict administrator privileges: limit who has "admin" powers, because those accounts are the keys to everything.
Patch operating systems: keep Windows and your servers updated for the same reason as applications.
Multi-factor authentication (MFA): require a second proof of identity, so a stolen password alone is not enough to get in.
Regular backups: keep daily, tested, tamper-proof backups so you can recover from ransomware without paying.
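For readers who do have a technical person on hand, here is what "finding out where you stand" looks like on a single Windows workstation. This is an added example, not the self-assessment tool or service described on this page: a read-only PowerShell script that inspects four of the eight controls (Office macro settings, local administrator membership, whether an AppLocker policy is enforced, and the age of the last installed Windows update) and prints an OK/REVIEW table. The registry paths and cmdlets are real; the thresholds (two local admins, 30 days since the last update) are assumptions chosen for illustration, not the ACSC maturity-model criteria.

```powershell
# Added example (not Key IT's assessment tool): read-only snapshot of four Essential Eight
# controls on one Windows 10/11 machine with Office 2016 or later. Run from an elevated
# PowerShell session. Thresholds below are illustrative assumptions, not ACSC criteria.

$findings = @()

# 1. Configure Office macros: the policy value Office reads when Group Policy sets
#    "Block macros from running in Office files from the Internet". 1 = blocked.
#    Word, Excel and PowerPoint each have their own key.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $value = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $findings += [pscustomobject]@{
        Control = 'Configure Office macros'
        Check   = "$app blocks macros in files from the internet"
        Status  = if ($value -eq 1) { 'OK' } else { 'REVIEW' }
        Detail  = if ($null -eq $value) { 'policy not set' } else { "value=$value" }
    }
}

# 2. Restrict administrator privileges: who is in the local Administrators group?
#    Every name listed should have a reason to be there. Two is an assumed ceiling.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
$findings += [pscustomobject]@{
    Control = 'Restrict administrator privileges'
    Check   = 'Local Administrators group membership'
    Status  = if ($admins.Count -le 2) { 'OK' } else { 'REVIEW' }
    Detail  = ($admins -join ', ')
}

# 3. Application control: is at least one AppLocker rule collection being enforced?
#    AppLocker is one way to implement this control; a machine using another product
#    (e.g. WDAC) would show REVIEW here and need a different check.
$policyXml = [xml](Get-AppLockerPolicy -Effective -Xml)
$enforced  = @($policyXml.AppLockerPolicy.RuleCollection |
               Where-Object { $_.EnforcementMode -eq 'Enabled' })
$findings += [pscustomobject]@{
    Control = 'Application control'
    Check   = 'AppLocker rule collections in enforce mode'
    Status  = if ($enforced.Count -gt 0) { 'OK' } else { 'REVIEW' }
    Detail  = if ($enforced.Count -gt 0) { ($enforced.Type -join ', ') } else { 'none enforced' }
}

# 4. Patch operating systems: how long since the most recent Windows update was installed?
#    30 days is an assumed threshold for this example; the ACSC timeframes are shorter
#    for vulnerabilities that are being actively exploited.
$latest = Get-HotFix | Where-Object InstalledOn |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
$age = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }
$findings += [pscustomobject]@{
    Control = 'Patch operating systems'
    Check   = 'Days since last installed update'
    Status  = if ($null -ne $age -and $age -le 30) { 'OK' } else { 'REVIEW' }
    Detail  = if ($latest) { "$($latest.HotFixID) installed $age day(s) ago" } else { 'no update history found' }
}

$findings | Format-Table -AutoSize
```

Everything here reads settings and writes nothing, so it is safe to run on a live machine. A REVIEW line is a prompt to look closer, not a verdict: the macro keys, for example, only appear when the setting is delivered by policy, so an unmanaged PC will show "policy not set" even if users have never enabled a macro. The other four controls (application patching, browser hardening, MFA and backups) live in other systems and need their own checks.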
Maturity levels: how far up you go
Each control is measured across maturity levels, from Level Zero (not meeting the baseline) up to Level Three (the most robust). Crucially, your overall maturity is set by your weakest control, not your average — because attackers find the weakest link. Most small and medium businesses should aim for Maturity Level One as a solid baseline, moving toward Level Two where the risk or a compliance requirement justifies it.
Why your business should care
Even where it is not legally mandated, the Essential Eight is increasingly expected — by insurers deciding whether to cover you, by larger customers and government before awarding contracts, and by regulators. More to the point, it works: these eight measures stop the attacks that actually happen. It is the difference between hoping you are secure and knowing where you stand.
How to find out where you stand
Start with our free Essential 8 self-assessment for a baseline in minutes, or read about our full Essential 8 service, where we assess your maturity honestly and build a roadmap to lift it.
Frequently asked questions
What is the Essential Eight?
Eight cybersecurity measures from the ACSC — covering application control, patching, macros, application hardening, admin privileges, OS patching, MFA and backups — that prevent or limit most attacks.
Is the Essential Eight mandatory?
It is mandatory for many government entities and increasingly required by insurers and contracts. For most private businesses it is strongly recommended as the baseline.
What maturity level should my business aim for?
Most SMBs should target Maturity Level One as a baseline, moving toward Level Two where risk or compliance requires it.
How is overall maturity calculated?
By your weakest control, because security is only as strong as its weakest point.