Insight

What is the Essential Eight (in plain English)?

The Essential Eight explained in plain English: what each of the ACSC's eight security strategies means, and which ones a small business should start with.

Published

June 11, 2026

Reading time

6
min read
Operate
What is the Essential Eight (in plain English)?

The Essential Eight explained in plain English: what each of the ACSC's eight security strategies means, and which ones a small business should start with.

In this article

The Essential Eight is a set of eight practical security measures published by the Australian Cyber Security Centre (ACSC) to help organisations protect themselves from the most common cyber attacks. Think of it as a baseline checklist: get these eight right and you have blocked the paths criminals use most.

It was designed for organisations of all sizes, and while the full framework is aimed at larger bodies, the ideas behind it are exactly what a small business needs. Here is each of the eight, in plain English, without the jargon.

What are the eight strategies?

The eight strategies fall into three goals: stop attacks from running, limit the damage if one gets through, and recover your data if the worst happens. Here is the plain-English version.

StrategyWhat it actually means
Application controlOnly let approved programs run, so malware can't just launch.
Patch applicationsKeep programs like browsers and PDF readers updated to fix security holes.
Configure Office macrosBlock or limit macros in Office files, a common way malware sneaks in.
User application hardeningTurn off risky features and unneeded browser add-ons.
Restrict admin privilegesOnly give admin access to those who truly need it.
Patch operating systemsKeep Windows and other systems updated.
Multi-factor authenticationRequire a second check beyond a password to log in.
Regular backupsBack up important data daily and test you can restore it.

Do small businesses need all eight?

Not perfectly, and not all at once, but every one of them helps. The framework uses maturity levels from zero to three, and most small businesses do well to reach a solid Maturity Level One across the board. Start with the three that give the most protection for the least effort: multi-factor authentication, patching and backups.

Best practice: For a small business, reaching Maturity Level One on multi-factor authentication, patching and backups blocks the bulk of everyday attacks and is realistic to achieve.

You can see how these fit the bigger picture in our cyber security guide for Australian small business.

A real example of the Essential Eight in action

Say a staff member opens an invoice attachment that turns out to be malware. Application control stops it running. If it somehow runs, restricted admin rights stop it spreading. If it still locks some files, your daily backup means you restore and move on rather than paying a ransom. That is the point: layers, so one mistake is not a disaster.

Note: The Essential Eight works as layers, so its strength is not any single control but the way each one catches what the previous one missed.

Where should a small business start?

Start with MFA, updates and backups, because they cover the most common attacks and cost little. The rest can be layered in over the following months.

Tip: Set operating systems and applications to update automatically, because patching is one of the highest-value controls and the easiest to forget when everyone is busy.
  • Turn on multi-factor authentication for email and key accounts.
  • Set operating systems and apps to update automatically.
  • Put a tested backup in place.
  • Review who has admin rights and trim the list.

The short version: the Essential Eight is the ACSC's baseline checklist of eight controls, and a small business should start with MFA, patching and backups, then build from there.

Frequently asked questions

Who created the Essential Eight?

The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate, created and maintains it. You can read the official version on the cyber.gov.au website.

Is the Essential Eight mandatory?

It is mandatory for many federal government entities, but not for private small businesses. For everyone else it is strongly recommended best practice, and a very good roadmap to follow.

What are the Essential Eight maturity levels?

They are levels zero to three that measure how fully you have implemented each strategy. Most small businesses should aim for a consistent Maturity Level One as a realistic starting target.

Which of the eight is most important?

Multi-factor authentication, regular backups and patching deliver the most protection for the least effort, so start there if you can only do a few.

Not sure which of the eight you have covered? See how our cyber security service works, or take the free business health check.

June 11, 2026
Ryan Pigram
Ready when you are

One partner.
Marketing and technology, run as one.

Tell us where your business is at, and we will tell you where we would start.