Essential Eight in Plain English for SMBs
A practical guide to implementing ACSC Essential Eight cybersecurity controls for small and medium Australian businesses.
The Australian Cyber Security Centre's (ACSC) Essential Eight isn't just for big enterprises. Small and medium businesses (SMBs) across Australia can—and should—implement these critical cybersecurity controls to protect against the most common cyber threats.
Let's break down each control in plain English and show you how to get started, regardless of your technical background or budget.
What is the Essential Eight?
The Essential Eight is a prioritised list of cybersecurity mitigation strategies developed by the ACSC. These controls are designed to make it much harder for attackers to compromise your systems, even if they manage to get past your first line of defence.
Think of it as your cybersecurity checklist—eight fundamental things every Australian business should do to stay secure.
The Eight Controls (In Order of Priority)
1. Application Control
What it is: Only allowing approved applications to run on your computers.
Why it matters: Prevents malicious software from executing, even if it gets onto your system.
For SMBs:
- Start with Windows AppLocker (included with Windows Pro)
- Create an approved software list
- Block execution from common attack vectors like email attachments and downloads
Quick win: Configure your antivirus to use application control features—most modern solutions include this.
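As an added example (not from the ACSC or the original article), the script below builds an AppLocker policy from the software already installed under Program Files and Windows, deploys it in audit mode first, tests what it would do to executables in the Downloads folder, and then reads back the audit log. It assumes Windows 10/11 Pro or Enterprise and an elevated PowerShell session; the policy path and the seven-day review window are assumptions you can change.

```powershell
# Added example: AppLocker baseline in AUDIT mode, then review before enforcing.
# Assumes Windows 10/11 Pro/Enterprise, elevated session. Paths are assumptions.

$PolicyPath = "$env:ProgramData\AppLocker\baseline-audit.xml"
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Collect file information from the approved locations. Publisher rules are
#    preferred because they survive updates; hash rules cover unsigned binaries.
#    Scanning the Windows folder takes a few minutes on a typical PC.
$approvedDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:windir")
$fileInfo = foreach ($dir in $approvedDirs) {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
    }
}

# 2. Generate "allow" rules for Everyone, then set every rule collection to
#    AuditOnly so nothing is blocked until the log has been reviewed.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($PolicyPath)

# 3. AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 4. Apply locally; -Merge keeps any rules that already exist on the machine.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 5. Dry run against a location the article says to block: user downloads.
#    Anything outside the approved folders is denied by default.
$testFiles = Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if ($testFiles) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $testFiles -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
}

# 6. Review the audit log. Event 8003 = "would have been blocked in enforce
#    mode". Every legitimate program listed here needs a rule before you change
#    EnforcementMode to Enabled; everything else is exactly what you want blocked.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUser; File = $data.FilePath }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it in audit mode for a week or two, add rules for anything legitimate that shows up as event 8003, then change `AuditOnly` to `Enabled` in the XML and re-apply. Rolling the same XML out through Group Policy (Computer Configuration > Windows Settings > Security Settings > Application Control Policies) gives you the fleet-wide version of the same policy.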
2. Patch Applications
What it is: Keep all software up-to-date with the latest security patches.
Why it matters: Most successful attacks exploit known vulnerabilities that already have patches available.
For SMBs:
- Enable automatic updates for operating systems
- Use patch management tools like Windows Update for Business
- Prioritise patching for internet-facing applications (web browsers, email clients)
- Aim to patch within 48 hours for critical vulnerabilities
Quick win: Turn on automatic updates for Windows, Office, and web browsers across all devices.
3. Configure Microsoft Office Macro Settings
What it is: Restrict how macros (automated scripts) can run in Office documents.
Why it matters: Malicious macros are a common way attackers gain initial access to your network.
For SMBs:
- Block macros from the internet
- Only allow macros from trusted locations
- Use Group Policy or Microsoft 365's security defaults
Quick win: In Office, go to File > Options > Trust Center > Trust Center Settings > Macro Settings and select "Disable all macros with notification."
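The quick win above is a per-user, per-application click-through. As an added example (not from the original article or from Microsoft), the script below applies the same two settings for Word, Excel and PowerPoint through the Office policy registry keys, which is what Group Policy writes, and reads them back so you can confirm the result. It assumes Office 2016/2019/365 (registry version key `16.0`) and runs as the signed-in user.

```powershell
# Added example: set and verify Office macro policy via the registry.
# Assumes Office 2016/2019/365 (version key 16.0); adjust $OfficeVersion otherwise.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros, 2 = disable with notification (the
# article's quick win), 3 = disable except digitally signed, 4 = disable without
# notification (the strictest choice, suited to users with no need for macros).
# blockcontentexecutionfrominternet: 1 = block macros in files downloaded from
# the internet (Mark of the Web), regardless of the VBAWarnings level.
$Desired = @{
    VBAWarnings                       = 2
    blockcontentexecutionfrominternet = 1
}

function Set-OfficeMacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $Desired[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    param([string]$App)
    $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App               = $App
        VBAWarnings       = $props.VBAWarnings
        BlockFromInternet = $props.blockcontentexecutionfrominternet
        # Compliant = unsigned macros do not run silently AND internet files are blocked
        Compliant         = ($props.VBAWarnings -ge 2) -and ($props.blockcontentexecutionfrominternet -eq 1)
    }
}

foreach ($app in $Apps) { Set-OfficeMacroPolicy -App $app }
$Apps | ForEach-Object { Get-OfficeMacroPolicy -App $_ } | Format-Table -AutoSize
```

Because these live under the `Policies` hive, users cannot undo them from the Trust Center dialog. For a whole fleet, the equivalent Group Policy settings are under User Configuration > Administrative Templates > Microsoft Office > Security Settings for each application.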
4. User Application Hardening
What it is: Configure applications to be more secure by disabling unnecessary features.
Why it matters: Reduces the attack surface by turning off components that attackers commonly exploit.
For SMBs:
- Remove Adobe Flash if it is still installed (it has already been phased out)
- Configure web browsers to block untrusted plugins
- Disable PowerShell for standard users
- Block ads and malicious websites with DNS filtering
Quick win: Install uBlock Origin on all company web browsers and configure DNS filtering with OpenDNS or a similar service.
5. Restrict Administrative Privileges
What it is: Only give admin rights to people who absolutely need them, and only when they need them.
Why it matters: Limits damage if an account gets compromised—attackers can't install software or access sensitive areas.
For SMBs:
- Create separate admin accounts for IT tasks
- Use standard user accounts for daily work
- Implement "just-in-time" admin access
- Regularly review who has admin rights
Quick win: Remove admin rights from all user accounts except dedicated IT administrators.
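"Regularly review who has admin rights" is the step that tends to get skipped, so here is an added example (not from the original article) that audits a device's local Administrators group against an approved list, warns about anything unexpected, and shows the removal command with `-WhatIf` so it only reports until you decide to act. The approved account names and the report path are assumptions; it needs Windows 10/11 and an elevated session.

```powershell
# Added example: review local Administrators against an approved list.
# $Approved and $ReportPath are assumptions; run elevated on Windows 10/11.

$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (keep disabled or renamed)
    "$env:COMPUTERNAME\itadmin"          # assumed dedicated IT admin account
)
$ReportPath = "$env:ProgramData\AdminReview\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).csv"

function Get-AdminReview {
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        [pscustomobject]@{
            Name        = $m.Name
            Source      = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            ObjectClass = $m.ObjectClass       # User or Group (groups hide who is really inside)
            Approved    = $Approved -contains $m.Name
        }
    }
}

$review = Get-AdminReview
$review | Format-Table -AutoSize

# Keep a dated record: it is the evidence an assessor asks for at Maturity Level 1.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$review | Export-Csv -NoTypeInformation -Path $ReportPath

foreach ($u in $review | Where-Object { -not $_.Approved }) {
    Write-Warning "Not on the approved list: $($u.Name) ($($u.Source) $($u.ObjectClass))"
    # Remove -WhatIf once the account owner has confirmed the right is not needed.
    Remove-LocalGroupMember -Group 'Administrators' -Member $u.Name -WhatIf
}

# The account doing daily work should NOT be the admin account. This tells the
# person running the script which kind of account they are signed in with.
$me      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $me).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"{0} is running with admin rights: {1}" -f $me.Name, $isAdmin
```

Pay particular attention to rows where `ObjectClass` is `Group`: a domain or Entra group nested in local Administrators grants admin rights to everyone in that group, so review its membership too.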
6. Patch Operating Systems
What it is: Keep Windows, macOS, and other operating systems updated with security patches.
Why it matters: Operating system vulnerabilities can give attackers complete control over devices.
For SMBs:
- Enable automatic updates for all operating systems
- Use Windows Update for Business for centralised management
- Test critical patches in a small group before widespread deployment
- Maintain an inventory of all devices and their patch status
Quick win: Verify automatic updates are enabled on all company devices and schedule monthly patch reviews.
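Controls 2 and 6 both come down to the same two questions for every device: what is still unpatched, and when did it last patch? As an added example serving both sections (not from the original article or from Microsoft), the script below answers them for one Windows device using the built-in Windows Update Agent COM API, flags Critical updates against the article's 48-hour target, checks whether automatic updates have been switched off by policy, and writes a JSON record for the device inventory. The 30-day threshold and the report path are assumptions.

```powershell
# Added example: per-device patch status for the inventory. Uses the Windows
# Update Agent COM API (built in). Report path and thresholds are assumptions.
# The Search() call contacts Windows Update or your WSUS server and can take
# a minute or two.

$ComputerName = $env:COMPUTERNAME
$ReportPath   = "$env:ProgramData\PatchInventory\$ComputerName.json"

# OS identity: product, feature release and build number.
$cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osInfo = "$($cv.ProductName) $($cv.DisplayVersion) build $($cv.CurrentBuild).$($cv.UBR)"

# Which software updates are offered but not yet installed?
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

$pendingList = @(foreach ($u in $pending) {
    [pscustomobject]@{
        Title    = $u.Title
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }   # Critical/Important/Moderate/Low
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    }
})

# When did this device last install an update successfully? (ResultCode 2 = succeeded)
$count  = $searcher.GetTotalHistoryCount()
$lastOk = if ($count -gt 0) {
    $searcher.QueryHistory(0, $count) | Where-Object { $_.ResultCode -eq 2 } |
        Sort-Object Date -Descending | Select-Object -First 1 -ExpandProperty Date
}

# Has someone disabled automatic updating by policy? (NoAutoUpdate = 1 turns it off)
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$autoUpdateDisabled = ($au.NoAutoUpdate -eq 1)

$pendingCritical = @($pendingList | Where-Object Severity -eq 'Critical').Count
$daysSince       = if ($lastOk) { [int]((Get-Date) - $lastOk).TotalDays } else { $null }

$report = [pscustomobject]@{
    Computer            = $ComputerName
    OS                  = $osInfo
    Checked             = (Get-Date).ToString('s')
    LastSuccessfulPatch = if ($lastOk) { $lastOk.ToString('s') } else { 'none recorded' }
    DaysSinceLastPatch  = $daysSince
    PendingTotal        = $pendingList.Count
    PendingCritical     = $pendingCritical
    AutoUpdateDisabled  = $autoUpdateDisabled
    # Act on: critical patches outstanding (48-hour target), a device that has
    # gone over a month without patching, or auto-update switched off.
    NeedsAttention      = ($pendingCritical -gt 0) -or ($daysSince -gt 30) -or $autoUpdateDisabled
}

New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$report | ConvertTo-Json -Depth 3 | Set-Content -Path $ReportPath
$report | Format-List
$pendingList | Format-Table -AutoSize
```

Run it as a scheduled task on each device and collect the JSON files into one folder (or a SharePoint library), and you have the inventory the article asks for without buying a patch management product. Note that the Windows Update Agent only knows about Windows and Microsoft products; third-party applications such as browsers and PDF readers need their own update checks.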
7. Multi-Factor Authentication (MFA)
What it is: Requiring more than just a password to log into systems—usually a code from your phone or an authenticator app.
Why it matters: Even if passwords are stolen, attackers can't access accounts without the second factor.
For SMBs:
- Enable MFA on all cloud services (Microsoft 365, Google Workspace, etc.)
- Use authentication apps rather than SMS where possible
- Require MFA for remote access (VPN, remote desktop)
- Consider conditional access policies
Quick win: Enable MFA on your Microsoft 365 or Google Workspace admin accounts immediately.
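Before you enforce MFA you want to know who has not registered a method yet, and afterwards you want proof of coverage. As an added example (not from the original article), the script below produces that report for a Microsoft 365 tenant with the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph.Reports` module can be installed and that the signed-in administrator can consent to the `AuditLog.Read.All` permission; the output path is an assumption.

```powershell
# Added example: who in the tenant still lacks MFA, and who relies on phone-only
# methods. Assumes Microsoft Graph PowerShell SDK and AuditLog.Read.All consent.

if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Reports)) {
    Install-Module Microsoft.Graph.Reports -Scope CurrentUser -Force
}
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

# Phone-based methods (SMS / voice). The article prefers authenticator apps.
$phoneMethods = 'mobilePhone', 'alternateMobilePhone', 'officePhone'

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$summary = foreach ($d in $details) {
    $methods = @($d.MethodsRegistered)
    [pscustomobject]@{
        User            = $d.UserPrincipalName
        IsAdmin         = $d.IsAdmin
        MfaRegistered   = $d.IsMfaRegistered
        Methods         = $methods -join ','
        # Registered, but every method is a phone number: weaker than an app.
        PhoneOnly       = $d.IsMfaRegistered -and ($methods.Count -gt 0) -and
                          -not ($methods | Where-Object { $_ -notin $phoneMethods })
    }
}

# Admin accounts without MFA carry the most risk, which is why the article
# says to enable MFA on them first.
$adminsWithoutMfa = @($summary | Where-Object { $_.IsAdmin -and -not $_.MfaRegistered })
$usersWithoutMfa  = @($summary | Where-Object { -not $_.MfaRegistered })
$phoneOnly        = @($summary | Where-Object PhoneOnly)

"{0} of {1} users have MFA registered; {2} admin account(s) without MFA; {3} user(s) on phone-only methods." -f `
    @($summary | Where-Object MfaRegistered).Count, @($summary).Count, $adminsWithoutMfa.Count, $phoneOnly.Count

$adminsWithoutMfa | Format-Table -AutoSize
$usersWithoutMfa  | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\mfa-gap-report.csv"
```

Run it once before turning on security defaults or a conditional access policy that requires MFA, so you can contact the people on the list first, and again afterwards to confirm the numbers have moved. Google Workspace admins get the equivalent view from the Admin console's user report on 2-Step Verification enrolment.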
8. Regular Backups
What it is: Keeping secure, offline copies of your important data that you can restore if needed.
Why it matters: Ensures business continuity even if you're hit by ransomware or other destructive attacks.
For SMBs:
- Follow the 3-2-1 rule: 3 copies of data, 2 different media types, 1 offsite
- Use cloud backup services with versioning
- Test restore procedures regularly
- Keep some backups offline or immutable
Quick win: Set up automated cloud backup for critical business files using services like OneDrive, Google Drive, or dedicated backup solutions.
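A backup you have never restored is a hope, not a control. As an added example (not from the original article), the script below shows the check behind "test restore procedures regularly": record a SHA-256 manifest of the files at backup time, then after a test restore compare the restored folder against that manifest and report anything missing or altered. The three sample files are constructed inline so the script runs offline; point `$Source` and `$Restored` at real folders for an actual test.

```powershell
# Added example: verify a test restore against a hash manifest.
# Sample files below are constructed for the demo; paths are assumptions.

$Source   = Join-Path $env:TEMP 'e8-backup-demo\source'
$Restored = Join-Path $env:TEMP 'e8-backup-demo\restored'
$Manifest = Join-Path $env:TEMP 'e8-backup-demo\manifest.csv'

# Constructed sample data: one file intact, one corrupted, one missing after restore.
foreach ($d in $Source, $Restored) { New-Item -ItemType Directory -Path $d -Force | Out-Null }
Set-Content "$Source\invoices.csv"    "id,amount`n1,100.00"
Set-Content "$Source\contracts.txt"   "Contract A"
Set-Content "$Source\payroll.xlsx"    "binary-placeholder"
Set-Content "$Restored\invoices.csv"  "id,amount`n1,100.00"      # identical copy
Set-Content "$Restored\contracts.txt" "Contract A (truncated"    # corrupted copy
# payroll.xlsx is deliberately absent from the restore

# Step 1 (run at backup time): hash every file relative to the backup root.
function New-HashManifest {
    param([string]$Root, [string]$Path)
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            File = $_.FullName.Substring($Root.Length).TrimStart('\')
            Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -NoTypeInformation -Path $Path
}

# Step 2 (run after a test restore): compare the restored tree with the manifest.
function Test-RestoreAgainstManifest {
    param([string]$Root, [string]$Path)
    foreach ($entry in Import-Csv -Path $Path) {
        $target = Join-Path $Root $entry.File
        $status = if (-not (Test-Path $target)) {
            'MISSING'
        } elseif ((Get-FileHash -Path $target -Algorithm SHA256).Hash -ne $entry.Hash) {
            'HASH MISMATCH'
        } else {
            'OK'
        }
        [pscustomobject]@{ File = $entry.File; Status = $status }
    }
}

New-HashManifest -Root $Source -Path $Manifest
$results  = @(Test-RestoreAgainstManifest -Root $Restored -Path $Manifest)
$results | Format-Table -AutoSize

$failures = @($results | Where-Object Status -ne 'OK')
if ($failures.Count -eq 0) {
    'Restore test PASSED: every file present and byte-identical to the manifest.'
} else {
    Write-Warning ("Restore test FAILED: {0} of {1} files missing or altered." -f $failures.Count, $results.Count)
}
```

Keep the manifest with the backup (or in a separate location) rather than only on the source machine: if ransomware alters the originals, the manifest is the record of what the files looked like before. The same comparison also tells you whether a backup silently stopped covering a folder, which is the most common reason "we have backups" turns out not to be true.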
Getting Started: Your 90-Day Plan
Days 1-30: Quick Wins
- Enable automatic updates everywhere
- Turn on MFA for cloud accounts
- Configure Office macro settings
- Start regular backups
Days 31-60: Build the Foundation
- Implement application control
- Review and restrict admin privileges
- Set up DNS filtering
- Create an asset inventory
Days 61-90: Fine-Tune and Monitor
- Harden applications further
- Implement patch management processes
- Test backup and recovery procedures
- Document your security configurations
Don't Try to Do Everything at Once
The Essential Eight can seem overwhelming, but remember: some protection is better than no protection. Start with the controls that give you the biggest security improvement for the least effort.
Focus on getting Maturity Level 1 across all eight controls before trying to achieve higher maturity levels. This pragmatic approach will deliver real security improvements without overwhelming your team or budget.
Getting Help
If this feels like too much to tackle alone, that's completely normal. Many SMBs benefit from working with cybersecurity professionals who understand Australian requirements and can help implement the Essential Eight in a way that fits your business.
The key is to start somewhere—every control you implement makes your business more secure than it was yesterday.
Need help implementing Essential Eight for your Australian business? Contact CIO247 for a consultation tailored to your specific needs and budget.