Insight
The Essential Eight explained in plain English: what each of the ACSC's eight security strategies means, and which ones a small business should start with.
The Essential Eight explained in plain English: what each of the ACSC's eight security strategies means, and which ones a small business should start with.
The Essential Eight is a set of eight practical security measures published by the Australian Cyber Security Centre (ACSC) to help organisations protect themselves from the most common cyber attacks. Think of it as a baseline checklist: get these eight right and you have blocked the paths criminals use most.
It was designed for organisations of all sizes, and while the full framework is aimed at larger bodies, the ideas behind it are exactly what a small business needs. Here is each of the eight, in plain English, without the jargon.
The eight strategies fall into three goals: stop attacks from running, limit the damage if one gets through, and recover your data if the worst happens. Here is the plain-English version.
| Strategy | What it actually means |
|---|---|
| Application control | Only let approved programs run, so malware can't just launch. |
| Patch applications | Keep programs like browsers and PDF readers updated to fix security holes. |
| Configure Office macros | Block or limit macros in Office files, a common way malware sneaks in. |
| User application hardening | Turn off risky features and unneeded browser add-ons. |
| Restrict admin privileges | Only give admin access to those who truly need it. |
| Patch operating systems | Keep Windows and other systems updated. |
| Multi-factor authentication | Require a second check beyond a password to log in. |
| Regular backups | Back up important data daily and test you can restore it. |
Not perfectly, and not all at once, but every one of them helps. The framework uses maturity levels from zero to three, and most small businesses do well to reach a solid Maturity Level One across the board. Start with the three that give the most protection for the least effort: multi-factor authentication, patching and backups.
Best practice: For a small business, reaching Maturity Level One on multi-factor authentication, patching and backups blocks the bulk of everyday attacks and is realistic to achieve.
You can see how these fit the bigger picture in our cyber security guide for Australian small business.
Say a staff member opens an invoice attachment that turns out to be malware. Application control stops it running. If it somehow runs, restricted admin rights stop it spreading. If it still locks some files, your daily backup means you restore and move on rather than paying a ransom. That is the point: layers, so one mistake is not a disaster.
Note: The Essential Eight works as layers, so its strength is not any single control but the way each one catches what the previous one missed.
Start with MFA, updates and backups, because they cover the most common attacks and cost little. The rest can be layered in over the following months.
Tip: Set operating systems and applications to update automatically, because patching is one of the highest-value controls and the easiest to forget when everyone is busy.
The short version: the Essential Eight is the ACSC's baseline checklist of eight controls, and a small business should start with MFA, patching and backups, then build from there.
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate, created and maintains it. You can read the official version on the cyber.gov.au website.
It is mandatory for many federal government entities, but not for private small businesses. For everyone else it is strongly recommended best practice, and a very good roadmap to follow.
They are levels zero to three that measure how fully you have implemented each strategy. Most small businesses should aim for a consistent Maturity Level One as a realistic starting target.
Multi-factor authentication, regular backups and patching deliver the most protection for the least effort, so start there if you can only do a few.
Not sure which of the eight you have covered? See how our cyber security service works, or take the free business health check.
Tell us where your business is at, and we will tell you where we would start.