What is the Essential Eight, and does a small business need it?
The ACSC’s 8 mitigation strategies, explained for a 1–30 staff business — which to actually do, and when formal compliance is overkill.
The Essential Eight is the ACSC’s set of 8 baseline mitigation strategies; here is what a small business should take from it:
- The 8 strategies — application control, patch applications, configure Office macros, user application hardening, restrict admin privileges, patch operating systems, multi-factor authentication, and regular backups.
- The high-value three — MFA, patching, and tested backups are achievable without IT staff and block a disproportionate share of small-business incidents; the other 5 lean on managed Windows fleets.
- Maturity levels are a ladder for IT departments — the framework expects all 8 strategies at a consistent level (0 to 3), which assumes resources a 1–30 staff business does not have.
- SMB1001 is the small-business fit — its 5 graduated tiers certify the same basics without the Essential Eight’s all-or-nothing maturity model.
Formal Essential Eight compliance is only worth chasing when a contract or regulator requires it in writing; otherwise it is a reading list, not a project.
The Essential Eight is the ACSC's list of 8 mitigation strategies that, applied together, block most of the attacks that actually hit Australian organisations. You almost certainly do not need formal maturity-level compliance unless a contract or regulator demands it — but the 8 underlying ideas are worth knowing, and a few of them are the highest-value security work a small business can do. This page explains what the 8 are, what the maturity levels mean, which ones a 1–30 staff business can realistically run, and where SMB1001 certification, tier by tier, is a better fit than chasing Essential Eight maturity. It is the natural companion to what cybersecurity a small business actually needs.
What the Essential Eight actually is
The ACSC Essential Eight is a set of 8 baseline mitigation strategies. The thinking behind it is blunt: most successful attacks reuse a small number of techniques, so if you shut those techniques down, you stop most attacks without trying to defend against everything. Here are the 8, in plain terms.
Application control. Only let approved programs run on your machines, so malware a staff member accidentally downloads cannot execute. This is the hardest of the 8 to run without IT staff.
Patch applications. Keep the software on your devices — browsers, PDF readers, Office, anything internet-facing — up to date, because attackers exploit known holes that patches have already fixed.
Configure Microsoft Office macros. Block or restrict macros, the little embedded scripts in Office documents that are a classic delivery method for malware in email attachments.
User application hardening. Turn off the risky features in everyday software — Flash is gone, but the principle covers browser plugins, ads and other attack surface you do not need.
Restrict administrative privileges. Most staff should use accounts that cannot install software or change system settings. Admin rights are the keys to the building; hand out fewer of them.
Patch operating systems. Same idea as patching applications, applied to Windows, macOS and your phones — keep the OS current so known vulnerabilities get closed.
Multi-factor authentication. Require a second factor — an app prompt or a code — on top of the password, so a stolen password alone does not get an attacker in. (What multi-factor authentication is, in one paragraph.)
Regular backups. Keep backups of your important data, test that you can restore from them, and keep a copy that ransomware cannot reach. A backup you have never restored is a hope, not a control.
Read the list again and notice something: 3 of these — patching, MFA and backups — are things any business can do this quarter with no consultant. The other 5 lean towards organisations with managed Windows fleets and someone to administer them.
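The "test that you can restore" part of the backups strategy is the one most often skipped, so here is an added example of what a restore test looks like in practice (constructed for this page, not ACSC or Red Bridge Cyber code). It assumes you restore a backup to a scratch folder and compare it file by file, by SHA-256, against the live data it is meant to reproduce; the `demo()` scenario and its file names are made up.

```python
"""Restore test: prove a backup can be restored intact, not just that it exists.

Constructed example. Compares every file under a live tree with its
counterpart under a restored tree and reports anything missing, extra or altered.
"""
import hashlib
import tempfile
from pathlib import Path


def _digests(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 hex digest."""
    out = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            out[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return out


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare a restored tree against the live data it should reproduce.

    Returns {"missing": [...], "extra": [...], "changed": [...], "ok": bool}.
    The backup only counts as tested when "ok" is True.
    """
    src, dst = _digests(source), _digests(restored)
    missing = sorted(set(src) - set(dst))          # in live data, absent from restore
    extra = sorted(set(dst) - set(src))            # in restore, not in live data
    changed = sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p])
    return {"missing": missing, "extra": extra, "changed": changed,
            "ok": not (missing or extra or changed)}


def demo() -> dict:
    """Constructed scenario: a restore that looks fine until you check the files."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restore = Path(tmp, "live"), Path(tmp, "restore")
        for root in (live, restore):
            (root / "accounts").mkdir(parents=True)
            (root / "accounts" / "invoices.csv").write_text("id,amount\n1,250\n")
            (root / "clients.txt").write_text("Example Pty Ltd\n")
        # Simulate a bad restore: truncated invoices file, missing client list.
        (restore / "accounts" / "invoices.csv").write_text("id,amount\n")
        (restore / "clients.txt").unlink()
        return verify_restore(live, restore)


if __name__ == "__main__":
    print(demo())
```

Run it against a real restore by calling `verify_restore(Path("/path/to/live"), Path("/path/to/restore"))`; a restore that reports anything but `"ok": True` is the backup failing its test before you needed it.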
Maturity levels, briefly
The Essential Eight is not pass/fail. The ACSC defines 4 maturity levels for each of the 8 strategies, and the model is meant to be applied as a whole — you sit at the level your weakest strategy reaches.
Maturity Level 0 means the strategy is not meaningfully in place — gaps an attacker can walk through. (Maturity Level 0 through 3 in detail.)
Maturity Level 1 is the baseline: defends against attackers using widely available, off-the-shelf techniques — the opportunistic end of the spectrum. For most small organisations, Level 1 is the only level worth discussing.
Maturity Level 2 steps up to attackers willing to invest more effort and time — more targeted, better-resourced. This is where the controls start assuming real IT administration.
Maturity Level 3 targets adversaries who are adaptive and well-resourced, the kind that pick a specific target and stay on it. This is a posture for organisations with something genuinely valuable to defend and a security team to defend it.
The important thing to take from this section: maturity levels are a ladder built for organisations that have an IT function to climb it. The framework explicitly expects you to implement all 8 strategies to a consistent level. For a 6-person business, hitting even uniform Level 1 across all 8 is a real project — and usually not the right one.
What it means for a 1–30 staff business
Here is the honest read. The median Australian small business website scores grade F on Red Bridge Cyber's Security category* — and the businesses behind those sites are nowhere near Essential Eight Maturity Level 1, nor do they need to be. Chasing formal compliance is not the lever. Doing the high-value ideas is.
Sort the 8 by what a small business can actually run, and the picture is clear.
Do these now — they are the high-value three. Multi-factor authentication, patching (applications and operating systems), and tested backups. These three are achievable without IT staff, and they block a disproportionate share of what goes wrong at this scale. MFA on your email and key cloud apps is the single best hour you will spend; turning on automatic updates is mostly switching a setting; a tested backup is the difference between a bad week and a closed business.
Do these where you can. Restricting admin privileges is realistic — give staff standard accounts and keep admin for when it is needed. Configuring Office macros is realistic if your team uses Office and someone can set the policy. User application hardening is partly automatic now that browsers have killed the worst legacy plugins.
These need IT support. Application control is genuinely hard to run well without managed devices and an administrator — it is the strategy small businesses most often skip, and reasonably so. Achieving and maintaining uniform maturity across all 8, with the logging and review the levels require, is the part that assumes resources a small business does not have.
So the small-business answer is not "adopt the Essential Eight" or "ignore it". It is: take MFA, patching and backups straight off the list and do them properly, borrow the admin-privileges and macro ideas where you can, and do not lose sleep over formal maturity levels unless someone is paying you to hit them.
Essential Eight vs SMB1001
The Essential Eight and SMB1001 are not competitors solving the same problem — they are aimed at different-sized organisations. The Essential Eight is a mitigation framework with maturity levels built for organisations with IT departments. SMB1001 is a tiered certification standard built specifically for small and medium businesses that want to prove they have the basics in place.
The practical differences matter. SMB1001 has 5 graduated tiers, so a micro-business can certify at an entry tier and step up over time, rather than facing the Essential Eight's all-or-nothing expectation of all 8 strategies at a consistent level. Its lower tiers are self-attested by a director, with pricing closer to a software subscription than an audit. And it covers the same ground in spirit — MFA, backups, updates, staff awareness — without assuming a managed Windows fleet. For a business whose technology is a website, cloud email and some laptops, SMB1001 maps to reality; the Essential Eight maps to an IT department you do not have. The tier-by-tier walkthrough sets out which tier a tender or customer is likely asking for.
None of this means the Essential Eight is wrong for you to understand. The 8 ideas are sound at any size. It is the formal maturity-level compliance — the auditing, the uniform implementation, the evidence — that is built for a different kind of organisation.
When you actually need formal compliance
There is a real set of small organisations that genuinely need Essential Eight compliance, and they share one property: a contract or regulator requires it in writing.
The clearest case is government and defence supply. If you tender for federal or some state government work, the request may specify Essential Eight Maturity Level 1 (or higher) as a condition, because the ACSC framework is the default authority across Australian government. If you supply the defence sector, your contracts will reference the ISM and may require DISP membership for small business, which carries its own security obligations layered on top. Larger enterprise customers running a vendor-risk process sometimes ask the same — a security questionnaire that names the Essential Eight and wants evidence against it.
In those cases, formal compliance is not overkill — it is the specific thing your contract demands, and you bring in help to reach it and prove it. For everyone else, the framework is a reading list, not a project. Understand the 8 ideas, do the high-value three properly, certify to SMB1001 if a customer needs proof, and spend the rest of your attention on the basics most businesses are still missing. You can see where your own public-facing surface sits against the Australian small-business baseline with our scan — the part of the picture that is visible from outside, measured the same way for every business.