
Essential Eight in 2026: What Australian SMBs Actually Need to Do

Cyber insurers are asking for it. Government contracts require it. Here is what ML1 actually requires — and what most businesses are still missing.

De4sec Technology · March 2026 · 5 min read

The Australian Signals Directorate's Essential Eight has been around since 2017 — but in 2026, it's no longer a 'nice to have'. Cyber insurers are asking for it. Government contracts require it. Investors and boards are starting to expect it. And yet most Australian SMBs still treat it as something that happens to bigger organisations.

What the Essential Eight actually is

It's eight specific security controls, ranked by how effectively they prevent the most common attack types. They were developed by the Australian Cyber Security Centre (ACSC) based on real incident data — not theory. Each control is rated at Maturity Level 1, 2 or 3 depending on how rigorously it's implemented.

Most SMBs need ML1 as a baseline. Government suppliers typically need ML2. ML3 is for high-value targets and critical infrastructure.

The eight controls, briefly

→ Application control — only approved software can execute
→ Patch applications — browsers, Office, PDF readers patched within 48h
→ Configure macros — Microsoft Office macros blocked or restricted by default
→ User application hardening — browser extensions, Flash, Java locked down
→ Restrict admin privileges — admin accounts used only when required
→ Patch operating systems — OS patches applied within 48h (ML2) or 2 weeks (ML1)
→ Multi-factor authentication — enforced for email, remote access, admin
→ Regular backups — tested, offline or offsite, restorable within 12 hours

The controls most businesses are missing

In our experience reviewing Australian SMB environments, the most commonly missed controls are patching, MFA and admin privilege restriction — not because they're difficult, but because they've been deprioritised to avoid disruption.

Most businesses say: 'We'll do patching when things are quieter.' But patching doesn't work that way. Vulnerabilities don't wait for a quiet week. The businesses that get hit are the ones that kept deferring.

Why it matters more in 2026

✓ Cyber insurance: most policies now require evidence of ML1 controls
✓ Government contracts: many tenders now include Essential Eight as a prerequisite
✓ Capital raises: investors and due diligence processes increasingly ask about security posture
✓ Client contracts: professional services, legal and accounting firms are being asked by their own clients
✓ Incident recovery: businesses without documented controls face longer, more expensive recoveries

What implementation actually looks like

The implementation approach matters as much as the controls themselves. Too many IT providers 'align to Essential Eight' on paper — meaning they tick boxes in a spreadsheet — without actually changing anything in the environment.

A proper implementation using the Microsoft stack (which most Australian SMBs already have) looks like this:

✓ Microsoft Intune deployed — all devices enrolled, policies applied
✓ Patch policies configured — automated, out of hours, staged ring rollout
✓ MFA enforced via Conditional Access — not optional, not per-user
✓ Admin accounts separated from daily-use accounts
✓ Microsoft Defender baseline applied — not just installed
✓ Backup policy documented, tested restore confirmed
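To show the difference between a ticked box and an enforced control, the added example below (not from the original article or De4sec's tooling) audits a Conditional Access policy export for the "not optional, not per-user" MFA item above. It assumes the policies were exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the sample data is constructed, and only policy state, grant operator and user/app scope are inspected (locations, platforms and authentication strengths are not).

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# /identity/conditionalAccess/policies; names and IDs are made up.
SAMPLE_EXPORT = json.loads("""
[
 {"displayName": "MFA pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA or managed device", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
 {"displayName": "MFA for finance", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["constructed-group-id"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")

def audit_mfa(policies):
    """Return (enforced, findings); enforced needs one enabled all-users, all-apps MFA policy."""
    enforced, findings = False, []
    for p in policies:
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        if "mfa" not in controls:
            continue  # not an MFA policy (authentication strengths are not handled here)
        name = p.get("displayName", "<unnamed>")
        users = p.get("conditions", {}).get("users", {})
        apps = p.get("conditions", {}).get("applications", {})
        problems = []
        if p.get("state") != "enabled":
            problems.append(f"state is {p.get('state')}, not enforced")
        if grant.get("operator") == "OR" and len(controls) > 1:
            problems.append("MFA is one of several OR options, so it can be skipped")
        if "All" not in (users.get("includeUsers") or []):
            problems.append("scoped to selected users or groups, not All users")
        if "All" not in (apps.get("includeApplications") or []):
            problems.append("does not cover all cloud apps")
        excluded = sum(len(users.get(k) or []) for k in
                       ("excludeUsers", "excludeGroups", "excludeRoles"))
        if excluded:
            findings.append(f"{name}: {excluded} exclusion(s) to justify")
        if problems:
            findings += [f"{name}: {x}" for x in problems]
        else:
            enforced = True
    return enforced, findings
```

All three sample policies look like MFA on paper, yet `audit_mfa(SAMPLE_EXPORT)` reports the tenant as not enforced: one is report-only, one lets a compliant device substitute for MFA, and one covers a single group.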

Essential Eight is not a one-time project. It's a baseline you maintain. The first implementation gets you to ML1. Staying there requires ongoing management — which is why we include compliance reporting in every managed support plan.
