If you've tendered for any Australian government work in the last 12 months — or supplied a business that has — you've probably been asked about your "Essential Eight maturity level". For most Ipswich and SE Queensland businesses we speak to, the framework feels intimidating because it's written for IT teams, not business owners. This guide translates the eight controls into plain English and tells you, realistically, what each one costs to implement.
What is the Essential Eight?
The Essential Eight is a baseline set of cybersecurity controls developed by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate. It's not a law — it's a recommendation — but it's now the de-facto standard for assessing whether an Australian business takes cyber seriously.
There are three maturity levels:
- **Maturity Level 1** — partial implementation; mitigates basic, opportunistic attacks. - **Maturity Level 2** — broader implementation; mitigates targeted attacks from skilled adversaries. - **Maturity Level 3** — full, hardened implementation; mitigates well-resourced, persistent adversaries.
Most SMBs we work with are targeting **ML1** with a roadmap to ML2 over 12–18 months. ML3 is rare outside government and critical infrastructure.
The Eight Controls — What They Mean for an Ipswich SMB
1. Application Control **Plain English:** Only allow approved software to run on company computers.
**What it looks like in practice:** Microsoft Defender Application Control or AppLocker policies that block staff from running unapproved .exe files, scripts, or installers. For most SMBs we deploy this through Microsoft Intune.
**Typical cost:** $1,500–$3,000 setup, then included in your managed IT plan.
2. Patch Applications **Plain English:** Keep your apps (browsers, Office, Adobe, Zoom, etc.) up to date — not eventually, but within 48 hours of a critical patch being released.
**What it looks like in practice:** Automated patching via your RMM tool. We use Datto RMM and N-able N-sight to push patches across all client machines on a schedule.
**Typical cost:** Usually included in a managed IT contract from $99/user/month.
3. Configure Microsoft Office Macro Settings **Plain English:** Block macros in Office documents from running, except for ones digitally signed by trusted publishers.
**What it looks like in practice:** Group Policy or Intune configuration that disables macros for everyone except a small allow-list. Combined with email filtering that strips macro-enabled attachments.
**Typical cost:** $500 setup if you're already on M365 Business Premium.
4. User Application Hardening **Plain English:** Lock down your browser and PDF reader so attackers can't exploit unused features (Flash, Java, certain ads, etc.).
**What it looks like in practice:** Browser policies pushed via Intune. Disable Flash (now end-of-life anyway), block Java in browsers, enforce ad-blocking on company devices.
**Typical cost:** $750–$1,500 one-off configuration.
5. Restrict Administrative Privileges **Plain English:** Don't let everyday users have admin rights on their PC. Reserve admin accounts for specific tasks and protect them with MFA.
**What it looks like in practice:** Standard user accounts for daily work, separate admin accounts for IT tasks, Privileged Access Management (PAM) tooling to elevate access only when needed.
**Typical cost:** This is mostly a *behaviour* change. The technology cost is small ($500–$1,500); the cultural change is the harder part.
6. Patch Operating Systems **Plain English:** Same as #2, but for Windows, macOS, and any servers — within 48 hours for critical patches.
**What it looks like in practice:** Automated Windows Update for Business policies, server patching windows (usually monthly), and emergency out-of-band patching when a Patch Tuesday vulnerability is being actively exploited.
**Typical cost:** Included in managed IT.
7. Multi-Factor Authentication **Plain English:** A password isn't enough. Every login needs a second factor — usually an app on your phone (Microsoft Authenticator, Authy).
**What it looks like in practice:** Conditional Access policies in Microsoft Entra ID (formerly Azure AD) that require MFA for all users, all the time, with stricter rules for risky sign-ins.
**Typical cost:** Free with M365 Business Premium. $500–$1,000 to roll out properly with user training.
8. Regular Backups **Plain English:** Backups, tested, with at least one copy you can't reach from your normal network (so ransomware can't encrypt them).
**What it looks like in practice:** A 3-2-1 backup strategy. We typically deploy Datto SIRIS or Veeam Cloud Connect for clients, with daily backups, weekly test restores, and monthly disaster recovery drills.
**Typical cost:** $4–$15 per protected GB per month for cloud backup, depending on data volumes.
What ML1 Actually Costs an Ipswich SMB
For a typical 25-user SE Queensland business already on Microsoft 365, getting to ML1 across all eight controls usually costs:
- **One-off configuration:** $5,000–$10,000 - **Ongoing managed IT (includes patching, MFA, backups):** $99–$149 per user per month - **Microsoft 365 Business Premium licensing:** ~$33 per user per month
So a 25-user business is looking at roughly $7,500 setup plus $4,000/month all-in to maintain ML1. That's not nothing — but it's also significantly cheaper than a single ransomware incident, which the ACSC pegs at an average of $39,000 for a small business.
How We Help Ipswich Businesses Get There
We've taken multiple Ipswich and Toowoomba clients from "no formal cybersecurity" to ML1 and ML2 over the last two years, including a [Springfield medical clinic](/case-studies/springfield-medical-clinic-cloud-migration) and an [Ipswich accounting firm preparing for federal contract work](/case-studies/ipswich-accounting-firm-essential-eight). The pattern is the same:
1. **Free 30-minute review** to baseline where you are right now. 2. **Documented gap analysis** showing the specific work to reach ML1. 3. **Prioritised 90-day plan** that fixes the highest-risk gaps first. 4. **Ongoing managed IT** that holds the maturity level once it's achieved.
If you've been asked about Essential Eight by a customer, supplier, or government tender — or you just want to know where you stand — [book a free IT review](/book-review) and we'll walk you through it.
---
**Related reading:** - [Take our 2-minute Cyber Risk Quiz](/cyber-quiz) to baseline your current security posture - [See our managed cybersecurity service](/services/cybersecurity) for what ML1 looks like in practice - [Essential Eight Explained for Ipswich Businesses](/blog/essential-eight-explained-for-ipswich-business)
