
Essential Eight for Small Business: Where to Start

5 min read

Most small business owners we speak to know they should care about cyber security. They have read the news, they have had the conversation with their broker, they have seen the clauses in client contracts asking about the Essential Eight. What they do not know is where to begin.

The Essential Eight sounds like something you either do all of or none of. That is not true. You can get most of the benefit from three of them, done well, and build from there.

What the Essential Eight actually is

The Essential Eight is a set of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC). They are not a law, not a certification, and not a product. They are a list of things that, if implemented, would stop the majority of cyber attacks Australian businesses actually face.

The eight strategies are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.

Each strategy is assessed against four maturity levels, Zero through Three. Maturity Level Zero means the control is essentially absent or has weaknesses an attacker could walk through. Level One (ML1) is the baseline and is the right target for most businesses starting out: it is designed to stop adversaries using commodity tools and publicly available exploits against whatever you have exposed. Level Two is stronger. Level Three is for organisations handling highly sensitive data or government contracts, or facing adversaries who will adapt and keep trying. Do not confuse "target ML1" with "do a bad job". ML1 is a real standard that genuinely reduces risk.

The three that matter most

If you only do three, do these.

1. Patch applications and operating systems

More than half of the breaches we investigate at small businesses trace back to a piece of software that had a known security flaw, and a patch that was available, and nobody applied it. Attackers scan for unpatched systems constantly. If your Windows servers or third-party apps are months behind, you are a target of opportunity.

ML1 sets deadlines according to how exposed a system is. Security patches for internet-facing services and for the operating systems of internet-facing servers must be applied within two weeks of release, and within 48 hours when the vendor rates the flaw critical or a working exploit is already circulating. Patches for workstations, internal servers and everyday applications (browsers, Office, email clients, PDF readers, security software) must be applied within one month. ML1 also expects you to run a vulnerability scanner so you actually know what is missing, and to remove software the vendor no longer supports, because it will never be patched. In practice, this means: turn on automatic updates where you can, have a scheduled time each month when someone goes through the update backlog for everything else, and have a way to move faster when a critical fix lands for something facing the internet.
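One way to make the monthly backlog review concrete, as an added example that is not from the original post: a PowerShell script run on the Windows server or workstation being checked, which lists updates the machine knows about but has not installed, works out how long each has been available, and flags anything outside the ML1 window. The -InternetFacing switch, the 14-day, 30-day and 48-hour thresholds, and the use of the Windows Update Agent COM API are my choices for the illustration, not something the post prescribes.

```powershell
# Added example, not from the original post. Lists Windows updates that this
# machine knows about but has not installed, computes how long each has been
# available, and flags anything outside the ML1 window. Run from an elevated
# PowerShell on the machine you are checking.
#
# Assumptions (mine, not the post's): the machine receives updates from
# Windows Update or WSUS, and the operator says whether it is internet-facing,
# because the script cannot infer that reliably on its own.
param(
    [switch]$InternetFacing
)

# ML1 windows: two weeks for internet-facing systems, one month for the rest,
# and 48 hours whenever the vendor rates the vulnerability critical.
$deadlineDays  = if ($InternetFacing) { 14 } else { 30 }
$criticalHours = 48

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# Not installed and not hidden by an administrator. Optional/preview updates are
# included; filter on $u.AutoSelectOnWebSites if you only want recommended ones.
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$now    = Get-Date
$report = foreach ($u in $result.Updates) {
    # LastDeploymentChangeTime is when the update was (last) published to the
    # update server, which is the closest thing the API offers to a release date.
    $age      = $now - $u.LastDeploymentChangeTime
    $critical = ($u.MsrcSeverity -eq 'Critical')
    $overdue  = if ($critical) { $age.TotalHours -gt $criticalHours } else { $age.TotalDays -gt $deadlineDays }
    [pscustomobject]@{
        KB       = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { '-' }
        AgeDays  = [math]::Floor($age.TotalDays)
        Window   = if ($critical) { "$criticalHours h" } else { "$deadlineDays d" }
        Overdue  = $overdue
        Title    = $u.Title
    }
}

# Overdue items first, oldest at the top.
$report | Sort-Object Overdue, AgeDays -Descending | Format-Table -AutoSize

$overdueCount = @($report | Where-Object Overdue).Count
if ($overdueCount -gt 0) {
    Write-Warning "$overdueCount pending update(s) on $env:COMPUTERNAME are outside the ML1 window"
    exit 1
}
"All pending updates on $env:COMPUTERNAME are within the ML1 window."
```

The non-zero exit code lets you run this from a scheduled task or RMM job and alert on the result. It only sees what Windows Update sees; third-party applications still need their own check, for example `winget upgrade` on workstations, or the vulnerability scanner that ML1 expects you to run anyway.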

2. Multi-factor authentication

MFA is the highest-leverage control you can turn on. Microsoft's own data shows it blocks more than 99% of account takeover attempts. Every piece of business email compromise we have cleaned up started with an account that did not have MFA enabled.

ML1 means MFA for every user who signs in to your online services: email, cloud apps, admin consoles, anything reached over the internet such as a VPN or remote desktop gateway, and the third-party services that hold your sensitive data. Not every second factor is equal. A passkey or hardware security key is phishing-resistant and should be the default for administrators; an authenticator app (Microsoft Authenticator with number matching, or a code-based app such as Authy) is the sensible choice for everyone else. SMS is better than nothing, but it has been beaten, by SIM swapping and by phishing pages that relay the code to the real login in real time. That relay trick also works against app-generated codes, which is why the phishing-resistant option matters most for the accounts that can do the most damage.
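The first question in any MFA rollout is "who does not have it yet", and in a Microsoft 365 tenant that is answerable with a script. The following is an added example, not from the original post: it uses the Microsoft Graph PowerShell SDK to report the strongest MFA method each enabled member account has registered, and flags accounts with no MFA, accounts relying on SMS or voice, and Global Administrators who are not on a phishing-resistant method. The strength ranking, the role and scope names, and the assumption that sign-in runs through Microsoft Entra ID are mine.

```powershell
# Added example, not from the original post. Reports, for every enabled member
# account in a Microsoft 365 tenant, the strongest MFA method registered, and
# flags accounts with no MFA, accounts on SMS/voice only, and Global
# Administrators not on a phishing-resistant method.
#
# Assumptions (mine, not the post's): the Microsoft.Graph SDK is installed
# (Install-Module Microsoft.Graph), you sign in with a role that can read
# authentication methods (Global Reader is enough), and sign-in is through
# Microsoft Entra ID.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Map Graph method types to a strength label. Email is a password-reset
# method, not MFA; a Temporary Access Pass is a bootstrap, not MFA; password
# alone is never MFA. Types not in this map are treated as 'none'.
$label = @{
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'phishing-resistant'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'phishing-resistant'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'app'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'app'
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'sms-or-voice'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'none'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'none'
    '#microsoft.graph.passwordAuthenticationMethod'                = 'none'
}
$rank = @{ 'phishing-resistant' = 3; 'app' = 2; 'sms-or-voice' = 1; 'none' = 0 }

# Current direct holders of Global Administrator. PIM-eligible assignments and
# group-based assignments are not expanded here.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaIds  = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id

$users = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" -Property Id, UserPrincipalName

$report = foreach ($u in $users) {
    $best = 'none'
    foreach ($m in @(Get-MgUserAuthenticationMethod -UserId $u.Id)) {
        $t = $m.AdditionalProperties['@odata.type']
        $l = if ($label.ContainsKey($t)) { $label[$t] } else { 'none' }
        if ($rank[$l] -gt $rank[$best]) { $best = $l }
    }
    $isAdmin = $gaIds -contains $u.Id
    $finding = if ($isAdmin -and $best -ne 'phishing-resistant') { 'Global Admin without phishing-resistant MFA' }
               elseif ($best -eq 'none')                          { 'No MFA registered' }
               elseif ($best -eq 'sms-or-voice')                  { 'SMS/voice only' }
               else                                               { '' }
    [pscustomobject]@{ User = $u.UserPrincipalName; GlobalAdmin = $isAdmin; Strongest = $best; Finding = $finding }
}

# Admins first, then everyone else with something to fix.
$report | Where-Object Finding | Sort-Object GlobalAdmin -Descending | Format-Table -AutoSize
$withMfa = @($report | Where-Object { $_.Strongest -ne 'none' }).Count
"{0} of {1} enabled users have some form of MFA registered; {2} account(s) hold Global Administrator." -f $withMfa, @($report).Count, $gaIds.Count
```

Registration is not enforcement: a user who has an authenticator registered can still sign in with a password alone unless security defaults or a Conditional Access policy require the second factor. Run this report before and after the rollout, and pair it with a policy that actually demands MFA for everyone the report covers.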

3. Daily backups

Ransomware is the threat most small businesses lose sleep over, and backups are the biggest part of the answer. A business with good, isolated backups can refuse to pay and restore on its own terms. A business without them is making a very difficult choice under pressure. Backups do not undo the theft of data that often accompanies ransomware now, so treat them as the floor, not the whole defence.

ML1 does not fix a frequency. It requires backups of data, applications and settings, performed and retained in line with your business continuity needs, which for most small businesses means at least daily. It also requires that ordinary, unprivileged accounts cannot modify or delete backups, and that last part matters. If your backups live on the same network or behind the same cloud admin login as your production data, a determined attacker will delete them before they trigger the ransomware. Keep at least one copy offline, or in immutable storage that cannot be deleted within its retention period even by your own administrator account.

Test your restores. ML1 requires restoration from backups to be tested as part of disaster recovery exercises, and untested backups fail far more often than anyone expects: an agent that silently stopped months ago, an encryption key nobody saved, a retention policy that quietly pruned the one good copy. You do not want to discover any of that during an incident.

Why these three

The rest of the Essential Eight is worth doing. But application control, Office macro hardening, user application hardening, and restricting admin privileges all require more planning, more testing, and more risk of breaking something legitimate. They are worthwhile, and we recommend them, but they are not where you should start.

Patching, MFA, and backups are different. They have well-understood implementations, they rarely break day-to-day work (the occasional bad patch aside), and together they close the openings most attacks on small businesses in Australia rely on: an unpatched system facing the internet, a stolen password, and data that cannot be recovered.

A realistic timeline

If this feels like a lot, it is not as bad as it sounds. A business with 20 staff can reach ML1 on these three in about a month of part-time work: a couple of weeks to roll out MFA to everyone, a week to review and tighten up backups, and ongoing patching as a routine.

The hardest part is usually the first conversation with staff about MFA. Frame it as a one-time setup, not a daily nuisance, and provide one well-written guide. Most complaints disappear within two weeks.

Where to go from here

Once these three are at ML1, the next sensible step is restricting administrative privileges. Most small business Microsoft 365 tenants have too many Global Administrators (Microsoft's own guidance is to keep it under five), often on the same accounts people use for everyday email, and every one of them is an account whose compromise hands over the whole tenant. Start by trimming that list, give administrators a separate account used only for admin work, and assign narrower roles wherever they are enough.

If you are not sure where your business currently stands, that is normal. Half the point of a gap assessment is giving you an honest picture. Our free IT health check includes an Essential Eight assessment: we tell you what you have, what you are missing, and what order to tackle it in. No obligation, no sales pitch.
