TL;DR
The ACSC Essential Eight is Australia's baseline cybersecurity framework, and Maturity Level 1 is the entry point every SMB should target. This guide walks through all eight controls with a practical 3-step implementation path for each, using budget-friendly tools suitable for businesses with one or two IT-capable staff and no dedicated security hire. Start here, patch the obvious gaps, and build from there.
Why Essential Eight Matters for Your SMB
The Australian Cyber Security Centre (ACSC) developed the Essential Eight as a prioritised set of mitigation strategies. Maturity Level 1 is designed to stop commodity threats — the automated attacks, phishing campaigns, and opportunistic ransomware that hit businesses regardless of size. If your business has 5–200 staff, manages customer data, or relies on email and cloud apps to operate, Maturity Level 1 is your minimum viable security posture.
The eight controls fall into two categories: preventing malware from running, and limiting the damage when something slips through. Let's tackle them one by one.
Preventing Malware Execution (Controls 1–4)
1. Application Control
Stop unapproved programs from running. The ACSC's Maturity Level 1 requirement is that executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets cannot execute on workstations from within standard user profiles or from the temporary folders used by the operating system, web browsers and email clients. In practice: users can run what is installed under Program Files and Windows, and nothing in a location they can write to themselves (Downloads, Temp, AppData).
3-Step Path:
- Inventory what runs: Turn on AppLocker in Audit Only mode (or Windows Defender Application Control in audit mode) and let it log for a week before you block anything. Both ship with Windows at no extra cost, but check Microsoft's edition requirements before relying on AppLocker: it is documented for Enterprise and Education, while WDAC works on every Windows 10/11 edition.
- Create a baseline rule set: Start from the default rules (allow everything under %PROGRAMFILES% and %WINDIR%, allow Administrators everything). AppLocker is default-deny once a rule collection is enabled, so this already blocks %USERPROFILE%\Downloads, %TEMP% and %APPDATA%, the most common malware drop zones. Two caveats: the default Windows-folder rule also allows user-writable subfolders such as %WINDIR%\Temp and %WINDIR%\Tasks, which ML1 explicitly covers, so add exceptions for them; and per-user installs that live under %LOCALAPPDATA% (some chat, meeting and sync clients) will show up as exceptions you need to allowlist.
- Test with audit-only mode first: Run for one week in Audit Only, then review the AppLocker logs under Applications and Services Logs > Microsoft > Windows > AppLocker. Event ID 8003 (EXE and DLL) and 8006 (MSI and Script) mean "would have been blocked"; 8004 and 8007 are actual blocks once you enforce. Allowlist the legitimate apps that appear, preferring publisher rules over path rules, then switch to Enforce rules.
Budget-friendly tools: AppLocker (built into Windows; check edition support), WDAC (built into all Windows 10/11 editions), or ThreatLocker (paid, ~$15/endpoint/month if budget allows).
ACSC reference: Implementing Application Control
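The three steps above as one script, added here as a worked example rather than anything published by the ACSC or this site's own tooling. It writes an AppLocker policy in the native XML format (the default allow rules plus exceptions for user-writable folders under %WINDIR%), applies it locally in Audit Only mode, and a week later summarises what enforcement would have blocked and for whom. The policy file location and the list of writable Windows subfolders are assumptions; the subfolder list is a starting point, not an exhaustive one.

```powershell
# Added example, not ACSC or article code. Puts AppLocker into Audit Only mode with
# the default allow rules plus exceptions for user-writable folders under %WINDIR%,
# then summarises what would have been blocked. Run elevated on ONE test machine
# first; use Group Policy or Intune to roll the resulting XML out to the fleet.
#Requires -RunAsAdministrator

$PolicyPath = "$env:ProgramData\AppLocker-Audit.xml"    # assumed location

# Builds one FilePathRule element in AppLocker's XML schema (each rule needs its own GUID).
function New-PathRuleXml {
    param([string]$Name, [string]$Path, [string]$Sid = 'S-1-1-0', [string[]]$Exceptions = @())
    $ex = ''
    if ($Exceptions.Count -gt 0) {
        $ex = '<Exceptions>' + (($Exceptions | ForEach-Object { '<FilePathCondition Path="{0}" />' -f $_ }) -join '') + '</Exceptions>'
    }
    $tpl = '<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' +
           '<Conditions><FilePathCondition Path="{3}" /></Conditions>{4}</FilePathRule>'
    return $tpl -f [guid]::NewGuid(), $Name, $Sid, $Path, $ex
}

# Folders under %WINDIR% that standard users can write to. ML1 explicitly covers OS
# temp folders, so they must not inherit the blanket Windows-folder allow. Not exhaustive.
$WinDirExceptions = @('%WINDIR%\Temp\*', '%WINDIR%\Tasks\*', '%WINDIR%\Tracing\*')

$Rules = @(
    New-PathRuleXml -Name 'Program Files' -Path '%PROGRAMFILES%\*'
    New-PathRuleXml -Name 'Windows folder (minus writable subfolders)' -Path '%WINDIR%\*' -Exceptions $WinDirExceptions
    New-PathRuleXml -Name 'Administrators: everything' -Path '*' -Sid 'S-1-5-32-544'   # BUILTIN\Administrators
) -join ''

# One rule collection per file type, all in AuditOnly. Change to "Enabled" after review.
$Collections = foreach ($type in 'Exe', 'Msi', 'Script') {
    '<RuleCollection Type="{0}" EnforcementMode="AuditOnly">{1}</RuleCollection>' -f $type, $Rules
}
Set-Content -Path $PolicyPath -Encoding UTF8 -Value ('<AppLockerPolicy Version="1">{0}</AppLockerPolicy>' -f ($Collections -join ''))

# AppLocker only evaluates rules while the Application Identity service is running.
# Set-Service may be refused for this protected service on current builds, so set the
# start type in the registry (2 = Automatic) and start it.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc' -Name Start -Value 2
Start-Service -Name AppIDSvc

# Apply to the local machine's policy.
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# --- A week later: what would enforcement have blocked, for whom, signed by whom? ---
function Get-AppLockerAuditSummary {
    param([int]$Days = 7)
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    $events = foreach ($log in $logs) {
        # 8003 = EXE/DLL would have been blocked, 8006 = MSI/script would have been blocked
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8006; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue
    }
    $events | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ File = $d.FilePath; User = $d.TargetUser; Publisher = $d.Fqbn }
    } | Group-Object File | Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'File';      e = { $_.Name } },
                      @{ n = 'Users';     e = { ($_.Group.User | Sort-Object -Unique) -join ',' } },
                      @{ n = 'Publisher'; e = { $_.Group[0].Publisher } }   # "-" means unsigned
}

Get-AppLockerAuditSummary | Format-Table -AutoSize
```

Anything in the summary with a real publisher is a candidate for a publisher rule; anything unsigned under a user profile deserves a question before it gets an allow rule. Leave the DLL collection unconfigured until the EXE rules are stable; enabling it on a fleet without testing is the classic way to break everything at once.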
2. Configure Microsoft Office Macros
Macros remain one of the most common payloads in phishing attachments. At ML1 the ACSC requirements are: macros disabled for users with no demonstrated business need; macros in files that originated from the internet blocked; macro antivirus scanning enabled; and macro security settings that users cannot change. Restricting macros to those digitally signed by a trusted publisher is an ML2 requirement, but it is a sensible target for the few users who genuinely need macros.
3-Step Path:
- Block internet-sourced macros via GPO or Intune: Enable "Block macros from running in Office files from the Internet" for each Office application; it is a single setting per app in the Office Administrative Templates. Office has blocked Mark-of-the-Web macros by default since 2022, but the policy makes it mandatory and removes the user's in-app route around it. [1]
- Take the choice away from users: Set "VBA Macro Notification Settings" to "Disable all without notification" for everyone who does not need macros, and enable "Macro Runtime Scan Scope" for all documents so AMSI scans macro code at run time. Because these arrive as policy, Office greys them out in the Trust Center, which is exactly what ML1 means by "settings cannot be changed by users".
- Identify any legitimate macro needs: Survey your finance and operations teams. Where a macro is essential, give those users the notification-based setting (or signed-only) and put the files in a Trusted Location on a network share that only IT can write to, so an attacker cannot drop a macro-enabled file where it is trusted by default. Network shares also need the "Allow Trusted Locations on the network" policy.
Budget-friendly tools: Group Policy (Windows Server, or use Local Group Policy Editor on individual machines), Microsoft 365 Business Premium Intune policies ($30.80/user/month — also covers email security, device management, and MFA enforcement).
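The settings from the three steps, written directly to the Office policy registry keys that the Group Policy and Intune templates would set. This is an added example, not code from the ACSC or this site; it assumes Microsoft 365 Apps or Office 2016 and later (registry version 16.0) and covers the current user only, which is enough to confirm behaviour on a test machine before you push the same values fleet-wide with GPO or Intune.

```powershell
# Added example, not ACSC or article code. Writes the ML1 macro settings into the
# per-user Office *policy* hive. Office honours policy values and greys them out in
# the Trust Center, so the user cannot change them. Assumes Office 16.0 (M365 Apps,
# Office 2016 and later). For the fleet, push the same values via GPO or Intune.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint', 'Access'      # VBA hosts that open files from the internet

function Set-PolicyDword {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Set-OfficeMacroPolicy {
    param(
        # $true only for users with a demonstrated business need: macros still start
        # disabled, but the user can enable them per file. $false = silent block.
        [bool]$AllowWithNotification = $false
    )
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
    # "VBA Macro Notification Settings": 4 = disable all without notification,
    # 2 = disable with notification, 3 = disable all except digitally signed, 1 = enable all.
    $vbaWarnings = if ($AllowWithNotification) { 2 } else { 4 }
    foreach ($app in $Apps) {
        $sec = "$base\$app\Security"
        Set-PolicyDword -Key $sec -Name 'vbawarnings' -Value $vbaWarnings
        # "Block macros from running in Office files from the Internet" (Mark of the Web)
        Set-PolicyDword -Key $sec -Name 'blockcontentexecutionfrominternet' -Value 1
    }
    # "Macro Runtime Scan Scope": 2 = AMSI scanning of macros in all documents
    Set-PolicyDword -Key "$base\Common\Security" -Name 'macroruntimescanscope' -Value 2
}

# Read back what is actually in place, per app, with an ML1 pass/fail.
function Get-OfficeMacroPolicy {
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
    $scan = (Get-ItemProperty -Path "$base\Common\Security" -ErrorAction SilentlyContinue).macroruntimescanscope
    foreach ($app in $Apps) {
        $p = Get-ItemProperty -Path "$base\$app\Security" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App           = $app
            VbaWarnings   = $p.vbawarnings
            BlockInternet = $p.blockcontentexecutionfrominternet
            AmsiScan      = $scan
            # Not "enable all" (1) and not unset, internet macros blocked, scanning on.
            Ml1Compliant  = ($p.vbawarnings -in 2, 3, 4) -and ($p.blockcontentexecutionfrominternet -eq 1) -and ($scan -eq 2)
        }
    }
}

Set-OfficeMacroPolicy                    # default: silent block for a user without a business need
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

A user with local admin rights can still edit their own policy keys by hand, which is one more reason the day-to-day account must not be an admin (control 4); Group Policy or Intune also reapplies the values on its refresh cycle, so a manual change does not survive long.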
3. User Application Hardening
Lock down the apps attackers love to exploit: web browsers, Office and PDF readers. At ML1 the ACSC requirements are browser-focused: browsers do not process Java or web advertisements from the internet, Internet Explorer 11 is disabled or removed, and browser security settings cannot be changed by users. Flash dropped out of the requirement once it reached end-of-life, but remove it if you ever find it.
3-Step Path:
- Remove Java from the browser path: Browser Java (applets and the NPAPI plugin) is dead and current Chrome and Edge cannot run it. What remains is to uninstall the Java Runtime on machines where no line-of-business application needs it, and to keep Flash off entirely.
- Lock browser settings with policy and get rid of IE11: Deploy Edge or Chrome settings (SmartScreen or Safe Browsing on, no overriding of certificate errors, and so on) through policy so they show as managed and users cannot change them. Disable the IE11 optional feature on Windows 10 (Windows 11 has no IE11) and set Edge's IE-mode integration to none. Click-to-play was the answer when browsers still had plugins; there is nothing left to click-to-play.
- Install an ad blocker: Force-install uBlock Origin through browser policy across your fleet so users cannot remove it; malvertising is a common route to drive-by downloads and fake-installer scams. Check that the extension is still available on your browser's extension platform: Chrome's Manifest V3 transition has removed the original uBlock Origin, with uBlock Origin Lite as the MV3 replacement.
Budget-friendly tools: Group Policy ADMX templates for Chrome/Edge (free), uBlock Origin (free), Microsoft Edge security baseline (free, part of the Microsoft Security Compliance Toolkit).
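The Edge side of the three steps on a single machine, as an added example (not code from the ACSC, Microsoft or this site). Values written under HKLM:\SOFTWARE\Policies\Microsoft\Edge are treated by Edge as mandatory machine policy, which is what makes them unchangeable by users; the same policy names work for Chrome under HKLM:\SOFTWARE\Policies\Google\Chrome with the Chrome Web Store update URL. The extension ID below is assumed to be uBlock Origin's Edge Add-ons ID: verify it against the store listing before you deploy, because force-installing the wrong ID installs the wrong extension on every machine.

```powershell
# Added example, not ACSC or article code. Applies the ML1 browser hardening points
# to Microsoft Edge via machine-level policy (HKLM), which Edge enforces and marks as
# managed so users cannot change it. Run elevated.
#Requires -RunAsAdministrator

$EdgePolicy    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$AdBlockerId   = 'odfafepnkmbhccpbejgmiehpchacaeak'   # assumed: uBlock Origin on Edge Add-ons; VERIFY
$EdgeUpdateUrl = 'https://edge.microsoft.com/extensionwebstorebase/v1/crx'

function Set-EdgePolicy {
    param([string]$Name, $Value, [string]$Type = 'DWord', [string]$SubKey = '')
    $key = if ($SubKey) { "$EdgePolicy\$SubKey" } else { $EdgePolicy }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-BrowserHardening {
    # 1. Web ads from the internet: force-install the ad blocker so users cannot remove it.
    #    ExtensionInstallForcelist is a list key whose values are numbered from 1.
    Set-EdgePolicy -SubKey 'ExtensionInstallForcelist' -Name '1' -Value "$AdBlockerId;$EdgeUpdateUrl" -Type 'String'
    # 2. Security settings users cannot change: any policy-set value is read-only in edge://settings.
    Set-EdgePolicy -Name 'SmartScreenEnabled' -Value 1
    Set-EdgePolicy -Name 'SmartScreenPuaEnabled' -Value 1
    Set-EdgePolicy -Name 'PreventSmartScreenPromptOverride' -Value 1
    Set-EdgePolicy -Name 'PreventSmartScreenPromptOverrideForFiles' -Value 1
    Set-EdgePolicy -Name 'SSLErrorOverrideAllowed' -Value 0          # no clicking through certificate errors
    Set-EdgePolicy -Name 'DeveloperToolsAvailability' -Value 2       # 2 = disallowed
    # 3. Internet Explorer 11: no IE-mode fallback in Edge, and remove the Windows 10 feature.
    Set-EdgePolicy -Name 'InternetExplorerIntegrationLevel' -Value 0  # 0 = none
    $ie = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction SilentlyContinue
    if ($ie -and $ie.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $ie.FeatureName -NoRestart | Out-Null
    }
}

# Java: modern browsers have no plugin interface, so there is nothing to configure in
# Edge itself. This lists installed runtimes so you can remove any that no business
# application needs.
function Get-InstalledJava {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|OpenJDK|JRE|JDK' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

# Read the policy back so the check is independent of whether Set-BrowserHardening ran cleanly.
function Test-BrowserHardening {
    $p     = Get-ItemProperty -Path $EdgePolicy -ErrorAction SilentlyContinue
    $force = Get-ItemProperty -Path "$EdgePolicy\ExtensionInstallForcelist" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AdBlockerForced   = [bool]($force.PSObject.Properties.Value -match "^$AdBlockerId;")
        SmartScreenLocked = ($p.SmartScreenEnabled -eq 1) -and ($p.PreventSmartScreenPromptOverride -eq 1)
        SslOverrideBlocked = $p.SSLErrorOverrideAllowed -eq 0
        IEModeDisabled    = $p.InternetExplorerIntegrationLevel -eq 0
        JavaInstalled     = @(Get-InstalledJava).Count -gt 0
    }
}

Set-BrowserHardening
Test-BrowserHardening
Get-InstalledJava | Format-Table -AutoSize
```

After a restart of Edge, edge://policy shows each value with its source and edge://extensions shows the ad blocker as installed by your organisation. If an extension ID is wrong the force-list entry simply fails silently, so the Test-BrowserHardening read-back tells you the policy is set, not that the extension is running; confirm the latter on the machine.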
4. Restrict Administrative Privileges
Every user running as admin is a breach waiting to happen: a phished standard user loses their own files, a phished admin loses the company. At ML1 the ACSC requires that requests for privileged access are validated when first made, that privileged accounts cannot access the internet, email or web services, that privileged users do their admin work in a separate privileged account and environment, and that unprivileged accounts cannot log on to privileged environments.
3-Step Path:
- Audit current admin accounts: Run net localgroup administrators (or Get-LocalGroupMember Administrators in PowerShell) on each machine and identify everyone who runs as local admin day-to-day. On a domain, review Domain Admins as well; an over-populated Domain Admins group is the more dangerous problem.
- Create dedicated admin accounts: Each IT-capable staff member gets a standard user account for daily work (email, browsing, documents) and a separate _admin account used only for system changes, with no mailbox and no web access. Strip admin rights from all other users.
- Implement LAPS: Windows LAPS is built into current Windows 10/11 and Windows Server and uses on-premises Active Directory or Microsoft Entra ID as the password store. It gives the built-in Administrator account a unique, automatically rotated password on every machine, so one cracked or reused local password no longer opens the whole fleet.
Budget-friendly tools: Windows LAPS (built into Windows; needs Active Directory or Microsoft Entra ID as the store), Active Directory (Windows Server), Microsoft 365 Business Premium (Intune to manage the LAPS policy), or free alternatives like JumpCloud (free tier up to 10 users).
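The audit step turned into something you can run monthly rather than once: an added example (not ACSC or article code) that collects the local Administrators group from each workstation over PowerShell Remoting, flags members that are not on an explicit allow-list, and reports whether the built-in Administrator account is enabled and how old its password is, which is a cheap check that LAPS rotation is actually working. Hostnames, the domain name and the allow-list entries are placeholders; the script assumes domain-joined machines with WinRM enabled.

```powershell
# Added example, not ACSC or article code. Fleet audit of local Administrators groups
# plus the built-in Administrator's state. Assumes WinRM is enabled on the targets and
# you run it from a privileged (_admin) account. Names below are placeholders.

$Computers = 'WS-001', 'WS-002', 'WS-003'
# Who is allowed to be a local admin. Domain Admins and the RID-500 local account are
# expected; add your dedicated _admin accounts, never day-to-day user accounts.
$AllowedAdmins = @('CORP\Domain Admins', 'CORP\alice_admin', 'CORP\bob_admin')

# Runs on each machine: group membership plus the built-in admin's state.
$Collector = {
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } }
    # The built-in Administrator always has RID 500, whatever it has been renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        Members        = $members
        BuiltinName    = $builtin.Name
        BuiltinEnabled = $builtin.Enabled
        BuiltinPwdAge  = if ($builtin.PasswordLastSet) { (New-TimeSpan -Start $builtin.PasswordLastSet).Days } else { $null }
    }
}

function Get-LocalAdminReport {
    param([string[]]$ComputerName, [string[]]$Allowed)
    $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $Collector -ErrorAction SilentlyContinue
    foreach ($r in $results) {
        # Anything that is neither the RID-500 account nor on the allow-list is a finding.
        $unexpected = $r.Members | Where-Object {
            ($_.SID -notlike 'S-1-5-21-*-500') -and ($Allowed -notcontains $_.Name)
        }
        [pscustomobject]@{
            Computer          = $r.PSComputerName
            AdminCount        = @($r.Members).Count
            Unexpected        = (@($unexpected).Name -join ', ')
            BuiltinName       = $r.BuiltinName
            BuiltinEnabled    = $r.BuiltinEnabled
            BuiltinPwdAgeDays = $r.BuiltinPwdAge     # well above your LAPS rotation period = rotation is not working
        }
    }
    # Machines that did not answer are findings too: you cannot vouch for what you cannot see.
    $reached = @($results.PSComputerName | Sort-Object -Unique)
    foreach ($c in ($ComputerName | Where-Object { $reached -notcontains $_ })) {
        [pscustomobject]@{ Computer = $c; AdminCount = $null; Unexpected = 'UNREACHABLE'; BuiltinName = $null; BuiltinEnabled = $null; BuiltinPwdAgeDays = $null }
    }
}

Get-LocalAdminReport -ComputerName $Computers -Allowed $AllowedAdmins |
    Sort-Object { $_.Unexpected -ne '' } -Descending | Format-Table -AutoSize
```

Anything in the Unexpected column is either a user who should lose admin rights today or an entry that belongs on the allow-list with a written reason. Keep the reports: a dated series of empty Unexpected columns is the evidence an assessor or insurer will ask for.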
Limiting the Impact (Controls 5–8)
5. Patch Applications
Exploiting an unpatched application is one of the most common ways in. The CISA Known Exploited Vulnerabilities (KEV) catalogue regularly lists actively exploited bugs in widely deployed business software (recent entries include Oracle EBS, Microsoft SMB clients and CMS platforms), often rated critical. [2][4] At ML1 the ACSC timeframes are: vulnerabilities in internet-facing services patched within 48 hours of release when the vendor rates them critical or a working exploit exists, otherwise within two weeks; office productivity suites, web browsers and their extensions, email clients, PDF software and security products within two weeks; everything else within one month. ML1 also expects a vulnerability scanner run regularly to find what you missed, and applications the vendor no longer supports removed.
3-Step Path:
- Enable automatic updates everywhere: Browsers, PDF readers, Office, Zoom. Every app that offers auto-update gets it turned on.
- Inventory your third-party apps: Use a free tool like Action1 (free for up to 200 endpoints) or PDQ Deploy to see what's installed across your fleet.
- Set a monthly patch cadence: Microsoft's Patch Tuesday is the second Tuesday of each month, so schedule the routine cycle for the Wednesday or Thursday after it, leaving a day for early reports of broken updates. The routine cycle is not the whole story: internet-facing services get the 48-hour window for critical or exploited bugs, browsers, Office, email clients, PDF readers and security products two weeks, and other applications one month, so watch vendor advisories and the CISA KEV catalogue between cycles.
Budget-friendly tools: Action1 (free up to 200 endpoints), PDQ Deploy (free tier), Chocolatey (free), Microsoft Intune (included in Business Premium).
6. Patch Operating Systems
Same urgency, same timeframes: 48 hours for critical or exploited vulnerabilities in internet-facing servers and network devices (two weeks otherwise), and one month for workstations, internal servers and internal network devices. ML1 also expects a vulnerability scanner run regularly and unsupported operating systems replaced. Working exploits for OS bugs often appear within days of a patch as attackers diff the fix, and if a CVE is in the CISA KEV catalogue, exploitation has already been confirmed in the wild. [2]
3-Step Path:
- Configure Windows Update for automatic installation: Set active hours for reboot windows that won't disrupt work.
- Cover mobile and network devices: Your phones, routers, and switches need updates too. Enable automatic updates on all iOS and Android devices. Set a monthly calendar reminder to check router firmware on vendor sites.
- Verify patching, don't assume: Spot-check 2–3 machines after each patch cycle. Run winver (or check Settings > About) and compare the build and revision number with the cumulative update you expected; also check that no reboot is still pending, because an update that is "installed" but waiting on a restart protects nobody. Patches that failed silently are common.
Budget-friendly tools: Windows Update for Business (Intune-configured, part of Business Premium), WSUS (free with Windows Server).
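The "verify, don't assume" step for both controls 5 and 6 in one script, added here as an example (not code from the ACSC or this site). For each machine it reports the OS build and cumulative-update revision, when Windows Update last installed something successfully, whether a reboot is still pending, and how many third-party applications winget can see an update for. It assumes WinRM for remote machines and the App Installer (winget) on each endpoint; hostnames and the 35-day threshold are placeholders. Run it with no -ComputerName to check the machine you are sitting at.

```powershell
# Added example, not ACSC or article code. Patch-state spot check for OS and third-party
# apps. Assumes WinRM for remote targets and winget on the endpoint. Note that winget is
# a per-user alias and may not resolve in a remote session; run locally in that case.

$Collector = {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Last successful install from Windows Update history (COM API, no extra module).
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    $last = $null
    if ($count -gt 0) {
        $last = $searcher.QueryHistory(0, $count) |
            Where-Object { $_.ResultCode -eq 2 -and $_.Operation -eq 1 } |   # 2 = succeeded, 1 = installation
            Sort-Object Date -Descending | Select-Object -First 1
    }

    # An update waiting on a reboot is not protecting anyone yet.
    $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                     (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

    # Third-party apps with an update available: winget rows end with their source name.
    $wingetLines = @()
    try { $wingetLines = @(winget upgrade --accept-source-agreements 2>$null) } catch { }
    $appsBehind = @($wingetLines | Where-Object { $_ -match '\s(winget|msstore)\s*$' }).Count

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Build         = "$($cv.CurrentBuild).$($cv.UBR)"     # e.g. 22631.4317: compare with the KB's listed build
        LastBoot      = $os.LastBootUpTime
        LastUpdate    = $last.Date
        LastUpdateKB  = $last.Title
        RebootPending = $rebootPending
        AppsBehind    = $appsBehind
    }
}

function Get-PatchStatus {
    param([string[]]$ComputerName, [int]$MaxUpdateAgeDays = 35)   # 35 = one Patch Tuesday cycle plus slack
    $rows = if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $Collector } else { & $Collector }
    foreach ($r in $rows) {
        $age = if ($r.LastUpdate) { (New-TimeSpan -Start $r.LastUpdate).Days } else { $null }
        $attention = $r.RebootPending -or ($null -eq $age) -or ($age -gt $MaxUpdateAgeDays) -or ($r.AppsBehind -gt 0)
        $r | Add-Member -NotePropertyName UpdateAgeDays -NotePropertyValue $age -PassThru |
             Add-Member -NotePropertyName Attention -NotePropertyValue $attention -PassThru
    }
}

Get-PatchStatus -ComputerName 'WS-001', 'WS-002' |
    Select-Object Computer, Build, LastUpdateKB, UpdateAgeDays, RebootPending, AppsBehind, Attention |
    Format-Table -AutoSize
```

The Build column is the number to compare with the "OS Build" that Microsoft lists against each cumulative update; a machine that shows last month's revision with RebootPending true is the "failed silently" case the step warns about. AppsBehind counts what winget knows about, so apps installed outside winget still need the inventory tool from step 2.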
7. Multi-Factor Authentication (MFA)
MFA is the single highest-impact control you can implement: Microsoft's own research found it blocks well over 99% of automated account-compromise attempts. At ML1 the ACSC requires MFA for users of your organisation's internet-facing services that handle sensitive data, for users of third-party online services that hold your sensitive data, and for customers of your online services where it is available; the factors must include something the user has, either with something they know or unlocked by something they know or are.
3-Step Path:
- Start with email and identity: Enforce MFA on Microsoft 365, Google Workspace, and any identity provider. These are the keys to your kingdom.
- Extend to critical SaaS apps: Accounting software (Xero, MYOB), CRM, payroll, banking portals. Every app holding sensitive data gets MFA.
- Use phishing-resistant methods where you can: only FIDO2 security keys (YubiKey, ~$75 each, worth it for admin accounts) and passkeys resist adversary-in-the-middle phishing kits, which proxy the real login page and relay the one-time code. Number matching in Microsoft Authenticator defeats MFA-fatigue push spam but not a proxied phishing site, so treat it as the floor, not the target. Avoid SMS-based MFA where alternatives exist: SIM swapping defeats it.
Budget-friendly tools: Microsoft Authenticator (free), Google Authenticator (free), YubiKey 5 Series (~$75 per key for critical admin accounts).
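Steps 1 and 3 for a Microsoft 365 tenant, as an added example using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph); this is not code from the ACSC, Microsoft or this site. It first lists users who have not registered any MFA method, then creates a Conditional Access policy requiring MFA for all users on all cloud apps in report-only mode, so you can see in the sign-in logs who would have been challenged before you enforce it. Conditional Access needs Microsoft Entra ID P1 (included in Microsoft 365 Business Premium); tenants without it should enable Security Defaults instead. The break-glass account name is a placeholder: always exclude at least one emergency-access account, stored offline, so a broken policy cannot lock every admin out.

```powershell
# Added example, not ACSC or article code. Requires the Microsoft.Graph module and a
# Global Administrator (or Conditional Access Administrator + reports reader) signing in.

$Scopes = 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All',
          'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'User.Read.All'
Connect-MgGraph -Scopes $Scopes

# 1. Who still has no MFA method registered? These are the first people to enrol,
#    and IsAdmin = True rows are the ones to do today.
function Get-MfaRegistrationGaps {
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { -not $_.IsMfaRegistered } |
        Select-Object UserPrincipalName, IsAdmin, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
        Sort-Object IsAdmin -Descending
}

# 2. "Require MFA for all users on all cloud apps", report-only, break-glass excluded.
function New-MfaReportOnlyPolicy {
    param([string]$BreakGlassUpn)   # placeholder account, e.g. breakglass@yourtenant.onmicrosoft.com
    $breakGlass = Get-MgUser -Filter "userPrincipalName eq '$BreakGlassUpn'" -ErrorAction Stop
    if (-not $breakGlass) { throw "Break-glass account $BreakGlassUpn not found; refusing to create the policy without an exclusion." }
    $policy = @{
        displayName   = 'CA001 - Require MFA for all users (report-only)'
        # Change to 'enabled' only after reviewing report-only results in the sign-in logs.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

Get-MfaRegistrationGaps | Format-Table -AutoSize
New-MfaReportOnlyPolicy -BreakGlassUpn 'breakglass@contoso.example' | Select-Object DisplayName, State, Id
```

Leave the policy in report-only mode for a week, then check the sign-in logs for entries marked "Report-only: Failure" before switching to enabled. The same policy with the grant control set to an authentication strength of "Phishing-resistant MFA" and scoped to your admin accounts is the step-3 version.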
8. Regular Backups
The last line of defence. If ransomware encrypts everything, backups are how you recover without paying. At ML1 the ACSC requires backups of data, applications and settings taken and retained according to your business continuity needs, restores tested as part of disaster-recovery exercises, and unprivileged users unable to access other users' backups or to modify or delete any backup. An offline or immutable copy, one that stolen admin credentials cannot touch, is not strictly an ML1 item, but ransomware crews delete reachable backups before they encrypt, so it is the difference between recovering and paying.
3-Step Path:
- Follow the 3-2-1 rule: Three copies of data, two different media types, one copy off-site (or offline).
- Use a cloud backup service: Backblaze Business Backup (~$10/computer/month, unlimited data), Veeam Community Edition (free up to 10 workloads) to a NAS or external drive, or Microsoft 365 Backup for cloud data.
- Test restoration monthly: Do not stop at one random file. Each month, restore a sample of files from a real backup job to a scratch location using the backup tool itself (not a file copy) and compare them with the originals; at least quarterly, restore a whole system or VM and confirm it boots and the application works. Time it, document it and keep the record: that is the evidence of a tested restore, and the time tells you your real recovery window. A backup you haven't tested is not a backup, it's a wish.
Budget-friendly tools: Veeam Community Edition (free), Backblaze (~$10/endpoint/month), Synology NAS with Hyper Backup, or Windows Server Backup (built-in).
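Backup products differ, but the comparison half of the monthly test can be made mechanical regardless of product. The added example below (not code from the ACSC, any backup vendor or this site) records a SHA-256 manifest of a protected folder when the backup runs, and after a test restore compares the restored copy against that manifest, so you catch missing or silently corrupted files rather than trusting "the job said success". Paths are placeholders; the restore itself must still be done by your backup tool into the scratch location the verifier reads.

```powershell
# Added example, not ACSC or article code. Hash manifest at backup time, verification
# after a test restore. Run New-BackupManifest just before the backup job (a scheduled
# task works) and Test-RestoredBackup after restoring to a scratch folder.

function New-BackupManifest {
    param([string]$Path, [string]$ManifestFile)
    $rootFull = (Resolve-Path -LiteralPath $Path).Path
    $rows = Get-ChildItem -LiteralPath $rootFull -File -Recurse -Force | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length).TrimStart('\')
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    $rows | Export-Csv -LiteralPath $ManifestFile -NoTypeInformation
    return @($rows).Count
}

function Test-RestoredBackup {
    param(
        [string]$ManifestFile,
        [string]$RestoredRoot,     # where the backup tool's test restore landed
        [int]$SampleSize = 0       # 0 = verify everything; otherwise a random sample
    )
    $manifest = Import-Csv -LiteralPath $ManifestFile
    $sample = if ($SampleSize -gt 0 -and $SampleSize -lt $manifest.Count) { $manifest | Get-Random -Count $SampleSize } else { $manifest }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $failures = foreach ($entry in $sample) {
        $restored = Join-Path $RestoredRoot $entry.RelativePath
        if (-not (Test-Path -LiteralPath $restored)) {
            [pscustomobject]@{ File = $entry.RelativePath; Problem = 'missing' }
        } elseif ((Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash -ne $entry.Sha256) {
            [pscustomobject]@{ File = $entry.RelativePath; Problem = 'hash mismatch' }   # truncated or corrupted
        }
    }
    $sw.Stop()
    [pscustomobject]@{
        Checked  = @($sample).Count
        Failed   = @($failures).Count
        Minutes  = [math]::Round($sw.Elapsed.TotalMinutes, 1)   # goes in the DR record with the restore time
        Passed   = @($failures).Count -eq 0
        Failures = @($failures)
    }
}

# At backup time:
New-BackupManifest -Path 'D:\Shares\Finance' -ManifestFile 'D:\BackupManifests\finance-manifest.csv'
# After the monthly test restore to a scratch location (sample of 50 files):
$result = Test-RestoredBackup -ManifestFile 'D:\BackupManifests\finance-manifest.csv' -RestoredRoot 'E:\RestoreTest\Finance' -SampleSize 50
$result | Select-Object Checked, Failed, Minutes, Passed
$result.Failures | Format-Table -AutoSize
```

Keep the manifest somewhere the backup job itself does not protect (it is small; a copy alongside your DR documentation is fine), otherwise a ransomware event that destroys the backups destroys the evidence of what they should have contained.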
FAQ
Q: How long does it take to reach Maturity Level 1? A: For a small business with 20–50 staff and one IT-capable person, expect 3–6 months working part-time. Start with MFA (week 1), then patching (weeks 2–4), then the remaining controls over the following months. You don't need everything on day one — just steady progress.
Q: Do I need to hire a cybersecurity specialist? A: Not for ML1. The ACSC designed it to be achievable with existing IT staff or an MSP. If you have nobody technical on staff, engage a managed IT provider familiar with the Essential Eight. Expect to pay $150–$300 per user per month for a fully managed service.
Q: Is the Essential Eight mandatory for Australian businesses? A: It is mandatory for federal government agencies and non-corporate Commonwealth entities. For private businesses, it is strongly recommended but not legally required. However, your cyber insurance provider will almost certainly ask about Essential Eight controls at renewal — and may deny coverage if you're not working toward them.
Q: What comes after Maturity Level 1? A: Maturity Level 2 targets adversaries with more capability than commodity crews and tightens each of the same eight controls rather than adding new ones: for example, centralised logging of allowed and blocked executions and of macro events, macros limited to Trusted Locations or those signed by a trusted publisher, Office and PDF readers blocked from spawning child processes, and MFA for privileged users of systems. ML3 is pitched at adaptive adversaries who tailor their tradecraft to the target. Most SMBs should aim for ML1 as their baseline and selectively adopt ML2 requirements where practical.
Conclusion
Maturity Level 1 is not about perfection — it's about making your business a harder target than the next one. Commodity attackers look for easy wins: unpatched systems, admin-rights-everywhere setups, and organisations without MFA. Implementing these eight controls puts you ahead of most Australian SMBs.
Start today. Pick one control — MFA is the highest-impact starting point — and implement it this week. Document what you've done. Move to the next. The Essential Eight is a journey, and Maturity Level 1 is the first step.
Need help getting started? Visit consult.lil.business for a free cybersecurity assessment. We'll map your current posture against the Essential Eight and give you a prioritised remediation plan — no obligation, no jargon.
References
[1] ACSC Essential Eight Maturity Model — Official maturity model documentation from the Australian Cyber Security Centre.
[2] CISA Known Exploited Vulnerabilities Catalog — Live catalogue of vulnerabilities with confirmed in-the-wild exploitation, updated as new exploitation is confirmed. Essential for prioritising patches.
[3] ACSC Strategies to Mitigate Cyber Security Incidents — The full mitigation strategies documentation, including detailed implementation guidance for each Essential Eight control.
[4] CISA KEV 2025 Update: Five Exploited CVEs Demand Immediate Patching — Analysis of actively exploited vulnerabilities added to the KEV catalogue in late 2025, with real-world exploitation confirmed.