TL;DR

If you run a small or medium business in Australia, Essential Eight Maturity Level 1 is the most practical baseline for reducing common cyber risks without building an enterprise security program. The goal is not perfection; it is to make phishing, ransomware, malicious macros, unpatched software, and stolen passwords much harder to turn into a real business outage.

Why Essential Eight Level 1 matters for Australian SMBs

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) designed the Essential Eight to help organisations reduce the most common attack paths. For SMBs with one or two IT-capable staff, Maturity Level 1 is usually the right starting point because it focuses on consistent, repeatable basics rather than complex security engineering.

That matters because most real-world incidents still start with known weaknesses: unpatched systems, over-privileged accounts, weak authentication, and poor recovery readiness. Recent threat reporting continues to show attackers moving quickly on known vulnerabilities and using commodity malware, phishing, and infostealers to hit smaller organisations that assume they are too small to matter. In practice, Level 1 is about getting the fundamentals under control before chasing advanced tooling.

The 8-control checklist: what to do first

1. Application control

Stop unauthorised software from running.

  1. Make a list of approved business apps for Windows, macOS, browsers, PDF tools, remote support, and line-of-business software.
  2. Use built-in controls where possible: Microsoft Defender Application Control or AppLocker on supported Windows environments, and device management policies for Macs.
  3. Start small by blocking scripts and unknown executables in common user locations such as Downloads, Temp, and AppData.

Budget-friendly option: Microsoft 365 Business Premium (which includes Intune) covers a lot for small teams already in the Microsoft stack; Intune can push AppLocker or Defender Application Control policies to every enrolled device instead of configuring machines one by one.
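A way to "start small" on the allowlisting step above, as an added example that is not part of the original article: the script below writes an AppLocker policy in AuditOnly mode that allows executables and scripts only from Program Files and Windows (plus anything run by local Administrators), applies it locally, and then reports which files in user-writable folders would have been blocked. It assumes Windows 10 or 11 Pro/Enterprise (where the AppLocker cmdlets exist), an elevated PowerShell session, and that no domain or Intune AppLocker policy overrides local policy. The rule names, file path and folder list are placeholders.

```powershell
# Added example (not from the original article). Assumes Windows 10/11
# Pro/Enterprise with the AppLocker module and an elevated session.

function New-AuditAppLockerPolicyXml {
    # Same shape as AppLocker's built-in default rules. Once a rule collection
    # has any rule, everything it does not explicitly allow is denied, so user-
    # writable locations (Downloads, Temp, AppData) are blocked implicitly.
    # GUIDs are arbitrary; the SIDs are Everyone and BUILTIN\Administrators.
    $rules = @(
        @{ Name = 'Allow Program Files';  Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' },
        @{ Name = 'Allow Windows';        Sid = 'S-1-1-0';      Path = '%WINDIR%\*' },
        @{ Name = 'Allow Administrators'; Sid = 'S-1-5-32-544'; Path = '*' }
    )
    $collections = foreach ($type in 'Exe', 'Script') {
        $ruleXml = foreach ($r in $rules) {
            '    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' -f [guid]::NewGuid(), $r.Name, $r.Sid
            '      <Conditions><FilePathCondition Path="{0}" /></Conditions>' -f $r.Path
            '    </FilePathRule>'
        }
        "  <RuleCollection Type=`"$type`" EnforcementMode=`"AuditOnly`">"
        $ruleXml
        '  </RuleCollection>'
    }
    (@('<AppLockerPolicy Version="1">') + $collections + '</AppLockerPolicy>') -join "`n"
}

function Enable-AuditAppLockerPolicy {
    param([string]$XmlPath = "$env:ProgramData\applocker-audit.xml")   # placeholder path
    New-AuditAppLockerPolicyXml | Set-Content -Path $XmlPath -Encoding UTF8
    # Rules are only evaluated while the Application Identity service runs.
    # sc.exe is used because Set-Service cannot change this protected service.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $XmlPath    # replaces the local AppLocker policy
    $XmlPath
}

function Test-UserWritableLocations {
    param([string]$XmlPath)
    $folders = "$env:USERPROFILE\Downloads", $env:TEMP, $env:LOCALAPPDATA, $env:APPDATA
    $files = Get-ChildItem -Path $folders -Recurse -File -Include *.exe, *.ps1, *.bat, *.cmd, *.vbs, *.js -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName -Unique
    if (-not $files) { return }
    # One decision per file: Allowed, Denied or DeniedByDefault, plus the rule that
    # matched. In AuditOnly mode nothing is blocked; these are the events that will
    # appear in the Microsoft-Windows-AppLocker/EXE and DLL log once enforced.
    Test-AppLockerPolicy -XmlPolicy $XmlPath -Path $files -User Everyone
}

# Usage: review this list for a week or two, add allow rules for anything
# legitimate (ideally publisher rules for signed apps), then change
# EnforcementMode to "Enabled" in the XML and re-apply.
$xml = Enable-AuditAppLockerPolicy
Test-UserWritableLocations -XmlPath $xml |
    Where-Object PolicyDecision -ne 'Allowed' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Run it on one pilot machine first. Anything that shows as DeniedByDefault is software that does not live in Program Files or Windows; that is exactly the list of line-of-business tools, portable apps and updaters you need to either relocate, allow by publisher, or retire before turning enforcement on.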

2. Patch applications

Patch internet-facing and user-facing apps fast.

  1. Inventory your key applications: browsers, Microsoft 365 apps, Adobe Reader, Java, VPN clients, accounting software, remote access tools, and browser extensions.
  2. Turn on automatic updates wherever possible and assign one person to review failed updates weekly.
  3. Prioritise applications commonly abused in attacks, especially browsers and their extensions, Office, email clients, PDF readers, collaboration tools, and remote management software. The maturity model expects patches for this group to be applied within two weeks of release.

Budget-friendly option: Ninite Pro, Microsoft Intune, or vendor auto-update features. A simple spreadsheet is still better than no asset register.

3. Configure Microsoft Office macros

Reduce macro-based malware risk.

  1. Block macros from the internet across Word, Excel, and PowerPoint using Microsoft security baselines or Group Policy.
  2. Identify any legitimate macro users, then move them to approved signed macros only.
  3. Train staff that emailed spreadsheets asking them to “Enable Content” should be treated as suspicious by default.

Budget-friendly option: Group Policy for on-prem Windows or Intune configuration profiles for Microsoft 365 tenants.

4. User application hardening

Remove risky features users do not need.

  1. Disable Internet Explorer 11 and legacy plugins such as Flash, block Java and web advertisements from the internet, and remove browser features users do not need; harden Microsoft Office, web browsers, and PDF readers, and lock the settings so users cannot change them.
  2. Block browser downloads from untrusted sites and restrict unnecessary scripting where practical.
  3. Standardise on one browser and one PDF reader to make patching, policy, and support easier.

Budget-friendly option: Microsoft Edge with security baselines, Chrome Enterprise policies, and Defender SmartScreen.
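The macro and browser hardening steps in controls 3 and 4 come down to a handful of policy values. The script below, an added example that is not part of the original article, writes those values as registry policy on a standalone Windows PC and then audits them. It assumes Office 2016 or later / Microsoft 365 Apps (policy path version 16.0), Microsoft Edge, and an elevated session for the HKLM Edge keys. On domain-joined or Intune-managed machines set the same settings through Group Policy or a configuration profile and use only the audit function here, because managed policy overwrites local edits.

```powershell
# Added example (not from the original article). Assumes Office 16.0 policy
# paths (Office 2016+/Microsoft 365 Apps) and Microsoft Edge on Windows 10/11.

$OfficeApps = 'word', 'excel', 'powerpoint'

function Get-HardeningBaseline {
    # Office macro policy (per user, HKCU). Control 3 of the Essential Eight.
    $office = foreach ($app in $OfficeApps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security"
        # 1 = block macros in files carrying the Mark of the Web (downloaded or emailed)
        [pscustomobject]@{ Path = $sec; Name = 'blockcontentexecutionfrominternet'; Value = 1 }
        # 3 = disable all macros except digitally signed; use 4 (disable all, no
        # notification) for staff with no demonstrated macro requirement
        [pscustomobject]@{ Path = $sec; Name = 'vbawarnings'; Value = 3 }
    }
    $common = 'HKCU:\Software\Policies\Microsoft\Office\16.0\common\security'
    $edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $rest = @(
        # 2 = antivirus (AMSI) scanning of macro runtime behaviour for all documents
        [pscustomobject]@{ Path = $common; Name = 'macroruntimescanscope'; Value = 2 }
        # Edge hardening (machine wide, HKLM). Control 4 of the Essential Eight.
        [pscustomobject]@{ Path = $edge; Name = 'SmartScreenEnabled'; Value = 1 }
        [pscustomobject]@{ Path = $edge; Name = 'SmartScreenPuaEnabled'; Value = 1 }
        # Users cannot click through SmartScreen warnings for sites or downloads
        [pscustomobject]@{ Path = $edge; Name = 'PreventSmartScreenPromptOverride'; Value = 1 }
        [pscustomobject]@{ Path = $edge; Name = 'PreventSmartScreenPromptOverrideForFiles'; Value = 1 }
        # 1 = block downloads SmartScreen rates as dangerous
        [pscustomobject]@{ Path = $edge; Name = 'DownloadRestrictions'; Value = 1 }
        # 2 = block ads on sites with intrusive advertising
        [pscustomobject]@{ Path = $edge; Name = 'AdsSettingForIntrusiveAdsSites'; Value = 2 }
        # 0 = no Internet Explorer mode (IE11 must not render web content)
        [pscustomobject]@{ Path = $edge; Name = 'InternetExplorerIntegrationLevel'; Value = 0 }
    )
    @($office) + $rest
}

function Set-HardeningBaseline {
    foreach ($item in Get-HardeningBaseline) {
        if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value -PropertyType DWord -Force | Out-Null
    }
}

function Test-HardeningBaseline {
    # Returns one row per setting so a monthly check can be filed as evidence.
    foreach ($item in Get-HardeningBaseline) {
        $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
        [pscustomobject]@{
            Setting   = "$($item.Path)\$($item.Name)"
            Expected  = $item.Value
            Actual    = $shown
            Compliant = ($actual -eq $item.Value)
        }
    }
}

# Usage
Set-HardeningBaseline
Test-HardeningBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

For Chrome the equivalent keys live under HKLM:\SOFTWARE\Policies\Google\Chrome and several policy names (DownloadRestrictions, AdsSettingForIntrusiveAdsSites) are shared with Edge. Keep the audit output from each monthly run; an empty non-compliant list is the proof point the owner signs off.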

How to implement the harder controls without a dedicated security team

5. Restrict administrative privileges

Admin rights should be rare, named, and monitored.

  1. Remove local admin from day-to-day user accounts, including managers and IT generalists.
  2. Create separate admin accounts for administration tasks only, and use them only when needed.
  3. Review privileged accounts monthly and disable shared or stale admin credentials.

Budget-friendly option: Windows LAPS for local admin password management and Entra ID role separation for cloud admin tasks.
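An added example that is not part of the original article, to support steps 1 and 3 above: this script compares the local Administrators group on a Windows PC against an approved list, flags stale or never-used local admin accounts, and can remove anything not approved. It assumes Windows 10/11 with the Microsoft.PowerShell.LocalAccounts module and an elevated session; the approved names are placeholders and should be replaced with your own (domain groups appear as DOMAIN\Name, Entra-joined members as AzureAD\user@domain).

```powershell
# Added example (not from the original article). Assumes Windows 10/11 and
# an elevated session. Approved principals below are placeholders.

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, password rotated by Windows LAPS
    'CONTOSO\IT-Workstation-Admins'      # placeholder domain group used only for admin tasks
)

function Get-LocalAdminReport {
    param([int]$StaleDays = 90)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $enabled = 'n/a'; $lastLogon = 'n/a'; $stale = $false
        if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
            $u = Get-LocalUser -Name (($m.Name -split '\\')[-1])
            $enabled   = $u.Enabled
            $lastLogon = $u.LastLogon
            # An enabled local admin that has never logged on, or not within the
            # window, is usually a forgotten or shared account.
            $stale = $u.Enabled -and ($null -eq $u.LastLogon -or $u.LastLogon -lt $cutoff)
        }
        [pscustomobject]@{
            Member    = $m.Name
            Source    = $m.PrincipalSource        # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Type      = $m.ObjectClass            # User or Group
            Approved  = $ApprovedAdmins -contains $m.Name
            Enabled   = $enabled
            LastLogon = $lastLogon
            Stale     = $stale
        }
    }
}

function Remove-UnapprovedLocalAdmins {
    # Supports -WhatIf / -Confirm so the first run is a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($row in Get-LocalAdminReport | Where-Object { -not $_.Approved }) {
        if ($PSCmdlet.ShouldProcess($row.Member, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $row.Member
        }
    }
}

# Usage: report first, then dry-run the removal, then run it for real.
Get-LocalAdminReport | Format-Table -AutoSize
Remove-UnapprovedLocalAdmins -WhatIf
```

Removing a user from Administrators does not take effect until they sign out and back in, and removing the last interactive admin on a machine that is not domain or Entra joined will lock you out, so keep the approved list current before enabling removal.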

6. Patch operating systems

Operating system patching is still one of the highest-value controls.

  1. Enable automatic updates for Windows, macOS, iOS, Android, and network devices where vendor support still exists.
  2. Replace or isolate unsupported systems such as old Windows versions or legacy NAS devices.
  3. Set a simple rule that matches the maturity model: OS patches for internet-facing systems within two weeks of release (48 hours if an exploit is public), and for workstations and internal servers within one month, with pending patches reviewed weekly on a documented schedule.

Budget-friendly option: Windows Update for Business, Intune, Apple Business Manager, or native update services.
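The weekly review in step 3 needs a quick way to see a machine's patch state. The script below is an added example and not part of the original article: it uses the Windows Update Agent COM API to list pending updates, finds the last successful cumulative or security update, and flags operating systems that are out of support. It assumes Windows 10/11 (or Windows Server) with the Windows Update service available; the 30-day threshold is a placeholder matching the workstation timeframe. The search can take a minute on a slow connection.

```powershell
# Added example (not from the original article). Assumes a Windows machine
# with the Windows Update Agent available (works with WSUS/Intune managed PCs).

function Get-OsPatchStatus {
    param([int]$MaxDaysSincePatch = 30)   # placeholder: workstation timeframe at Level 1
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Applicable updates not yet installed. Type='Software' excludes drivers;
    # Defender definition updates are still included, which is fine for an SMB check.
    $pending = @($searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates |
        ForEach-Object { $_ })

    # Most recent successful OS patch from the local update history.
    # ResultCode 2 = Succeeded. The title filter skips definition updates.
    $lastOk = $null
    $count  = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        $lastOk = $searcher.QueryHistory(0, $count) |
            Where-Object { $_.ResultCode -eq 2 -and $_.Title -match 'Cumulative Update|Security Update' } |
            Sort-Object Date -Descending | Select-Object -First 1 -ExpandProperty Date
    }
    $days = if ($lastOk) { ((Get-Date) - $lastOk).Days } else { $null }

    # Out-of-support check. Windows 7/8.1 and Server 2008/2012 are long unsupported;
    # Windows 10 left support on 14 October 2025 unless enrolled in Extended Security Updates.
    $unsupported = ($os.Caption -match 'Windows (7|8|8\.1|Server 2008|Server 2012)') -or
                   ($os.Caption -match 'Windows 10' -and (Get-Date) -ge [datetime]'2025-10-14')

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        OS                  = "$($os.Caption) (build $($os.BuildNumber))"
        UnsupportedOS       = $unsupported
        LastSuccessfulPatch = $lastOk
        DaysSincePatch      = $days
        PendingCount        = $pending.Count
        PendingCritical     = @($pending | Where-Object { $_.MsrcSeverity -eq 'Critical' }).Count
        PendingTitles       = @($pending | ForEach-Object { $_.Title })
        NeedsAttention      = $unsupported -or $null -eq $days -or $days -gt $MaxDaysSincePatch -or $pending.Count -gt 0
    }
}

# Usage: run on each machine (or via your RMM) and keep the output as the weekly record.
Get-OsPatchStatus | Format-List
```

A NeedsAttention of True with UnsupportedOS True is the replace-or-isolate case from step 2; with a large DaysSincePatch it usually means automatic updates are paused, deferred, or blocked by a failed reboot, which is what the weekly reviewer should chase.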

7. Multi-factor authentication

MFA should protect the accounts that matter most first.

  1. Turn on MFA for email, Microsoft 365, Google Workspace, VPN, remote desktop gateways, password managers, and finance platforms.
  2. Prefer phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) where available, then authenticator apps with number matching; avoid SMS and voice calls, which are exposed to SIM swapping and real-time phishing.
  3. Apply conditional access for admin accounts first, then all staff, then contractors and suppliers with access.

Budget-friendly option: Microsoft Authenticator, Google Authenticator, or built-in MFA from Microsoft 365 Business Premium.
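The proof point "MFA enabled for all users" should come from the tenant, not from memory. The script below is an added example and not part of the original article: it pulls the Entra ID authentication-methods registration report through the Microsoft Graph PowerShell SDK and lists admins and users without MFA, plus anyone whose only second factor is SMS, voice or email. It assumes the Microsoft.Graph module is installed and that the signed-in account holds a reporting role (Global Reader or Reports Reader) and can consent to the read-only scopes shown; the method names treated as weak are the ones the report uses as of the SDK versions the author of this example has worked with and should be checked against your tenant's output.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK and a Microsoft 365 / Entra ID tenant.

function Get-MfaCoverageReport {
    # Read-only scopes; an admin must consent on first run.
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'User.Read.All' -NoWelcome

    # One record per user: whether MFA is registered and which methods.
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    # Methods that count as MFA but are phishable or SIM-swappable.
    # Assumed method names as they appear in the report's MethodsRegistered field.
    $weak = 'mobilePhone', 'alternateMobilePhone', 'officePhone', 'email'

    foreach ($d in $details) {
        $methods = @($d.MethodsRegistered)
        $strong  = @($methods | Where-Object { $_ -notin $weak })
        [pscustomobject]@{
            User            = $d.UserPrincipalName
            IsAdmin         = $d.IsAdmin
            MfaRegistered   = $d.IsMfaRegistered
            OnlyWeakMethods = [bool]($d.IsMfaRegistered -and $strong.Count -eq 0)
            Methods         = $methods -join ', '
        }
    }
}

function Get-MfaSummary {
    # The figures an owner can file monthly. Registration is not enforcement:
    # pair this with a Conditional Access policy requiring MFA for all users.
    $report = @(Get-MfaCoverageReport)
    [pscustomobject]@{
        Users            = $report.Count
        MfaRegistered    = @($report | Where-Object MfaRegistered).Count
        AdminsWithoutMfa = @($report | Where-Object { $_.IsAdmin -and -not $_.MfaRegistered }).User
        UsersWithoutMfa  = @($report | Where-Object { -not $_.MfaRegistered }).User
        SmsOrEmailOnly   = @($report | Where-Object OnlyWeakMethods).User
    }
}

# Usage
Get-MfaSummary | Format-List
```

Work the output in the order step 3 gives: AdminsWithoutMfa to zero first, then UsersWithoutMfa, then move the SmsOrEmailOnly group onto an authenticator app or a security key. Break-glass accounts excluded from MFA by design should be named in your checklist so they do not reappear as findings every month.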

8. Regular backups

Backups are your recovery control when prevention fails.

  1. Back up Microsoft 365 or Google Workspace data, file shares, finance systems, and critical workstation data.
  2. Follow the 3-2-1 principle: three copies of the data, on two different media or platforms, with one copy offsite; make that copy offline or immutable so ransomware that reaches the network cannot encrypt or delete it.
  3. Test restores quarterly, including one file restore and one full business-critical system restore.

Budget-friendly option: Veeam, MSP360, Synology Active Backup, or cloud backup services with immutable retention.

A simple 30-day rollout plan for SMB owners

Week 1: Turn on MFA, enable automatic patching, and identify unsupported systems.
Week 2: Remove unnecessary admin rights and block internet-origin macros.
Week 3: Harden browsers, Office, and PDF tools; start application allowlisting in high-risk locations.
Week 4: Verify backups with a restore test and document the eight controls in a one-page checklist owners can review monthly.

For most Australian SMBs, the biggest mistake is treating Essential Eight as a paperwork exercise. Level 1 works when each control has an owner, a review date, and a basic proof point such as “MFA enabled for all users” or “restore test completed this quarter”.

FAQ

Is Essential Eight Level 1 mandatory for Australian SMBs?

Not for every SMB, but it is a widely recognised baseline from the ACSC and often influences insurer, client, and supply-chain expectations. Even where it is not mandatory, it is a sensible minimum standard.

Do we need expensive security tools to reach Level 1?

No. Many SMBs can get most of the way there using Microsoft 365 Business Premium, native operating system controls, auto-update settings, and a reliable backup platform.

Which control should we implement first?

MFA is usually the fastest high-impact win, especially for email, remote access, and admin accounts. After that, patching and backup verification give strong risk reduction quickly.

Can a business without dedicated security staff realistically maintain Level 1?

Yes, if the scope is kept practical. One internal owner, one checklist, one monthly review, and a trusted external adviser for setup or quarterly validation is often enough for Level 1.

Conclusion

Essential Eight Maturity Level 1 is the right place for many Australian SMBs to start because it focuses on practical controls that reduce common attacks without requiring a large security team. If you assign owners, standardise tools, and verify patching, MFA, admin access, and backups every month, you will be in a much stronger position than most small businesses.

Visit consult.lil.business for a free cybersecurity assessment.

References

  1. Australian Cyber Security Centre: Essential Eight Explained
    https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-explained

  2. Australian Cyber Security Centre: Essential Eight Maturity Model
    https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model

  3. Australian Cyber Security Centre: Strategies to Mitigate Cyber Security Incidents
    https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents

  4. Australian Cyber Security Centre: Implementing Multi-factor Authentication
    https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/multi-factor-authentication

  5. NIST: Guide to Enterprise Patch Management Technologies
    https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
