If you run a business in Ipswich, Springfield, Toowoomba or anywhere across South East Queensland, you've probably heard the phrase "Essential Eight" thrown around — usually by your professional indemnity insurer, your accountant, your industry accreditor, or that friend who works in IT and won't stop talking about it.
The Essential Eight is the Australian Signals Directorate's (ASD) baseline list of eight cyber security strategies every Australian organisation should implement. It's not a law. It's not a regulation. But it's quietly become the de facto standard that PI insurers, government tenders, large clients and industry bodies use to judge whether your business has its house in order.
This guide explains what the Essential Eight actually is, why it suddenly matters more than it did three years ago, and what each of the eight strategies looks like in practice for a real small or medium business in our region.
Why It Suddenly Matters
Until 2023, the Essential Eight was largely a "Commonwealth government" thing. Most SMBs never heard of it. Then three things happened in fairly quick succession:
1. **PI insurance premiums went vertical.** Cyber-coverage carriers started losing money on payouts and demanded their insureds prove security maturity. The questionnaires they send now read like a watered-down Essential Eight audit. 2. **Big clients pushed it down the supply chain.** If you supply a hospital, a council, an ASX-listed company or a Commonwealth department, your contract probably now references Essential Eight alignment. 3. **The OAIC sharpened its teeth.** Notifiable Data Breach penalties got serious, and the regulator increasingly asks "what controls did you have in place?" — and the Essential Eight is the easiest yardstick to answer.
The upshot: even if you're a 10-person Ipswich accounting practice with no government clients, your insurer probably already cares whether you can answer "yes" to the Essential Eight questions.
The Eight Strategies (Plain English)
1. Application Control Only run software your business has approved. In practice this means application allowlisting on critical workstations — the partner's laptop in your accounting practice, the practice manager's PC in your medical clinic, the finance manager's machine in your construction business.
2. Patch Applications Keep apps like browsers, Office, PDF readers, Java, and your line-of-business software up-to-date — automatically, with a measurable window. ASD's Maturity Level 1 says critical patches inside 2 weeks. ML2 tightens to 2 days.
3. Configure Microsoft Office Macros Macros are still, in 2026, one of the top three vectors for invoice-redirection fraud and ransomware. Disable macros from the internet, only allow macros from trusted locations or signed by trusted publishers.
4. User Application Hardening Disable Flash (yes, still — some legacy systems have it), block ads in browsers (a major malware vector), disable Office content from the internet by default, and turn off old protocols like SMBv1.
5. Restrict Administrative Privileges Most staff don't need to be administrators on their own computer. Reducing this single thing reduces the impact of most malware infections by an order of magnitude. Practically: separate admin accounts from day-to-day accounts, with privileged access reviewed quarterly.
6. Patch Operating Systems Same as patching applications, but for Windows, macOS, Linux and the operating systems on your servers, firewalls and switches.
7. Multi-Factor Authentication By 2026, ASD considers SMS-based MFA inadequate for ML2 — they want phishing-resistant MFA (number matching, FIDO2 keys, passkeys) on every account that touches email, finance systems, remote access, and admin tools. This is the single highest-impact control on the list for most businesses.
8. Regular Backups Daily backups, immutable so ransomware can't delete them, with annual restore drills. The ML2 requirement is that you've actually proven you can restore your business from backup, not just that you have one.
What Maturity Level Should You Aim For?
ASD defines four maturity levels: ML0 (nothing), ML1 (the basics), ML2 (well-defended), ML3 (state-actor resistant).
For most Ipswich SMBs the right answer is **ML1 with a roadmap to ML2 within 12–18 months**. ML3 is for organisations facing nation-state threats — which, frankly, almost no SMB is. PI insurers and most large clients are happy with ML2.
The Practical Path Forward
If you're starting from scratch, we typically deliver an Essential Eight gap analysis as a single project, then turn the highest-impact items into a 90-day roadmap. For most of our [Ipswich](/areas/ipswich-cbd) and [Springfield](/areas/springfield-lakes) clients on our [Pro Managed plan](/pricing), Essential Eight ML1 is built-in baseline. ML2 is part of [Enterprise Care+](/pricing).
The biggest mistake we see businesses make is treating the Essential Eight as a one-off audit. It isn't. It's a continuous discipline. Patches expire, staff change, new apps get added, new threats emerge. Maturity is a moving target, and the only way to maintain it is with someone watching it on your behalf.
If you'd like a free, plain-English Essential Eight assessment of your business, [book a free IT review](/book-review) or call us on 1300 250 319.
