Free resource  /  for AU and NZ businesses

The Essential Eight, in plain English for your business.

The eight controls your cyber insurer, your enterprise clients and your auditor keep asking about. Here is what each one means, and the first thing to do about it. No jargon, no sign-up.

Run the free Cyber Check
What this is

Eight controls, one honest baseline.

The Essential Eight is the Australian Cyber Security Centre's set of eight mitigation strategies. Implemented together, they shut down the common attack paths most businesses actually face: phishing, stolen passwords, unpatched software and ransomware. There are four maturity levels, from 0 (not implemented) to 3. For most businesses, getting cleanly to Maturity Level One is the right first target, and it is more achievable than it looks. Work top to bottom, tick what you already have, and start a conversation about the rest.

The checklist

The eight, in priority order.

Ordered for a small firm by impact and effort, not by the official numbering. The first three close the most common doors for the least money.

01

Multi-factor authentication

A password alone is not a lock. Turn on MFA for Microsoft 365 or Google Workspace, remote access (VPN, remote desktop), and anything holding client data. An authenticator app or hardware key is stronger than SMS codes. Start with: enforce MFA for every user, administrators first.
02

Regular backups

If ransomware hits tonight, what do you restore from tomorrow? Keep recent, tested backups of client files and email, with at least one copy that is offline or immutable so an attacker inside your network cannot delete or encrypt it. Start with: confirm a backup exists, then actually test a restore.
03

Patch applications

Browsers, PDF readers, your practice-management suite. Attackers use known holes in out-of-date software. Start with: turn on automatic updates, and patch internet-facing apps within two weeks (within 48 hours if a working exploit is already circulating).
04

Patch operating systems

Windows, macOS and any servers, kept current. An unsupported version is an open door nobody is guarding, because the vendor has stopped fixing holes in it. Start with: enable automatic OS updates, patch internet-facing servers within two weeks, and retire anything past end-of-support.
05

Restrict administrative privileges

Day-to-day work should not run as an administrator. Fewer admins means fewer keys to the kingdom. Start with: list who holds admin rights and remove the ones who do not need them; anyone who genuinely does should get a separate admin account that is never used for email or web browsing.
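An added example, not part of the original checklist: a PowerShell script that answers the "who holds admin rights?" question on a Windows PC. It lists the members of the local Administrators group, flags any not on an approved list, and shows the removal command in dry-run mode. The approved-admin names in the script are placeholders you must replace with your own; the cmdlets themselves (Get-LocalGroupMember, Remove-LocalGroupMember) ship with Windows 10/11 and Windows Server 2016 and later. Run it in an elevated PowerShell window on each machine, or push it out through your management tool.

```powershell
# Added example: audit local administrators on this Windows machine.
# Not code from the original page. The names in $approvedAdmins are hypothetical;
# replace them with the accounts or groups your business has decided may hold admin.
$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, should be disabled or vaulted
    "CONTOSO\IT-Admins"                  # hypothetical domain or Entra group for IT staff
)

# First check: is the account you are using right now an administrator?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$runningAsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current user $($identity.Name) is running as administrator: $runningAsAdmin"

# List every member of the local Administrators group.
# PrincipalSource tells you whether it is a local account, an Active Directory account,
# an Entra ID (AzureAD) account, or a personal Microsoft account.
$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    [pscustomobject]@{
        Name            = $m.Name
        ObjectClass     = $m.ObjectClass       # User or Group
        PrincipalSource = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Approved        = ($approvedAdmins -contains $m.Name)
    }
}

$report | Format-Table -AutoSize

# Dry run: show what would be removed. Drop -WhatIf only after you have confirmed
# with the business that nobody on the list still needs admin rights.
$report | Where-Object { -not $_.Approved } | ForEach-Object {
    Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf
}
```

A personal Microsoft account or an individual's everyday domain account appearing with Approved set to False is the finding to act on first: that is the "day-to-day work running as administrator" the checklist item is about.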
06

Application control

Only approved software runs. This stops the random download and the malicious attachment before they ever execute. Start with: know what is installed, then block programs from running out of user-writable places such as Downloads, temp folders and the user profile, which is where most malware lands first.
07

Configure Microsoft Office macro settings

Macros in documents are a classic way malware gets in. Start with: block macros in files downloaded from the internet or received by email, allow only macros digitally signed by a trusted publisher where the business genuinely needs them, and lock the setting so users cannot switch it back.
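An added example, not part of the original checklist: the Office macro policy applied with PowerShell. The settings are the Office policy registry values (the same ones Group Policy or Intune write), so what this script does per user can be pushed to the whole fleet from your management tool. It assumes a modern Office build (Office 2016 or later, including Microsoft 365 Apps, which all use the "16.0" registry version) and covers Word, Excel and PowerPoint; Access, Outlook, Visio and Project have their own keys and are not handled here. Run it in the user's own session, since it writes under HKCU.

```powershell
# Added example: apply Essential Eight macro settings to Word, Excel and PowerPoint.
# Not code from the original page. Assumes Office 2016+/Microsoft 365 Apps ("16.0").
$apps = 'Word', 'Excel', 'PowerPoint'

# Set to 4 (disable all macros, no notification) for staff with no business need for macros.
# 3 = disable all macros except those digitally signed by a trusted publisher.
# The weak value on unmanaged machines is 2 (disable with notification), which shows
# the yellow bar and lets the user click "Enable Content" on a malicious document.
$macroPolicy = 3

foreach ($app in $apps) {
    # Values under Software\Policies are enforced and greyed out in the Trust Center UI,
    # so users cannot change them back.
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $macroPolicy -Type DWord

    # Block macros in files carrying the Mark of the Web (downloaded or emailed),
    # regardless of the VBAWarnings setting above.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Verify: every row should show VBAWarnings 3 (or 4) and blockcontentexecutionfrominternet 1.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Get-ItemProperty -Path $key |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

If a document from a supplier genuinely needs macros, the fix is to have the supplier sign it and add their certificate as a trusted publisher, not to lower VBAWarnings back to 2 for everyone.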
08

User application hardening

Switch off the risky extras: block web ads and Java in browsers, remove Internet Explorer 11 and other software nobody uses, and stop users changing browser security settings. Start with: harden browsers and uninstall what is not needed.

This checklist is a plain-English starting point aligned to the ACSC Essential Eight, not a formal assessment or legal advice. The free Cyber Check shows where your domain stands today on the external-facing items.

When you want a hand

Know where you stand. Then close the gaps.

Run the free Cyber Check to see your external posture in a minute, or talk it through with us. We size the uplift to your business, and eligible businesses can part-fund a security check through the government cyber health-check rebate.