The Essential Eight: What Australian SMBs Actually Need to Know in 2026

If you run IT for an Australian business, the Essential Eight isn’t optional anymore — it’s table stakes. Government contracts, cyber insurance, not being the next breach headline: all roads lead here.

This guide cuts the jargon. What the E8 actually requires, how maturity levels work in practice, and a realistic path to compliance — even if your “security team” is you and an MSP.

The Essential Eight, Briefly

Eight mitigation strategies, drawn from the Australian Signals Directorate's (ASD) broader Strategies to Mitigate Cyber Security Incidents and singled out as the most effective baseline controls:

  1. Application control — only approved executables, scripts, installers and libraries run
  2. Patch applications — browsers, PDF readers, Office and internet-facing services patched promptly
  3. Configure Office macro settings — disable macros for users who don't need them, block macros in files from the internet
  4. User application hardening — disable or remove features attackers abuse (Internet Explorer 11, Java and web ads in browsers, Office spawning child processes)
  5. Restrict admin privileges — limit who has admin and what they can do, and keep admin accounts off the internet and email
  6. Patch operating systems — keep current, retire unsupported versions
  7. Multi-factor authentication — for online services and privileged users at the lower levels, everyone at the higher ones
  8. Regular backups — perform, retain and test restores

Nothing exotic. That’s the point. These address the most common attack vectors — phishing, unpatched vulns, credential theft, ransomware — with proven, practical controls.

Why It Matters More Than Ever

Government contracts: The PSPF requires non-corporate Commonwealth entities to implement at least Maturity Level Two. Sell to government — directly or as a sub — and you'll be asked to demonstrate your E8 posture.

Insurance: Underwriters aren’t just asking “do you have MFA?” anymore. Many now reference the Essential Eight explicitly. Your maturity level affects premiums and whether you get coverage at all.

The threat landscape: Australia saw a 23% increase in reported cyber incidents in 2025. SMBs were disproportionately hit. Ransomware groups specifically target organisations they perceive as soft.

De facto standard: Even without a private sector mandate, regulators, industry bodies, and boards increasingly reference the E8. Get breached without basic ASD-recommended controls in place? Expect hard questions.

Maturity Levels — What They Actually Mean

Level Zero

You haven't meaningfully implemented the strategy, or you fall short of what Level One requires. Windows endpoints without application control? Microsoft 365 admin accounts without MFA? You're here.

Level One

Basic implementation. Designed to counter adversaries using commodity tools and techniques; gaps remain against more capable threats.

  • Internet-facing services patched within two weeks, or 48 hours where an exploit exists; browsers, Office and PDF readers within two weeks
  • MFA on the organisation's online services and third-party services; MFA for privileged users of systems isn't required until Level Two
  • Backups performed and retained per business continuity needs, with restores tested as part of disaster recovery exercises

Level Two

Strong implementation — the level the PSPF sets as the baseline for Commonwealth entities, and the sensible target for most businesses.

  • Vulnerabilities rated critical by the vendor, or with a working exploit, patched within 48 hours; everything else within two weeks (a month for lesser-used applications)
  • Phishing-resistant MFA for users of systems and online services (not SMS or push approval)
  • Application control on workstations and internet-facing servers (all servers is a Level Three requirement)
  • Admin access validated at least annually and disabled after 45 days of inactivity, separate admin accounts, administration through jump servers
  • Privileged accounts (other than backup administrators) can't read, modify or delete backups, which is why offline or immutable copies are the practical implementation

Level Three

Highest level. Designed for more adaptive adversaries who invest in bypassing specific controls rather than relying on public tooling. Most SMBs don't need this.

  • Application control on all workstations and servers, including driver block rules, with allowed and blocked executions centrally logged
  • The 48-hour window for critical or exploited vulnerabilities extended to every application, and unsupported applications removed
  • Secure admin workstations and just-in-time administration for all privileged tasks
  • Phishing-resistant MFA extended to data repositories, with hardware keys the usual way to get there

Where Most Australian SMBs Actually Stand

Let’s be honest:

Strategy                      Typical SMB maturity
Application control           Level 0
Patch applications            Level 1
Office macro settings         Level 0–1
User application hardening    Level 0
Restrict admin privileges     Level 0–1
Patch operating systems       Level 1
MFA                           Level 1–2
Regular backups               Level 1

MFA is usually strongest because cloud providers pushed it hard. Application control and user application hardening are almost always weakest — they require tooling and policy most SMBs haven’t invested in.

A Practical Path to Level Two

You don’t need to do everything at once.

Phase 1: Quick wins (Weeks 1–4)

MFA everywhere. M365 or Google Workspace? Enforce MFA for all users with Conditional Access, and don't forget guest and service accounts. Move admins to phishing-resistant methods first (passkeys, FIDO2 keys); Level Two requires phishing-resistant MFA for all users of systems and online services, so plan that wider rollout now.

Block macros. Configure Group Policy (or Intune) to disable macros for users without a demonstrated business need, block macros in files downloaded from the internet, enable macro antivirus scanning, and stop users changing those settings. Policy change, not product purchase.

Audit admin privileges. Find every account with admin rights, locally, in AD and in your cloud tenant. Remove admin from daily-use accounts. Create separate admin accounts for IT staff, and deny those accounts internet, email and web browsing.

Phase 2: Foundations (Months 2–3)

Automate patching. Intune, WSUS or Automox, plus a vulnerability scanner to confirm what's actually installed rather than what the console says was pushed. Set a 48-hour SLA for critical or actively exploited vulnerabilities and two weeks for the rest, and remove operating systems and applications the vendor no longer supports.

Harden user applications. Disable or remove Internet Explorer 11, block Java and web ads in browsers, lock browser security settings so users can't change them, block Office and PDF readers from spawning child processes with Defender ASR rules, and put PowerShell in Constrained Language Mode for standard users.

Harden backups. 3-2-1 rule. Test restores quarterly and record the result. Keep at least one immutable or offline copy, and make sure ordinary admin accounts can't modify or delete backups, because that's the first thing a ransomware operator with stolen credentials goes for.

Phase 3: The hard stuff (Months 3–6)

Application control. The most operationally complex strategy. Start with WDAC or AppLocker on a pilot group in audit mode. Build your approved app baseline from a clean reference machine, review what the audit log says would have been blocked, then switch to enforce. Expect user friction — communicate early and often.
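The pilot just described, as an added example that is not part of the article or of any ASD tooling: PowerShell using the built-in AppLocker module on a Windows 10/11 Pro or Enterprise reference workstation. The output path, the two sample test paths and the assumption that the reference machine carries only approved software are all hypothetical; run it elevated.

```powershell
# Added example, not ASD or article code: build an AppLocker allow-list from a
# clean reference workstation and roll it out in audit mode to a pilot group.
# Assumes Windows 10/11 Pro/Enterprise with the built-in AppLocker module, and
# that the reference machine holds only approved software. Run elevated.
# Output path and sample test paths below are hypothetical.

$OutFile = 'C:\E8\applocker-baseline.xml'
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

# 1. Inventory executables, installers and scripts in the standard program
#    locations only. Downloads, %TEMP% and AppData are deliberately excluded:
#    that is where phishing payloads land, and nothing there should be trusted.
#    (DLL rules are needed for full Essential Eight coverage but multiply the
#    rule count; add -FileType Dll once the Exe baseline is stable.)
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller -ErrorAction SilentlyContinue
}

# 2. Generate rules. Publisher rules apply to signed files and survive version
#    updates; hash rules are the fallback for unsigned binaries and must be
#    regenerated whenever those binaries change. -Optimize merges rules that
#    share a publisher so the policy stays readable.
[xml]$policy = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Put every rule collection in audit mode. New-AppLockerPolicy emits
#    EnforcementMode="NotConfigured"; AuditOnly lets everything run but writes
#    event 8003 (EXE/DLL) or 8006 (script/MSI) for anything the policy would
#    have blocked, which is the data you need before enforcing.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($OutFile)

# 4. Dry-run the draft against known-good and known-bad paths. A signed
#    Windows binary should come back Allowed; a payload dropped in a
#    user-writable folder should be DeniedByDefaultRule (no rule covers it).
$samples = @(
    'C:\Windows\System32\notepad.exe',
    "$env:USERPROFILE\Downloads\invoice.exe"   # hypothetical phishing drop
)
$samples | Where-Object { Test-Path $_ } | ForEach-Object {
    Test-AppLockerPolicy -XmlPolicy $OutFile -Path $_ -User Everyone
}

# 5. Apply to the pilot machine. For a fleet, import the XML into a GPO or an
#    Intune profile instead. The Application Identity service must be running
#    or AppLocker evaluates nothing; it is Manual by default, so set it to
#    start automatically (sc.exe, because Set-Service may be refused on this
#    protected service in recent builds).
Set-AppLockerPolicy -XmlPolicy $OutFile
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. After a week or two of audit, review what would have been blocked, add
#    the legitimate items to the baseline, then change AuditOnly to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Step 4 is the part people skip: if the draft policy allows the Downloads path, the inventory picked up something it shouldn't have, and you want to know that before a single user is in scope.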

Continuous improvement. Log and monitor to verify controls are actually enforced; Level Two expects application control block events, macro execution events, privileged access events and MFA events to be logged and reviewed. Review and tighten quarterly.

Mistakes That Will Bite You

Treating it as a checkbox exercise. If your application control policy exists on paper but isn’t enforced technically, you’re Level Zero. Documentation without enforcement is decoration.

Skipping the hard strategies. Application control and user application hardening are consistently weakest because they’re hard. They’re in the E8 precisely because they’re effective. Don’t dodge them.

Over-scoping. Aim for Level Two, not Three. L3 is for high-value targets facing APTs. For most SMBs, L2 provides excellent protection without the operational overhead.

Forgetting cloud. The E8 applies to SaaS, cloud servers and remote endpoints too. ASD wrote the model with Windows-based networks in mind, so map each strategy to the equivalent cloud control (Conditional Access for MFA, tenant role reviews for admin privileges, immutable storage for backups) rather than treating cloud as out of scope. Everything in scope.

Not testing backups. An untested backup is a backup that doesn’t exist. Quarterly restore tests. Documented results. No exceptions.

Assessing Where You Stand

Before improving, know your baseline:

  1. Map each strategy to current technical controls
  2. Test controls — not policy existence, but actual enforcement
  3. Document gaps with specific remediation steps
  4. Prioritise by risk and effort
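One way to do steps 1 and 2 on a Windows endpoint, and the enforcement test that "documentation without enforcement is decoration" calls for, as an added example that is not part of the article or ASD's guidance: a PowerShell check that reads the enforced state of several strategies (macro policy keys, AppLocker/WDAC, Defender ASR hardening, local admin membership, OS patch age) rather than whether a policy document exists. The Office 16.0 policy hive, the 14-day patch window, the ASR rule IDs taken from Microsoft's ASR reference and the allow-list of expected admin principals are assumptions to adjust; MFA and backup controls live in your identity provider and backup platform and have to be checked there.

```powershell
# Added example, not an ASD tool: evidence-based Essential Eight spot check on
# a Windows 10/11 workstation. Reads enforced state (registry policy keys,
# AppLocker/WDAC, Defender ASR, local group membership, patch age), not
# documentation. Run elevated on a representative endpoint.
# Assumptions to adjust: Office 16.0 policy hive, 14-day OS patch window,
# the expected-admin list. MFA and backups must be checked in the identity
# provider and backup platform, not here.

$script:results = @()
function Add-Result($Control, $Check, [bool]$Pass, $Evidence) {
    $script:results += [pscustomobject]@{
        Control  = $Control
        Check    = $Check
        Status   = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Evidence = "$Evidence"
    }
}

# 1. Office macros. Keys under HKCU\Software\Policies are written by Group
#    Policy/Intune and cannot be changed by the user, unlike the
#    HKCU\Software\Microsoft\Office equivalents. VBAWarnings 4 = all macros
#    disabled, 3 = only signed macros (acceptable for users with a need);
#    blockcontentexecutionfrominternet 1 = block macros in Mark-of-the-Web files.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $p = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
    Add-Result 'Office macros' "$app blocks internet macros" ($p.blockcontentexecutionfrominternet -eq 1) "blockcontentexecutionfrominternet=$($p.blockcontentexecutionfrominternet)"
    Add-Result 'Office macros' "$app disables unneeded macros" ($p.VBAWarnings -in 3, 4) "VBAWarnings=$($p.VBAWarnings)"
}

# 2. Application control. Either AppLocker collections are Enabled (not
#    AuditOnly/NotConfigured) with the Application Identity service running,
#    or the WDAC user-mode policy is enforced (2 = enforced, 1 = audit, 0 = off).
[xml]$al = Get-AppLockerPolicy -Effective -Xml
$modes = @{}
foreach ($rc in $al.AppLockerPolicy.RuleCollection) { $modes[$rc.Type] = $rc.EnforcementMode }
$appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$wdac = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
foreach ($t in 'Exe', 'Dll', 'Script', 'Msi') {
    $enforced = ($modes[$t] -eq 'Enabled' -and $appId.Status -eq 'Running') -or ($wdac -eq 2)
    Add-Result 'Application control' "$t execution restricted" $enforced "AppLocker=$($modes[$t]); AppIDSvc=$($appId.Status); WDAC user-mode=$wdac"
}

# 3. User application hardening (Level Two items). Defender ASR rules that stop
#    Office spawning processes, writing executables or injecting code must be
#    in Block mode (action 1; 2 = audit, 6 = warn, 0 = off). Rule IDs are taken
#    from Microsoft's ASR reference; confirm them there before relying on this.
$asrWanted = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office code injection'
}
$mp = Get-MpPreference -ErrorAction SilentlyContinue
$ids = @($mp.AttackSurfaceReductionRules_Ids)
$acts = @($mp.AttackSurfaceReductionRules_Actions)
$asrState = @{}
for ($i = 0; $i -lt $ids.Count -and $i -lt $acts.Count; $i++) {
    if ($ids[$i]) { $asrState["$($ids[$i])".ToUpper()] = $acts[$i] }
}
foreach ($id in $asrWanted.Keys) {
    Add-Result 'User app hardening' "ASR: $($asrWanted[$id])" ($asrState[$id] -eq 1) "action=$($asrState[$id])"
}

# 4. Restrict admin privileges. Every local Administrators member should be a
#    dedicated admin identity or group, never someone's daily-use account.
#    $expectedAdmins is a hypothetical allow-list; substitute your own.
$expectedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\IT-Workstation-Admins')
$members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$unexpected = @($members | Where-Object { $_.Name -notin $expectedAdmins })
Add-Result 'Admin privileges' 'Only expected local admins' ($unexpected.Count -eq 0) $(if ($unexpected) { $unexpected.Name -join ', ' } else { 'none' })

# 5. Patch operating systems. Get-HotFix only lists updates applied through
#    Windows Update/WSUS and some entries carry no date, so a missing date is
#    something to investigate, not a pass.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
Add-Result 'Patch OS' 'Latest update within 14 days' ($null -ne $ageDays -and $ageDays -le 14) "latest=$($latest.HotFixID) installed=$($latest.InstalledOn)"

$script:results | Format-Table -AutoSize
$failed = @($script:results | Where-Object Status -eq 'FAIL').Count
Write-Host "$failed of $($script:results.Count) checks failing"
$code = [int]($failed -gt 0)   # non-zero exit so a scheduled run can raise an alert
exit $code
```

Run it as a scheduled task on a sample of endpoints and feed the table into your gap register: each FAIL row is a remediation item with its evidence already attached, which is the form step 3 asks for.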

This is where most organisations stall. The ASD publishes detailed guidance, but translating that into “what does this mean for my 50-person company on M365 with a handful of on-prem servers?” takes experience.

🛡️ Assess Your Essential Eight Maturity — Free Tool

Our Essential Eight Gap Assessment walks you through each strategy with practical questions for Australian SMBs. Get a clear maturity rating per strategy and specific improvement recommendations.

Take the free assessment →

Beyond the Baseline

Once you’ve hit Level Two, consider:

  • Security awareness training — your people are still your biggest risk
  • Incident response planning — know what to do when (not if) it happens
  • Security monitoring — detect what gets past prevention. Our Log Source Priority Calculator helps you prioritise
  • Vendor risk management — your security is only as strong as your weakest supplier
  • Stack assessment: our Security Control Coverage Calculator maps your tools against common attack frameworks

The Bottom Line

The Essential Eight isn’t perfect and it isn’t comprehensive. But it’s the best starting point for Australian businesses that want to meaningfully reduce cyber risk without drowning in framework complexity.

Start with an honest assessment. Knock out the quick wins. Build toward Level Two. And remember — the goal isn’t a perfect compliance score. The goal is making your organisation materially harder to compromise.

Run our free Essential Eight Gap Assessment → — 10 minutes, clear picture, actionable next steps.