Cybersecurity advice for small businesses tends to fall into one of two traps. Either it is so vague it is useless — "use strong passwords, keep software updated" — or it is so technical it assumes you have a dedicated security team to implement it. The ASD Essential Eight sits in neither camp. It is a practical, government-developed framework that tells you exactly what to do and in what order, without requiring you to have a computer science degree to understand it.
This guide explains the Essential Eight in plain English, walks through the maturity levels, and suggests where an Australian small business should start — whether you currently have no cybersecurity baseline at all or you are looking to formalise what you already have in place.
What Is the ASD Essential Eight?
The Essential Eight is a set of eight baseline cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD), the federal government agency responsible for foreign signals intelligence and national cybersecurity. Originally designed for Australian government agencies, the framework has become the de facto standard for cybersecurity guidance across Australian organisations of all sizes — from large enterprises and critical infrastructure operators down to small businesses and sole traders.
The framework is built around three core objectives: preventing malware from being delivered and executed on your systems in the first place; limiting the extent of damage when an incident does occur; and enabling you to recover your data and restore system availability after an attack. Every one of the eight controls addresses one or more of these objectives in a concrete, testable way. That specificity is what makes the Essential Eight genuinely useful — it is not a list of principles but a list of actions.
The Eight Controls — What They Mean in Practice
1. Application Control
Application control means only allowing approved software to run on your computers. Any application that is not on the pre-approved list is blocked automatically before it can execute. For a small business owner, this might sound complicated, but it is increasingly practical with modern endpoint management tools — software platforms that let an IT provider manage all your devices from a central console.
The benefit is significant. Even if an employee clicks on a malicious link or opens a suspicious attachment, the malicious program cannot run if it is not on the approved list. You are cutting off the attack at the point of execution rather than relying on your staff to spot every threat.
2. Patch Applications
Patching simply means keeping your software up to date — in particular, applications that handle content from the internet, such as web browsers, Microsoft Office, PDF readers, and any other software that regularly opens files or connections from external sources. The ASD recommends applying patches for critical vulnerabilities within 48 hours of their release.
This control is unglamorous but it is one of the highest-impact things you can do. The overwhelming majority of successful ransomware attacks exploit known vulnerabilities in outdated software — vulnerabilities that already have a fix available. Attackers actively scan for organisations running unpatched versions. Staying current removes a large proportion of their available entry points.
3. Configure Microsoft Office Macro Settings
Macros are small automated programs embedded in Microsoft Office files — spreadsheets, documents, and presentations. They have legitimate uses in some business workflows, but they are also a well-established mechanism for delivering malware via email attachments. The ASD recommends disabling macros by default for most users and only permitting them where there is a genuine, documented business need, and only from trusted, verified locations.
For most small businesses, the majority of staff have no need to run macros at all. Restricting them by default blocks a significant class of attacks without meaningfully affecting day-to-day operations.
4. User Application Hardening
Application hardening means configuring your common software — browsers, PDF readers, Microsoft Office — to disable features that are frequently exploited by attackers. This includes older browser technologies like Flash (now largely obsolete), Java plugins where they are not required, and web advertisements served from untrusted external sources.
Think of it as removing the features that attackers rely on rather than waiting to see if they will be exploited. Most of these features are disabled silently in the background by your IT provider and require no change to how your staff use their computers day to day.
5. Restrict Administrative Privileges
Administrator privileges — often called "admin access" — give a user the ability to install software, change system settings, and access all files on a device. Many small businesses set up computers with everyone as an administrator because it is convenient. This is a significant security risk.
When an account with admin privileges is compromised, an attacker can do far more damage than if they compromise a standard user account. The ASD recommends that admin accounts only be used for administrative tasks, and that staff use separate, lower-privilege accounts for their normal work — checking email, browsing the web, using business applications. Restricting admin access is low-cost to implement and removes a major advantage from anyone who successfully breaches a staff account.
6. Patch Operating Systems
Beyond patching individual applications, the operating system — Windows, macOS, or whichever platform your business runs — also needs to be kept current. The ASD applies the same 48-hour recommendation for critical OS patches as it does for applications. Operating system vulnerabilities are often more serious than application-level vulnerabilities because they can affect every piece of software and every file on the device.
Automating OS updates wherever possible is the most reliable approach. Manual update processes get skipped during busy periods, creating gaps that accumulate over time.
7. Multi-Factor Authentication (MFA)
Multi-factor authentication means requiring a second verification step — typically a one-time code sent to your phone or generated by an authenticator app — in addition to a password when logging in to important systems. This applies most critically to email, cloud storage, remote access tools, and anything accessible from the internet.
MFA is widely regarded as the single most effective control for preventing unauthorised account access. A stolen or guessed password alone is not enough to log in when MFA is enabled. Given how frequently passwords are exposed through data breaches at third-party services, MFA provides a critical safety net even when your staff follow good password practices.
8. Regular Backups
The final control is also the one that determines whether your business survives a serious incident. Regular backups mean copying your important data at consistent intervals, storing those backups separately from your main systems (so that ransomware encrypting your primary files cannot also destroy the backups), and — critically — actually testing that those backups can be restored.
A backup that has never been tested is not a backup in any meaningful sense. Many businesses discover their backup system has been silently failing only when they need it most. A properly maintained, tested, and offsite backup is what allows a business to recover from ransomware without paying the ransom, and to recover from accidental deletion, hardware failure, or any other data loss event without losing weeks of work.
Understanding the Maturity Levels
Each of the eight controls is defined across three maturity levels. Maturity Level 1 is designed to address targeted attacks using common, widely available techniques — the type of attacks that Australian small businesses face most frequently. Maturity Level 2 addresses more sophisticated adversaries with more targeted methods. Maturity Level 3 addresses adversaries with advanced capabilities and significant resources, typically the concern of government agencies and critical infrastructure operators.
For the vast majority of Australian small businesses, Maturity Level 1 is the right target. Reaching Maturity Level 1 consistently across all eight controls puts you significantly ahead of most organisations in the small business segment — because most small businesses have not addressed all eight controls at any level.
The existence of higher maturity levels should not discourage you from starting. A business that is solid and consistent at Level 1 across all eight controls is far better protected than one that has attempted Level 3 on two controls and left the other six unaddressed. Breadth before depth is the right approach for most small businesses.
Where Should a Small Business Start?
If you are starting from a low baseline, the practical order of priority is as follows.
Begin with MFA. It is fast to implement, requires no specialised tools beyond what most cloud services already support, and has an outsized impact on your exposure to account compromise. Start with your email platform and cloud services — Microsoft 365 and Google Workspace both support MFA natively.
Next, address patching for both applications and operating systems. Automate this wherever your systems allow it. Manual patching processes get skipped during busy periods and create cumulative gaps. Automation removes the reliance on someone remembering.
Restricting administrative privileges is a low-cost, high-benefit change that most IT providers can implement as part of a standard setup review. Most staff simply do not need admin access for their daily work, and removing it is rarely noticed in practice.
If you do not currently have tested, offsite backups — or if you are not certain whether your existing backups actually work — this is your most urgent gap. A working backup is the difference between a recoverable incident and a business-ending one.
Once the above four are in place, turn to application hardening (disabling macros, configuring browsers) and then to application control. The latter is the most complex to implement correctly, but by the time you reach it, the other controls will have substantially reduced your risk profile and you will have a clearer picture of what your environment looks like.
How Managed IT Services Support the Essential Eight
The Essential Eight is not a one-off project. It is an ongoing maintenance commitment. Software needs to be patched continuously as new vulnerabilities are discovered. Backup restores need to be tested on a regular schedule, not just assumed to be working. MFA needs to be enforced for new staff accounts as people join the business. Application control lists need to be updated as your software needs change.
This is precisely why the Essential Eight and managed IT services are a natural fit. A managed IT provider handles these maintenance tasks as part of their ongoing service, monitoring your environment, applying patches, validating backups, and ensuring your controls remain effective rather than degrading quietly over time. For small businesses without internal IT staff, this model makes the Essential Eight genuinely achievable rather than aspirational.
For businesses operating in strata or smart building environments, the cybersecurity considerations extend beyond the office network. The connected systems that manage building access, HVAC, and facilities introduce additional attack surfaces that need to be considered alongside your standard IT controls — a topic covered in depth in Pickle's guide to cyber security for smart buildings.
The Cost of Not Acting
Australian small businesses are targeted by cybercriminals specifically because they are assumed to have weaker defences than larger organisations. The Australian Cyber Security Centre's annual cyber threat reports consistently show that small businesses account for a disproportionate share of ransomware victims, and that the financial impact per incident is often severe relative to business size.
A ransomware attack that encrypts your files and demands payment costs far more than the ransom itself — and paying the ransom does not guarantee recovery. There is the operational downtime while systems are unavailable, the recovery effort, the reputational impact with clients, and in cases where client or personal data is affected, potential obligations under the Privacy Act and the Notifiable Data Breaches scheme.
The Essential Eight exists because the ASD studied which controls actually prevent and limit these incidents in practice. Implementing even the first four controls on the list — MFA, patching, restricting admin privileges, and tested backups — meaningfully reduces your exposure to the attacks that affect Australian small businesses most frequently.
Get a Cybersecurity Baseline Assessment with Pickle
If you are not sure where your business currently sits against the Essential Eight, a managed IT assessment is the right place to start. Pickle works with Australian small businesses and strata environments to establish and maintain cybersecurity baselines aligned with the ASD Essential Eight framework — identifying gaps, prioritising fixes by risk, and handling the ongoing maintenance so that your controls stay effective.
To discuss your cybersecurity baseline, contact Pickle directly:
- Phone: 1300 688 588
- Email: [email protected]
Frequently Asked Questions
Q: Does the ASD Essential Eight apply to small businesses, or is it only for government agencies?
A: The Essential Eight was originally developed for Australian government agencies, but the ASD explicitly recommends it as a cybersecurity baseline for all Australian organisations, including small businesses. It is not a legal requirement for most private businesses, but it is the most widely referenced and practically structured cybersecurity framework available in Australia, and it is designed to be scalable — Maturity Level 1 is achievable for businesses with no dedicated IT staff.
Q: What does "Essential Eight compliance" actually mean for a small business?
A: There is no single official compliance certification for the Essential Eight in the private sector — compliance is not a pass/fail accreditation for most small businesses. In practice, it means assessing your current controls against each of the eight strategies, identifying gaps, and systematically addressing them to reach a target maturity level. Maturity Level 1 across all eight controls is a meaningful and achievable target for most small businesses, and reaching it puts you significantly ahead of the majority of organisations your size.
Q: Which MFA app should my business use?
A: The most widely used and well-supported authenticator apps for small businesses are Microsoft Authenticator and Google Authenticator — both are free, available on iOS and Android, and compatible with most business platforms including Microsoft 365, Google Workspace, and most cloud services. For businesses already in the Microsoft ecosystem, Microsoft Authenticator has the tightest integration. The specific app matters less than ensuring MFA is actually switched on and enforced across all accounts — the method of delivery (app-based codes, push notifications, or hardware tokens) can be refined once the baseline is established.
Q: How often should we test our backups?
A: The ASD recommends testing backups at least quarterly, but for small businesses where the backup system is less mature or was recently set up, monthly test restores are a sensible approach until you have confidence in the system. A backup test means actually restoring a sample of files from the backup and verifying the data is intact — not simply checking that the backup software reports a successful run. Many backup failures are silent: the job completes without error but the data is corrupt or incomplete.
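What a restore test looks like in practice, as an added example (not code from this guide or from any backup product): it restores a sample of files from a backup copy to scratch space and checks each one against the hashes recorded when the backup was taken, which catches the silent failure described in the Regular Backups section and in the answer above, where the job reports success but the restored data is not intact. It assumes a plain file-copy backup with a JSON manifest beside it; the file names and contents in demo() are constructed.

```python
import hashlib, json, random, shutil, tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    # Fine for a demo; hash in chunks instead for files larger than memory.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def take_backup(source: Path, backup: Path) -> None:
    """Copy the source tree to backup/data and record every file's hash in a manifest."""
    manifest = {}
    for file in source.rglob("*"):
        if file.is_file():
            rel = file.relative_to(source).as_posix()
            dest = backup / "data" / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(file, dest)
            manifest[rel] = sha256_of(file)
    (backup / "manifest.json").write_text(json.dumps(manifest))

def restore_test(backup: Path, sample_size: int, seed: int = 0) -> list[str]:
    """Restore a random sample to scratch space and compare each file with the manifest.
    Returns findings; an empty list means the sampled files restored intact."""
    manifest = json.loads((backup / "manifest.json").read_text())
    sample = random.Random(seed).sample(sorted(manifest), min(sample_size, len(manifest)))
    findings = []
    with tempfile.TemporaryDirectory() as scratch:
        for rel in sample:
            src, dest = backup / "data" / rel, Path(scratch) / rel
            if not src.is_file():
                findings.append(f"missing from backup: {rel}")
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)  # the actual restore step
            if sha256_of(dest) != manifest[rel]:
                findings.append(f"restored copy differs from manifest: {rel}")
    return findings

def demo() -> tuple[list[str], list[str]]:
    """Constructed data set: a clean restore test, then one after a backup file silently rots."""
    with tempfile.TemporaryDirectory() as work:
        source, backup = Path(work, "live"), Path(work, "backup")
        files = {"invoices/q1.csv": b"id,amount\n1,100\n", "clients.txt": b"Acme\n"}
        for rel, body in files.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(body)
        take_backup(source, backup)
        clean = restore_test(backup, sample_size=2)
        # Same size, different bytes: a size-only check would miss it, and the job still "succeeded".
        (backup / "data" / "clients.txt").write_bytes(b"\x00" * 5)
        return clean, restore_test(backup, sample_size=2)
```

The first run returns no findings; the second names the damaged file, which is the outcome a "successful" status light never reports.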
Q: Do we need a managed IT provider to implement the Essential Eight, or can we do it ourselves?
A: Some of the controls — particularly enabling MFA and setting Windows Update to automatic — can be implemented without specialist help. However, implementing and maintaining all eight controls consistently over time, across all devices and user accounts, is difficult for a small business without internal IT expertise. Controls like application control, privilege restriction, and application hardening require careful configuration to avoid disrupting business operations. A managed IT provider brings the tools, processes, and ongoing monitoring that make the Essential Eight sustainable rather than a one-time effort that degrades as your environment changes.