/FIELD NOTE

The Essential Eight Maturity Model: A Pragmatic Path to Level Two

14 May 2026 // 13 min read // Basalt Cyber Defense Division

The Essential Eight is the Australian Signals Directorate's (ASD) baseline of eight mitigation strategies that, implemented well, prevent the large majority of cyber incidents Australian organisations actually face. It is published by the Australian Cyber Security Centre (ACSC) and increasingly expected of government suppliers and regulated industries. This guide decodes the eight strategies and the maturity model behind them, then lays out a pragmatic path to Maturity Level Two, which is the right target for most organisations.

What the Essential Eight is (and is not)

The Essential Eight is a prioritised set of technical controls, not a complete security program. It deliberately focuses on the mitigations that block the most common attack techniques: getting malware to run, exploiting unpatched software, and abusing administrative access. It does not cover everything (physical security, awareness training and incident response sit outside it), but it is an exceptionally strong foundation precisely because it concentrates effort where attackers concentrate theirs.

The eight strategies

They group neatly into three goals: prevent malware execution, limit the damage of an incident, and recover from one.

  • Application control: only approved executables, libraries, scripts and installers run. This is the single most effective control against malware and also the hardest to implement, so the groundwork is worth starting early.
  • Patch applications: apply security patches to internet facing and high risk applications quickly, and remove software that is no longer supported.
  • Configure Microsoft Office macro settings: block macros from the internet, allow only vetted macros, and log macro activity. Office macros remain a favourite delivery mechanism.
  • User application hardening: disable or harden risky features in browsers and productivity apps (Flash and Java in browsers, advertisements, untrusted content) to shrink the attack surface.
  • Restrict administrative privileges: grant admin access on a validated need, review it regularly, and keep privileged accounts off email and the internet.
  • Patch operating systems: patch the OS on the same risk based timeline as applications, and retire unsupported operating systems.
  • Multi factor authentication: require MFA for remote access, privileged actions and important data repositories, increasingly using phishing resistant methods.
  • Regular backups: back up data, software and configuration in line with business criticality, store them securely and, crucially, test that you can actually restore.

The maturity model

The ACSC defines four maturity levels (zero through three). They are not about adding more controls but about implementing the same eight controls more thoroughly, so that they hold against progressively more capable adversaries.

  • Maturity Level Zero: there are weaknesses in the organisation's overall posture; the control is not meaningfully in place.
  • Maturity Level One: mitigations aligned to defending against attackers using commodity, widely available tradecraft. This is the entry baseline.
  • Maturity Level Two: aligned to adversaries willing to invest more time and effort, for example actively targeting credentials and using phishing. This is the realistic target for most mid sized organisations.
  • Maturity Level Three: aligned to adaptive, well resourced adversaries who chain techniques and adapt to your defences. Appropriate where the impact of compromise is severe.

A vital point that trips people up: the ACSC expects you to implement all eight to the same level before moving up. A patchy mix of some controls at Level Three and others at Level Zero is weaker than a consistent Level Two, because attackers exploit the lowest rung.

A pragmatic path to Level Two

Trying to reach Level Two everywhere at once usually stalls. Sequence the work by impact and effort instead.

Start with the quick, high value wins

MFA, macro configuration and user application hardening are comparatively fast and remove a large share of real risk. Push MFA to phishing resistant methods for privileged and remote access early, block internet sourced macros, and harden browsers. These deliver visible risk reduction while the harder controls are planned.

Get patching onto a real cadence

Both patch applications and patch operating systems need a working asset inventory, a vulnerability scanner, and a process that meets the Level Two timeframes for internet facing systems. Most organisations already patch; the gap is usually consistency, coverage of forgotten assets, and removal of end of life software. Fix the process and the maturity follows.
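As an added example (not the article's or the ACSC's own tooling), the check below walks a constructed software inventory and flags patches that were applied, or are still open, past their timeframe, plus software that can no longer be patched at all; the day counts, asset names and dates are assumptions.

```python
"""Patch-cadence check for the two patching controls (added example, not from the
article or the ACSC). The day counts in TIMEFRAMES are ASSUMED for illustration;
take the real Level Two figures from the current ACSC maturity model document."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# (exposure, exploited_or_critical) -> days allowed after the patch is released.
TIMEFRAMES = {("internet_facing", True): 2, ("internet_facing", False): 14,
              ("internal", True): 14, ("internal", False): 30}

@dataclass
class PatchRecord:
    asset: str
    software: str
    exposure: str             # "internet_facing" or "internal"
    released: date | None     # None when the vendor no longer ships patches
    applied: date | None      # None while the patch is still outstanding
    exploited: bool = False   # vendor rates it critical or an exploit exists

def verdict(rec: PatchRecord, as_of: date) -> tuple[str, int | None]:
    """Classify one record: OK, LATE (closed past due), OVERDUE (still open past
    due) or UNSUPPORTED (cannot be patched: the software has to be removed)."""
    if rec.released is None:
        return ("UNSUPPORTED", None)
    due = rec.released + timedelta(days=TIMEFRAMES[(rec.exposure, rec.exploited)])
    if rec.applied is not None:
        late = (rec.applied - due).days
        return ("OK" if late <= 0 else "LATE", max(late, 0))
    late = (as_of - due).days
    return ("OK" if late <= 0 else "OVERDUE", max(late, 0))

def summarise(records: list[PatchRecord], as_of: date) -> dict[str, int]:
    """Count records per status; track this per patch cycle to see the cadence."""
    counts = {"OK": 0, "LATE": 0, "OVERDUE": 0, "UNSUPPORTED": 0}
    for r in records:
        counts[verdict(r, as_of)[0]] += 1
    return counts

# Constructed inventory; assets, products and dates are illustrative only.
INVENTORY = [
    PatchRecord("web-01", "reverse proxy", "internet_facing", date(2026, 5, 1), date(2026, 5, 2), True),
    PatchRecord("web-01", "tls library", "internet_facing", date(2026, 4, 20), None),
    PatchRecord("fin-ws-07", "pdf reader", "internal", date(2026, 4, 1), date(2026, 5, 5)),
    PatchRecord("legacy-db", "database 9.x", "internal", None, None),
    PatchRecord("hr-ws-02", "browser", "internal", date(2026, 5, 10), None, True),
]
AS_OF = date(2026, 5, 14)  # constructed assessment date
```

Feeding the output of a vulnerability scanner into PatchRecord rows turns this into the consistency check the paragraph asks for: forgotten assets show up as OVERDUE and end of life software as UNSUPPORTED.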

Tighten administrative privileges

Remove standing local admin, separate privileged accounts from day to day accounts, keep admin accounts off email and the web, and review access on a schedule. Just in time elevation and privileged access management make this sustainable rather than a one off cleanup.

Prove your backups

Backups are only as good as your last successful restore. Implement the backup regime, store copies so that an attacker who compromises production cannot also destroy the backups, and actually run restoration tests. Untested backups give a false sense of security that ransomware operators are happy to exploit.

Tackle application control last but deliberately

Application control delivers the most protection and demands the most work, so plan it as a project: inventory what runs, build allowlists, pilot in audit mode, then enforce. Rushing it breaks business applications and burns goodwill, so leave room to do it properly.

Takeaways

The Essential Eight works because it focuses scarce effort on the mitigations that stop the attacks Australian organisations actually suffer. Aim for a consistent Maturity Level Two across all eight rather than an uneven mix, sequence the work from quick wins (MFA, macros, hardening) through patching and privilege restriction to application control, and never trust a backup you have not restored. An honest gap assessment against the maturity model is the right first step, and it usually reveals that you are closer in some areas and further in others than you expected. Basalt Cyber runs Essential Eight assessments and uplift programs for Australian organisations; see our services page for detail.
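The two rules above, the effective level being the lowest rung and the uplift sequence from quick wins to application control, as an added example that is not from the article or the ACSC; the control identifiers and the sample assessments are this example's own constructions.

```python
"""Essential Eight gap-assessment helper (added example, not the article's or the
ACSC's tooling). It encodes two rules from the article: the organisation's
effective maturity is the lowest level across all eight controls, and uplift
work is sequenced from quick wins through to application control."""

# The eight controls in the article's recommended uplift order (names are
# this example's own identifiers, not ACSC terms).
SEQUENCE = [
    ("quick wins", ["mfa", "office_macros", "app_hardening"]),
    ("patching", ["patch_applications", "patch_os"]),
    ("privileges", ["restrict_admin"]),
    ("backups", ["backups"]),
    ("application control", ["application_control"]),
]
CONTROLS = [c for _, group in SEQUENCE for c in group]

def effective_level(levels: dict) -> int:
    """Overall maturity is the weakest control, because attackers exploit the
    lowest rung. Refuses incomplete or out-of-range assessments."""
    missing = set(CONTROLS) - set(levels)
    if missing:
        raise ValueError(f"no assessment for: {sorted(missing)}")
    unknown = set(levels) - set(CONTROLS)
    if unknown:
        raise ValueError(f"not an Essential Eight control: {sorted(unknown)}")
    if any(not 0 <= levels[c] <= 3 for c in CONTROLS):
        raise ValueError("maturity levels run from 0 to 3")
    return min(levels[c] for c in CONTROLS)

def uplift_plan(levels: dict, target: int = 2) -> list:
    """Controls still below target, in the article's sequence, with the number
    of levels each has to climb. Empty when the target is already met."""
    effective_level(levels)   # validate first
    return [(phase, c, target - levels[c])
            for phase, group in SEQUENCE for c in group if levels[c] < target]

# Constructed sample assessments: a patchy posture and a consistent one.
PATCHY = {"mfa": 2, "office_macros": 3, "app_hardening": 1,
          "patch_applications": 2, "patch_os": 1, "restrict_admin": 1,
          "backups": 3, "application_control": 0}
CONSISTENT = {c: 2 for c in CONTROLS}
```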

FAQ

Which maturity level should we target? Most organisations should target Level Two. Level Three is for those where a breach would be catastrophic or who face determined, adaptive adversaries.

Is the Essential Eight enough on its own? It is a strong technical baseline, not a full program. Pair it with awareness, incident response and governance for complete coverage.