SecureLoop
Cloud Security · 8 min read

ACSC Essential Eight Explained for Australian Small Business (2026)

What it actually means for a 10-person business, which controls matter most, and how to implement it without a dedicated security team.

SecureLoop Team
Key takeaway

The Essential Eight is not an all-or-nothing compliance checklist. Four of the eight controls (application control, patching applications, patching operating systems and restricting administrative privileges) began life as the ASD Top 4, which ASD assessed as mitigating at least 85% of the intrusion techniques it responded to. For most small businesses, getting those four plus MFA to Maturity Level 1 removes the commodity attack paths before anything more ambitious is attempted.

What is the ACSC Essential Eight?

The ACSC Essential Eight is a set of baseline mitigation strategies published by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC), which is part of ASD. It was introduced in 2017 as an expansion of the earlier Top 4 and is designed for the environment most Australian businesses and agencies actually run: internet-connected, Windows-based networks. The aim is to make the most common intrusion techniques fail, not to describe a complete security program.

It covers eight specific controls, each assessed against four maturity levels: Maturity Level Zero (the control is missing or easily bypassed) and Maturity Levels One to Three. Each level is defined by the adversary it is meant to stop. ML1 targets commodity tradecraft (mass phishing, credential stuffing, off-the-shelf malware), ML2 adversaries willing to invest a little more effort in a specific target, and ML3 adversaries who adapt their tools to your defences. Maturity Level 1 is the baseline every business should be working towards; Maturity Levels 2 and 3 are for organisations that attract more capable adversaries, such as finance, healthcare, legal, and government contractors.

Under the Protective Security Policy Framework, the Australian Government requires its non-corporate Commonwealth entities to implement the Essential Eight to at least Maturity Level Two. For private businesses it is not legally required, but it is increasingly expected by clients, insurers, and supply chain partners. Cyber insurance providers now frequently ask for Essential Eight attestation before issuing policies, and government tenders often ask for a maturity level.

The eight controls explained in plain English

1. Application control

What it means: Only approved executables, scripts, installers, software libraries and similar code can run on your devices; anything else, including malware, is blocked automatically. At Maturity Level 1 the model concentrates on the places malware usually lands: application control on workstations must block execution from user profiles and temporary folders (Downloads, AppData, Temp), so a malicious attachment or download cannot run even when a user double-clicks it.

For a small business: This control is about what can execute, not what can be installed. A user without admin rights can still run a downloaded .exe from their own profile unless something stops it. In Microsoft 365 with Intune, App Control for Business (the Intune name for Windows Defender Application Control) ships a built-in policy that trusts Windows components, Store apps, apps with good reputation and apps deployed by a managed installer such as Intune, and blocks everything else; AppLocker deployed by policy is the older alternative. For most SMBs the practical approach is to keep a short list of approved applications, start the built-in policy in audit mode, fix what it flags, and then switch it to enforce.

2. Patch applications

What it means: Patches for internet-facing services are applied within 48 hours when an exploit exists or the vendor rates the vulnerability critical, and otherwise within two weeks. Office suites, browsers and their extensions, email clients, PDF readers and security products are patched within two weeks. Applications the vendor no longer supports are removed. Maturity Level 1 also expects you to look for what is missing: a vulnerability scanner is run at least daily against internet-facing services and at least fortnightly against everything else.

For a small business: Enable automatic updates on every device and in every business application, and use something that reports what is still missing (Intune update reports, Defender for Business vulnerability management, or any vulnerability scanner) so you can see the gap rather than assume it is closed. This is the control most businesses are behind on, and one of the most exploited.

3. Configure Microsoft Office macro settings

What it means: Macros are disabled for users who have no demonstrated business need for them. For the users who do, macros in files from the internet are blocked, macro antivirus scanning is enabled, and users cannot change the macro settings themselves.

For a small business: Microsoft 365 Apps has blocked macros in files marked as downloaded from the internet by default since 2022, but a default is not a control: Maturity Level 1 wants the setting enforced and locked so a user cannot click through it. Deploy the Office macro policies through Intune or the Microsoft 365 Apps Cloud Policy service (config.office.com); it takes about 20 minutes for a tenant. This single change removes a large category of ransomware delivery vectors.
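The policies above end up as registry values on each endpoint, which makes it easy to verify that they are really enforced rather than left at the default. The script below is an added example, not the article's or SecureLoop's tooling: it reads the documented Office policy values that Group Policy, Intune ADMX and the Cloud Policy service write, and maps them onto the ML1 macro requirements. The mapping in the comments is this example's reading of the November 2023 maturity model, and the script must run as the user whose settings you want to check because the values live under HKCU.

```powershell
# Added example, not code from the article: audit an endpoint's enforced Office macro
# policy against the Essential Eight ML1 macro requirements. Run as the user being checked.

# Policy values written by Group Policy / Intune ADMX, and by the Microsoft 365 Apps
# Cloud Policy service respectively. Anything set here is greyed out in the Trust Center,
# which is what "users cannot change the settings" means in practice.
$policyRoots = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0',
    'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'
)
$apps = 'word', 'excel', 'powerpoint', 'outlook'

function Get-OfficePolicyValue {
    param([string]$RelativePath, [string]$Name)
    foreach ($root in $policyRoots) {
        $item = Get-ItemProperty -Path (Join-Path $root $RelativePath) -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null   # not managed by policy: the user gets Office's default and can change it
}

# VBAWarnings: 1 = enable all, 2 = disable with notification (Office default, the user can
# click through), 3 = only digitally signed macros, 4 = disabled without notification.
# ML1 reading: 4 for users with no business need; 3 is the usual setting for those who have one.
$report = foreach ($app in $apps) {
    $vba  = Get-OfficePolicyValue "$app\Security" 'VBAWarnings'
    $motw = Get-OfficePolicyValue "$app\Security" 'BlockContentExecutionFromInternet'
    [pscustomobject]@{
        App                   = $app
        VBAWarnings           = $vba                    # blank means not managed
        MacrosLockedDown      = ($vba -in @(3, 4))
        InternetMacrosBlocked = ($motw -eq 1)           # Mark-of-the-Web block enforced
    }
}
$report | Format-Table -AutoSize

# MacroRuntimeScanScope lives under Common, not per app: 0 = off, 1 = low-trust documents
# only, 2 = all documents. ML1 requires macro antivirus scanning, so 2 is the value to enforce.
$scan = Get-OfficePolicyValue 'Common\Security' 'MacroRuntimeScanScope'
"Macro AMSI scan scope: $(if ($null -eq $scan) { 'not managed' } else { $scan })  (ML1 target: 2)"
```

A blank VBAWarnings column is the finding to chase: it means nothing is enforcing the setting and the user could re-enable macros from the Trust Center. Run it on a sample of devices after deploying the policy, because a policy that never reached the endpoint looks identical to one that was never created.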

4. User application hardening

What it means: Switch off the browser features attackers exploit. At Maturity Level 1 the model requires that web browsers do not process Java from the internet, do not process web advertisements from the internet (ad blocking), that Internet Explorer 11 is disabled or removed, and that users cannot change browser security settings. Flash no longer appears in the model because browsers removed it in 2021; hardening of Office and PDF software (blocking child processes and OLE content) arrives at Maturity Level 2.

For a small business: Use Microsoft Edge or Chrome with enterprise policies deployed through Intune, and lock the security settings so users cannot loosen them. Uninstall Java if nothing needs it, enforce an ad blocker (for example by force-installing a vetted extension), and confirm Internet Explorer 11 is gone; Windows 11 has already removed it. Restricting extensions to an approved list is not an ML1 requirement, but it is cheap and closes off malicious extensions.

5. Restrict administrative privileges

What it means: People should only have the access they need to do their job. Admin accounts should not be used for day-to-day work.

For a small business: This is one of the highest-impact, lowest-cost controls. Give each administrator a separate admin-only account with no mailbox and no day-to-day use, require MFA on it, and review who holds Global Administrator and the other privileged roles in your Microsoft 365 tenant. Most businesses discover three or four Global Admins (a former IT provider, a founder, an undocumented break-glass account) that should have been trimmed years ago. Maturity Level 1 also requires that privileged accounts cannot browse the web or read email, and that requests for privileged access are validated when first made.

6. Patch operating systems

What it means: Operating system patches on internet-facing servers and devices are applied within 48 hours when an exploit exists or the vendor rates the vulnerability critical, otherwise within two weeks; patches on workstations, internal servers and network devices within one month. Operating systems the vendor no longer supports must be replaced, and the same daily (internet-facing) and fortnightly (everything else) vulnerability scanning applies.

For a small business: Windows 11 with automatic updates enabled handles the workstation side. The critical check is whether any device is still on Windows 10, whose support ended on 14 October 2025; unless it is enrolled in Extended Security Updates it is an unsupported operating system and must be upgraded or taken off the network. Routers, firewalls and NAS boxes count as operating systems too, and they are the devices most often forgotten.
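Finding the stragglers is easier from the tenant than by walking around the office. The script below is an added example, not from the article: it lists Intune-enrolled Windows devices through the Microsoft Graph PowerShell SDK, flags any still on Windows 10 after the end-of-support date, and flags devices that have not checked in recently, which is usually a machine that is also not receiving updates. The 14-day staleness threshold is this example's own choice rather than an Essential Eight figure, and it assumes the devices are enrolled in Intune.

```powershell
# Added example, not from the article: find Windows 10 and stale devices in Intune.
# Assumes the Microsoft.Graph SDK (Install-Module Microsoft.Graph) and Intune enrolment.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$win10EndOfSupport = Get-Date '2025-10-14'
$staleAfterDays    = 14   # this example's threshold, not an Essential Eight number

$devices = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.OperatingSystem -eq 'Windows' -and $_.OSVersion } |
    ForEach-Object {
        # Intune reports versions such as 10.0.19045.4651. Windows 11 starts at build 22000,
        # so the build number alone separates Windows 10 from Windows 11.
        $build  = ([version]$_.OSVersion).Build
        $status = if ($build -ge 22000) { 'Windows 11' }
                  elseif ((Get-Date) -ge $win10EndOfSupport) { 'UNSUPPORTED: Windows 10 past end of support' }
                  else { 'Windows 10: upgrade before 14 Oct 2025' }
        [pscustomobject]@{
            Device     = $_.DeviceName
            User       = $_.UserPrincipalName
            OSVersion  = $_.OSVersion
            Status     = $status
            LastSync   = $_.LastSyncDateTime
            Stale      = ($_.LastSyncDateTime -lt (Get-Date).AddDays(-$staleAfterDays))
            Compliance = $_.ComplianceState
        }
    }

$devices | Sort-Object Status, Device | Format-Table -AutoSize
"Windows 10 devices still enrolled: $(@($devices | Where-Object Status -like 'UNSUPPORTED*').Count)"
```

Anything marked UNSUPPORTED or Stale fails the patch operating systems control regardless of what Windows Update says on the device itself. A machine that is not enrolled at all will not appear here, so reconcile the list against your asset register or the Entra device list before treating it as complete.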

7. Multi-factor authentication

What it means: MFA for everyone signing in to your own online services (email, cloud storage, remote access) and to third-party online services that hold your data, and an MFA option for your customers where you run an online service for them. Higher maturity levels require phishing-resistant MFA.

For a small business: This is the single highest-impact control. Microsoft reports that MFA blocks over 99.9% of automated account-compromise attacks. Security defaults in Microsoft Entra ID require every account to register MFA at no extra cost; Conditional Access (Entra ID P1, included in Business Premium) lets you require it per application and per sign-in risk. This takes about an hour to roll out across a 10-person team and has immediate, measurable impact.

⚠ Common mistake

SMS-based MFA is better than nothing but is vulnerable to SIM-swapping and to real-time phishing relays that forward the code. Use the Microsoft Authenticator app with number matching instead of SMS codes wherever possible, and move administrators to a passkey or FIDO2 security key, which are phishing-resistant.

8. Regular backups

What it means: The model does not fix a frequency. It requires backups of important data, software and configuration to be performed and retained according to your business continuity requirements, synchronised so everything restores to a common point in time, stored securely and resiliently, and restored as part of disaster recovery exercises. Unprivileged accounts must not be able to access, modify or delete backups. Daily backups and at least an annual restore test are a sensible minimum for an SMB, not the model's wording.

For a small business: Microsoft 365 retention and the recycle bin are not a backup; an attacker holding an admin account can change retention settings, and a compromised sync client will happily sync encrypted files over the originals. Use Microsoft's own Microsoft 365 Backup service or a dedicated third-party M365 backup service to take daily copies of Exchange, SharePoint, OneDrive and Teams data. Store at least one copy that ordinary accounts, and ideally your admins, cannot delete, so ransomware or a stolen credential cannot take the backups with the data.

What maturity level should a small business target?

Maturity level | What it means | Right for
ML0 | Significant weaknesses: the control is missing or easily bypassed | Where most unassessed SMBs actually start
ML1 | Stops commodity tradecraft: mass phishing, credential stuffing, off-the-shelf malware | Most SMBs, as the first target
ML2 | Stops adversaries who put modest extra effort into a specific target | Finance, legal, healthcare SMBs; also the level the government requires of its own entities
ML3 | Stops adaptive adversaries who tailor their tooling to your defences | Government contractors, critical infrastructure

How to actually get started

  1. Enable MFA for all users today. Security defaults are free in every Microsoft 365 tenant, Business Basic included; turn them on and every account must register MFA. Do it this week. It is the highest-impact single action you can take.
  2. Check who has admin access. In the Microsoft 365 admin centre go to Roles > Role assignments (or Microsoft Entra admin centre > Roles & admins), open Global Administrator first, then the other privileged roles. Remove the role from anyone who does not need it, and make sure those who keep it use a separate admin-only account.
  3. Enable automatic updates. Check every device your team uses. Ensure Windows Update is not paused, Office apps are on auto-update, and nothing is still running Windows 10.
  4. Set up a backup for M365. Retention in Microsoft 365 is not a backup. Get Microsoft 365 Backup or a third-party M365 backup solution running, with at least one copy that ordinary accounts cannot delete.
  5. Book a formal assessment. A professional Essential Eight gap assessment gives you a clear picture of where you stand and tells you exactly what to prioritise next.
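Steps 1 and 2 above, and the restrict administrative privileges section earlier, come down to one question you should be able to answer from a script rather than from memory: who holds a privileged role, and does that account have real MFA registered? The script below is an added example, not the article's or SecureLoop's assessment tooling. It uses the Microsoft Graph PowerShell SDK to list members of a handful of privileged Entra roles (the role list is this example's choice, not an Essential Eight definition), reads each user's registered authentication methods, and grades them: phishing-resistant, authenticator app, SMS/voice only, or nothing. It is read-only and assumes an account that can consent to the listed scopes.

```powershell
# Added example, not SecureLoop's tooling: who holds privileged roles, and what MFA do they have?
# Assumes the Microsoft.Graph SDK (Install-Module Microsoft.Graph). Nothing here changes the tenant.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All', 'Policy.Read.All' -NoWelcome

# Roles to review first (this example's choice). Global Administrator is the one to keep smallest.
$privilegedRoles = 'Global Administrator', 'Privileged Role Administrator', 'Exchange Administrator',
                   'SharePoint Administrator', 'User Administrator', 'Security Administrator'

# Graph identifies registered methods by @odata.type; group them by strength.
$phishingResistant = '#microsoft.graph.fido2AuthenticationMethod',                 # passkeys, security keys
                     '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
$appBased          = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
                     '#microsoft.graph.softwareOathAuthenticationMethod'
$phoneBased        = '#microsoft.graph.phoneAuthenticationMethod'                   # SMS or voice call

$findings = foreach ($role in Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $privilegedRoles }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Groups and service principals can hold roles too; only users have methods to inspect.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $types = Get-MgUserAuthenticationMethod -UserId $member.Id |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        $verdict = if ($types | Where-Object { $_ -in $phishingResistant }) { 'OK: phishing-resistant' }
                   elseif ($types | Where-Object { $_ -in $appBased })      { 'OK: authenticator app' }
                   elseif ($types -contains $phoneBased)                      { 'WEAK: SMS/voice only' }
                   else                                                        { 'FAIL: no MFA method registered' }
        [pscustomobject]@{
            Role    = $role.DisplayName
            User    = $member.AdditionalProperties['userPrincipalName']
            Verdict = $verdict
        }
    }
}

$findings | Sort-Object Verdict, Role | Format-Table -AutoSize

$globalAdmins = @($findings | Where-Object Role -eq 'Global Administrator').Count
"Global Administrators: $globalAdmins (Microsoft recommends fewer than five, each a separate admin-only account)"

# Registered methods only matter if something enforces them. Security defaults are the free
# baseline; Conditional Access (Entra ID P1, included in Business Premium) is the next step.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($securityDefaults.IsEnabled)"
```

Treat every FAIL row as the day's first job and every WEAK row as the week's. A user with a registered phone method and nothing else is exactly the SIM-swap case from the common mistake above, and a Global Administrator in that state is the account an attacker will go after. Run Disconnect-MgGraph when you are done so the consented token does not sit in the session.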

What a SecureLoop Essential Eight assessment covers

We assess all eight controls against your current environment — Microsoft 365, Azure, and device configuration. You get a formal gap report, a maturity level score for each control, and a prioritised remediation plan. The report can be used for insurance applications, client due diligence, or government tender pre-qualification. Fixed price from $900.

Tags: ACSC Essential Eight · Cyber security Australia · Small business security · Azure · M365 · Brisbane

Need help applying this to your business?

Book a free 30-minute call. We will assess where you actually stand and what is worth fixing first.
