The ACSC Essential Eight Explained for Small Business
The ACSC Essential Eight is Australia's baseline cyber security framework. Here's what it means in plain English for small business owners.
If you've spent any time reading about cyber security for Australian businesses, you've probably come across the term "Essential Eight." It sounds technical — maybe even a little intimidating. But the ACSC's Essential Eight is one of the most practical and useful cyber security frameworks available, and it's been specifically designed to help organisations of all sizes improve their defences without needing a dedicated IT security team. Here's what it actually means for your small business, in plain English.
What Is the Essential Eight?
The Essential Eight is a set of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC) — the part of the Australian Signals Directorate (ASD) responsible for helping Australian organisations stay secure online. The ACSC developed the Essential Eight by analysing real cyber incidents and identifying the controls that, if implemented, would have prevented or significantly limited the damage in the vast majority of cases.
In other words, it's not theoretical — it's based on what actually works against the attacks that are actually happening to Australian businesses right now.
The eight strategies are grouped into three objectives: preventing malware delivery and execution, limiting the extent of cyber incidents, and recovering data and systems after an incident.
The Eight Strategies, Explained Simply
1. Application Control
What it means: Only allow approved, known-good programs to run on your computers. Everything else is blocked by default.
Why it matters: Many attacks work by tricking users into running malicious software. Application control stops unknown programs from executing, even if a user accidentally clicks on something dangerous.
For small business: Full application control (Windows has built-in tools for it, such as AppLocker and Windows Defender Application Control, but they need careful setup) can be complex to get right. Even basic measures, like ensuring staff don't have administrator rights and can't install software themselves, provide meaningful protection in the meantime.
2. Patch Applications
What it means: Keep all your software up to date by applying security patches promptly. The ACSC sets timeframes: within 48 hours when a working exploit for the vulnerability exists, and otherwise within two weeks for internet-facing services and commonly targeted software (web browsers, Office, email clients, PDF readers).
Why it matters: Software vulnerabilities are one of the most common ways attackers get into systems. When a vendor releases a patch, they're effectively announcing that a vulnerability exists — attackers immediately start looking for unpatched systems to exploit.
For small business: Enable automatic updates on all software where possible — your operating system, browsers, Office applications, and any other software you use regularly. Don't click "remind me later" on update prompts.
3. Configure Microsoft Office Macro Settings
What it means: Disable or tightly control macros in Microsoft Office documents (Word, Excel, etc.). Only allow macros from trusted, verified sources.
Why it matters: Malicious macros embedded in Office documents are a very common attack method — particularly via phishing emails. When a victim opens the document and enables the macro, malware installs itself.
For small business: In Microsoft 365 or Office settings, disable macros by default and block macros in files that came from the internet (current Microsoft 365 Apps do this out of the box for downloaded files). Set this through policy rather than each user's own settings, so staff can't quietly switch macros back on. Only enable them for specific, trusted files from known sources. Most businesses can operate perfectly well without macros at all.
4. User Application Hardening
What it means: Configure your applications (particularly web browsers) to block risky content: Java from the internet, web advertisements, and legacy components such as Internet Explorer 11 and Flash (both now retired). Users should not be able to change those browser security settings themselves.
Why it matters: Web browsers are one of the primary ways malware enters systems. Blocking unnecessary browser features and plugins reduces the attack surface.
For small business: Use a modern, up-to-date browser (Chrome, Edge, Firefox) and make sure Internet Explorer 11 is disabled. Enable pop-up blocking. Consider using browser extensions like uBlock Origin to block malicious ads and scripts.
5. Restrict Administrative Privileges
What it means: Limit who has administrator-level access to your systems and accounts. Admin accounts should only be used for admin tasks — not for everyday browsing and emailing.
Why it matters: If an attacker compromises an administrator account, they can do far more damage than if they compromise a standard user account. Limiting admin access limits the blast radius of any attack.
For small business: Most staff should use standard (non-admin) accounts day-to-day. Have a separate administrator account used only when you need to install software or change settings. Never use your admin account for general work.
6. Patch Operating Systems
What it means: Keep your operating system (Windows, macOS, iOS, Android) up to date with the latest security patches. Replace operating systems that are no longer supported by the vendor.
Why it matters: Like application patching, OS-level vulnerabilities are heavily exploited. An unpatched operating system is a known entry point for attackers.
For small business: Enable automatic updates for Windows or macOS. Stop using end-of-life operating systems: Windows 10 reaches end of support on 14 October 2025 (after that, only paid Extended Security Updates are available). If you have old computers running outdated software, upgrading is a genuine security investment.
7. Multi-Factor Authentication (MFA)
What it means: Require a second form of verification beyond just a password to log in to important accounts. This might be a code sent to your phone, an authenticator app, or a physical security key.
Why it matters: Passwords alone are not sufficient protection. They get stolen, guessed, or leaked in data breaches constantly. MFA means that even if an attacker has your password, they still can't get in without that second factor.
For small business: Enable MFA on every service that supports it, starting with your email, banking, accounting software (Xero, MYOB), cloud storage, and any other system containing sensitive information. Authenticator apps like Microsoft Authenticator or Google Authenticator are free and easy to use. A code sent by SMS is better than a password alone but is the weakest option; an authenticator app is stronger, and a physical security key or passkey is the only form that resists phishing.
8. Regular Backups
What it means: Back up your important data regularly. Store at least one backup offline or in a separate location that isn't accessible from your main network. Test that you can actually restore from your backups.
Why it matters: Ransomware attacks — where criminals encrypt your files and demand payment — can be devastating. If you have clean, tested backups, you can recover without paying. Backups also protect against accidental deletion, hardware failure, and natural disasters.
For small business: Follow the 3-2-1 backup rule: three copies of your data, on two different types of media, with one stored offsite (cloud backups count). Services like Backblaze, Microsoft Azure Backup, or even an external hard drive stored at home (rotated regularly) can work. Crucially — test your restores. A backup you've never tested is a backup you can't rely on.
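The macro, administrative-privilege and OS-patching strategies above can be spot-checked on a single Windows PC without any special tooling. The script below is an added example written for this page; it is not ACSC code and not a compliance tool. It reads the Office policy registry keys for Word, Excel and PowerPoint, checks whether the everyday account is in the local Administrators group, and looks at the Windows build and the most recent installed update. The registry paths are the documented Office policy locations; the 30-day patch age, the "build 22000 means Windows 11" rule and the PASS/FAIL wording are this example's own assumptions.

```powershell
# Added example: a read-only Essential Eight spot check for one Windows PC.
# Run it from the staff member's normal account (no elevation needed) in
# Windows PowerShell 5.1 or later:  .\Check-E8Basics.ps1
# Thresholds below are assumptions for illustration, not ACSC requirements.

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $findings.Add(('[{0}] {1}: {2}' -f $status, $Control, $Detail))
}

# --- 3. Office macro settings -------------------------------------------------
# Policy keys win over per-user settings, so checking the Policies hive also
# tells us whether staff could simply re-enable macros themselves.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $vba   = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $block = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    $macrosLocked = ($vba -eq 4) -or ($vba -eq 3)
    Add-Finding "Macros ($app)" ($macrosLocked -and ($block -eq 1)) `
        "policy VBAWarnings=$vba (want 3 or 4), blockcontentexecutionfrominternet=$block (want 1)"
}

# --- 5. Restrict administrative privileges -----------------------------------
# The everyday login should not be a member of the local Administrators group.
try {
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
    $names  = ($admins | ForEach-Object { $_.Name }) -join ', '
    $meIsAdmin = [bool]($admins | Where-Object { $_.Name -like "*\$env:USERNAME" })
    Add-Finding 'Admin privileges' (-not $meIsAdmin) "current user '$env:USERNAME' in Administrators: $meIsAdmin (members: $names)"
} catch {
    Add-Finding 'Admin privileges' $false "could not read Administrators group: $($_.Exception.Message)"
}

# --- 6. Patch operating systems ---------------------------------------------
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
# Desktop-only heuristic: Windows 11 builds start at 22000; a lower build on a
# desktop is Windows 10, which reaches end of support on 14 October 2025.
Add-Finding 'OS supported' ($build -ge 22000) "$($os.Caption) build $build"

# Get-HotFix is a rough proxy (Windows Update history is authoritative), but a
# cumulative update older than a month usually means updates are not landing.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { 999 }
Add-Finding 'OS patching' ($ageDays -le 30) "most recent update $($lastPatch.HotFixID) installed $ageDays days ago (want 30 or fewer)"

# --- Report ------------------------------------------------------------------
$findings | ForEach-Object { Write-Output $_ }
$failCount = @($findings | Where-Object { $_.StartsWith('[FAIL]') }).Count
Write-Output ("{0} check(s) need attention." -f $failCount)
```

A FAIL here is a prompt to look, not a verdict: the script cannot see MFA on your cloud accounts or whether a backup has ever been restored, and the Office keys only exist once a policy has actually been applied (a blank VBAWarnings means nothing is enforced, which is itself the finding).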
The Maturity Model: You Don't Have to Do Everything at Once
The ACSC's Essential Eight uses a maturity model with four levels (Maturity Level Zero through Three). You don't need to achieve Level Three immediately — or ever, for most small businesses. The goal is to progress over time, starting with the most impactful controls.
For most small businesses, reaching Maturity Level One across all eight strategies would represent a substantial improvement over where they currently sit. That means: MFA is on, software is being patched, macros are disabled, admin access is limited, and backups are happening and tested.
Where to Start
If you're feeling overwhelmed, prioritise in this order:
- MFA first — it has the highest impact per unit of effort and is often free to implement
- Backups second — it limits the worst-case scenario of a ransomware attack
- Patching third — enable automatic updates across all systems
- Then tackle administrative privileges and macro settings
Full guidance on all eight strategies is available free at cyber.gov.au.
Key Takeaways
- The Essential Eight is Australia's recommended baseline cyber security framework, developed by the ACSC based on real incidents.
- The eight strategies are: application control, patch applications, configure macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.
- You don't need to implement everything at once — the maturity model lets you improve progressively.
- For most small businesses, starting with MFA, backups, and patching delivers the greatest risk reduction for the least effort.
- Full free guidance is available at cyber.gov.au.
Want to see how your business currently measures up against the Essential Eight? The free assessment at flagged.com.au benchmarks your business against the ACSC's framework and gives you a clear, prioritised action plan — no technical knowledge required.