The Essential Eight is a set of baseline cybersecurity controls developed by the Australian Signals Directorate (ASD) based on analysis of real-world attack data. It was originally designed for government agencies, but in 2026 it has become the de facto benchmark referenced by cyber insurers, enterprise clients, and government procurement.
If you're applying for cyber insurance, bidding on government contracts, or onboarding large enterprise clients, you will be asked about your Essential Eight maturity level. Maturity Level 1 (ML1) is now the minimum expectation for most commercial relationships.
The Essential Eight isn't theoretical. Each control was chosen because it stops specific attack types that are actively being used against Australian businesses.
Prevents unauthorised software from executing on endpoints. If a user is tricked into downloading malware, application control stops it from running, regardless of whether antivirus detects it.
Many businesses rely on antivirus to catch malware after it runs. Application control prevents it from running in the first place. The two are complementary, not substitutes.
Internet-facing and productivity applications (browsers, Office, PDF readers, Java) must be patched within defined timeframes. Most breaches exploit known vulnerabilities with available patches.
Microsoft Office macros are a primary delivery mechanism for malware. Attackers send Word or Excel files with malicious macros; when the user enables them, the attack executes.
Most businesses don't need macros. For the few that do (typically finance teams with Excel-based reports), signed macro policies allow legitimate use while blocking malicious ones.
Restricts features in applications that attackers exploit, particularly browsers and Office applications.
Browser hardening is the highest-value action here. Enterprise browser policies deployed via Intune restrict which extensions can be installed and enforce safe browsing settings across all managed devices.
Admin accounts are the highest-value target in any attack. An attacker who compromises an admin account can do everything: create new accounts, disable security tools, exfiltrate data, and deploy ransomware across the entire environment.
Most businesses have their IT administrator's daily email account as a global admin. If that account is phished, the attacker gets full control of the Microsoft 365 tenant.
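One way to check for this in your own Microsoft 365 tenant is to list the members of the Global Administrator role and flag any that carry a licence (and therefore a mailbox), since those are almost always someone's daily-use account. This is an added example, not De4sec's tooling; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the read permissions requested below.

```powershell
# Added example: audit Global Administrator members for daily-use accounts.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All" -NoWelcome

# A directory role only appears once it has been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) {
    Write-Warning "Global Administrator role is not activated in this tenant."
    return
}

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$findings = foreach ($m in $members) {
    # Role members can also be groups or service principals; only users are checked here.
    if ($m.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }

    $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses
    $licensed = ($u.AssignedLicenses.Count -gt 0)

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.AccountEnabled
        Licensed          = $licensed
        # A licensed global admin has a mailbox and can be phished like any other user.
        Finding           = if ($licensed) { 'REVIEW: licensed global admin (daily-use account?)' }
                            else           { 'OK: unlicensed, dedicated admin account' }
    }
}

$findings | Format-Table -AutoSize
```

Any account in the REVIEW rows should be split into a separate, unlicensed admin account used only for administration, with the person's mailbox account demoted to a standard user.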
The same patching principles that apply to applications apply to operating systems. Ransomware and worms routinely exploit known OS vulnerabilities.
End-of-life operating systems (Windows 10, Server 2012) do not receive security patches. If your environment includes end-of-life OS versions, this control cannot be met until those systems are upgraded or replaced.
MFA must be enforced, not merely available, for all internet-facing services, especially email, remote access, and cloud portals.
Backups must be tested regularly, stored offsite, and protected so that ransomware cannot encrypt them.
De4sec provides structured Essential Eight implementation for Australian SMBs, from gap assessment through to ML1 compliance with documentation.
De4sec provides hands-on implementation, not just advice. Book a free discovery call: we assess your environment at no cost and with no obligation.