ACSC Essential Eight for Small Business: Practical IT Support Checklist 2025

The Essential Eight cuts cyber risk fast with steps you can action this month. This guide shows Brisbane SMEs how to set up Microsoft 365, patch quickly and back up properly. Plain English, real costs, and tasks you can hand to your team or your IT support.

Key takeaways

  • The Essential Eight gives a simple path to lower ransomware and email breach risk.
  • Start with patching, MFA and backups; they give the biggest win in weeks.
  • Microsoft 365 Business Premium has most tools you need already.
  • Plan for storm season: test restores and power protection in Brisbane.
  • Track maturity level and lift it quarter by quarter, not all at once.

What is the Essential Eight? Core concept

Definition

The ACSC Essential Eight is a set of eight mitigation strategies, published by the Australian Cyber Security Centre, that suit small business cyber security. It covers application control, patching applications, Microsoft Office macro settings, user application hardening, restricting admin privileges, patching operating systems, multi‑factor authentication, and backup and recovery. Each strategy is measured against maturity levels from 0 to 3.

Why it matters

Most Brisbane breaches start with stolen Microsoft 365 logins, old software, or weak backups. The Essential Eight maps straight to those risks. It aligns with ACSC guidelines and helps with insurance and client security questionnaires common in construction, healthcare, and professional services across SEQ.

Quick self‑assessment: your current maturity level

A rough guide only; the ACSC Essential Eight Maturity Model defines each level in more detail.

  • Level 0: No MFA for email, devices often out of date, backups untested.
  • Level 1: MFA on email, monthly patching, daily backups kept offline or offsite.
  • Level 2: Admin rights locked down, macros restricted, app hardening in place.
  • Level 3: Application control (allow‑list), rapid patching (within 48 hours), regular recovery tests.

How it works and step‑by‑step

Process

Start with high impact controls, then lift maturity in sprints:

  • Sprint 1 (2–4 weeks): Turn on MFA, secure Microsoft 365, patch devices, set daily backups.
  • Sprint 2 (4–8 weeks): Lock admin rights, harden browsers and PDFs, restrict macros.
  • Sprint 3 (8–12 weeks): Deploy application control and tighten patch SLAs (48 hours for critical).
  • Quarterly: Test restores, review alerts, remove old accounts and devices.

Step‑by‑step: Application control

  • Windows Pro/Enterprise: Use AppLocker or Windows Defender Application Control to allow‑list approved apps.
  • Push policies with Intune or Group Policy. Start with audit mode for a week.
  • Approve line‑of‑business apps and drivers, block unknown executables and scripts.
  • Keep a request process for new software. Review monthly.
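The audit‑mode week above only pays off if someone reads the audit events and turns them into rules. The following is an added example, not code from the original guide; it assumes Windows Pro/Enterprise with an AppLocker policy already deployed in AuditOnly mode, an elevated PowerShell session on a pilot device, and a hypothetical output path for the draft policy.

```powershell
# Added example (not from the original guide): summarise AppLocker audit-mode
# events on a pilot device so the allow-list can be built before switching to
# Enforce. Assumes an AppLocker policy already deployed in AuditOnly mode and
# an elevated PowerShell session.

$log = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Each "Audited" event is a file that would have been blocked under Enforce.
$audited = Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited

# Group by publisher: signed line-of-business apps can be approved with one
# publisher rule; unsigned files need a path or hash rule and a closer look.
$audited |
    Group-Object { if ($_.Publisher) { $_.Publisher.PublisherName } else { 'UNSIGNED' } } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
                  @{ Name = 'Example'; Expression = { $_.Group[0].Path.Path } } |
    Format-Table -AutoSize

# Draft rules for the audited files: publisher rules where signed, hash rules
# otherwise. Review the XML before merging it into the live policy through
# Intune or Group Policy. Output path is a hypothetical placeholder.
$audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath 'C:\Temp\applocker-draft.xml' -Encoding utf8
```

Repeat on a device from each department before enforcing, since finance and production PCs usually run software the office pilot never sees.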

Step‑by‑step: Patch applications and operating systems

  • Set Windows Update for Business or Intune to auto‑install updates overnight.
  • Patch third‑party apps (Chrome, Adobe, Zoom) with Intune, Winget, or RMM tools.
  • Critical patches: within 48 hours. Others: within 14 days.
  • Keep an asset list: device name, OS build, last patch date. Report weekly.
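One way to produce the asset‑list row the last step asks for (device name, OS build, last patch date) and check it against the 14‑day SLA. This is an added example, not code from the original guide; it assumes it is pushed to each Windows device by Intune or an RMM tool, and the CSV path is a hypothetical placeholder.

```powershell
# Added example (not from the original guide): build one asset-list row for
# this Windows device and flag it against the guide's 14-day patch SLA.
# Assumes it runs on each device via Intune or RMM; rows are collected
# centrally for the weekly report. CSV path is a placeholder.

$slaDays = 14   # non-critical patches within 14 days (critical: 48 hours)

# Windows build from the registry: build number, revision (UBR) and release.
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1} ({2})' -f $ver.CurrentBuild, $ver.UBR, $ver.DisplayVersion

# Most recent installed update that registered a KB. InstalledOn is empty
# for some entries, so those are filtered out before sorting.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

$daysSince = if ($lastPatch) {
    (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
} else { $null }

$status = if ($null -eq $daysSince)     { 'Unknown' }   # no dated update found
          elseif ($daysSince -le $slaDays) { 'OK' }
          else                             { 'Overdue' }

[pscustomobject]@{
    Device     = $env:COMPUTERNAME
    OSBuild    = $build
    LastPatch  = if ($lastPatch) { $lastPatch.InstalledOn.ToString('yyyy-MM-dd') } else { '' }
    LastHotfix = if ($lastPatch) { $lastPatch.HotFixID } else { '' }
    DaysSince  = $daysSince
    Status     = $status
} | Export-Csv -Path "$env:ProgramData\patch-status.csv" -NoTypeInformation
```

A device reporting "Unknown" or "Overdue" should be treated as out of SLA until someone confirms why; Get‑HotFix only lists updates that register a KB, so pair it with the Intune update report for third‑party apps.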

Step‑by‑step: Configure Microsoft 365 and MFA

  • Licensing: Use Microsoft 365 Business Premium for Defender, Intune and Conditional Access.
  • Turn on multi‑factor authentication for every user, including anyone with delegated access to shared mailboxes.
  • Block legacy authentication protocols (IMAP, POP and SMTP AUTH) wherever they are not needed.
  • Enable Defender for Office 365: Safe Links, Safe Attachments, anti‑phish policies.
  • Set Conditional Access: block sign‑ins from risky countries; require compliant device for admin roles.
  • Harden OneDrive and SharePoint: limited external sharing, versioning, and ransomware detection alerts.
  • Need help? See our Microsoft 365 support.
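To act on the "block legacy protocols" step, the mailbox‑level switches can be set and then verified in one pass. This is an added example, not code from the original guide; it assumes the ExchangeOnlineManagement module, an admin session signed in with MFA, and a constructed exception list for the few devices (such as a scanner) that still need SMTP AUTH.

```powershell
# Added example (not from the original guide): disable IMAP, POP and SMTP AUTH
# for every mailbox except approved exceptions, then list anything still on.
# Assumes the ExchangeOnlineManagement module and an MFA-protected admin login.

Connect-ExchangeOnline

# Mailboxes that genuinely need a legacy protocol, e.g. a multifunction printer
# that can only send via SMTP AUTH. Constructed placeholder address.
$exceptions = @('scanner@example.com.au')

$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties UserPrincipalName

foreach ($mb in $mailboxes) {
    if ($exceptions -contains $mb.UserPrincipalName) { continue }
    Set-CASMailbox -Identity $mb.UserPrincipalName `
        -ImapEnabled $false `
        -PopEnabled $false `
        -SmtpClientAuthenticationDisabled $true
}

# Verification: anything listed here should be on the exception list.
Get-EXOCASMailbox -ResultSize Unlimited `
        -Properties ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled
```

Pair this with a Conditional Access policy that blocks legacy authentication, so a mailbox that is later re‑enabled by mistake still cannot sign in with a bare password.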

Step‑by‑step: User access, admin rights and macros

  • Admin rights: Standard users day‑to‑day. Create separate admin accounts with MFA and no email.
  • Privilege workflows: Just‑in‑time elevation using Intune Endpoint Privilege Management where available.
  • Macros: Block macros from the internet; allow only signed macros for trusted finance tools.
  • User application hardening: Disable Flash/Java (where present), block untrusted fonts, turn off Office OLE add‑ins you do not use.
  • Browser hardening: Turn on SmartScreen/Defender, block third‑party cookies where possible, force auto‑update.

Backups, testing and recovery you can rely on

  • 3‑2‑1 rule: Three copies, two media, one offsite or offline.
  • Microsoft 365: Retention policies and backups for Exchange, OneDrive, SharePoint, Teams.
  • Servers and PCs: Daily image or file backups; keep at least one immutable copy.
  • Test: Restore a single file weekly and a full system quarterly.
  • Storm prep: Add UPS to key gear; plan for power flickers and brownouts across Brisbane summer.
  • See our backup and recovery guidance.

Costs, timelines and who should own each task

  • Licences: Microsoft 365 Business Premium about $30–$35 AUD per user/month.
  • MFA and Conditional Access: Included in Business Premium. Hardware security keys optional $60–$120 each.
  • Backup tools: $4–$12 per user/month for Microsoft 365 data; server image backups vary by storage ($0.15–$0.25/GB/month).
  • Setup work: Small firm (10–25 staff) often $1.5k–$6k once‑off depending on devices and legacy systems.
  • Timelines: Level 1 in 2–6 weeks; Level 2 in 1–3 months; Level 3 varies with app control testing.
  • Owners: Business owner approves policy, office manager handles user comms, IT lead or MSP configures and reports.

Featured answer

The ACSC Essential Eight is a practical set of eight cyber defences for Australian SMEs. Start with MFA, fast patching, and reliable backups. Secure Microsoft 365, lock admin rights, restrict macros, harden user apps, and allow‑list software. Lift maturity step‑by‑step and test recovery regularly.

Common problems in Brisbane

Weather and infrastructure

  • Heat and humidity shorten UPS and NAS life. Summer storms trigger power dips that corrupt backups.
  • NBN quirks: FTTN pockets in older suburbs like Annerley, Moorooka and parts of Ashgrove drop out under rain. New estates around Springfield and North Lakes can have CG‑NAT issues that affect remote access and backups.
  • Older CBD and Fortitude Valley buildings may have patchy grounding; spikes can knock out switches and firewalls.

Tip: Use surge protection and UPS on servers, NAS and routers. Schedule backups outside peak storm hours when possible.

Troubleshooting and quick checks

Short answer

If you use Microsoft 365, turn on MFA for everyone today, run Windows Update, and confirm last night’s backup. Then remove unused accounts and old devices. These four actions cut the most risk fast while you plan the remaining Essential Eight steps.

Quick checks

Safe checks you can do now:

  • Open Microsoft 365 admin and confirm MFA status is “Enabled and Enforced” for all users.
  • Run Windows Update and update Chrome/Edge, Adobe Reader and Zoom.
  • Restore a file from OneDrive/SharePoint and from your NAS or cloud backup.
  • Check local admin rights: users should not be admins.
  • Open Office Trust Center and confirm macros are blocked from the internet.
  • Review mail rules for any auto‑forwarding to personal addresses.
  • Review sign‑in logs for unusual countries or times.

Need a policy template and tracking? Create a simple sheet: control, owner, due date, status, last test.

Safety notes and when to call a pro

Red flags

Call a specialist fast if you see mass login failures, inbox rules you did not set, Defender alerts you cannot clear, or backups that fail two days in a row. If data may be exposed, review your obligations under the Notifiable Data Breaches scheme and pause risky actions until you have advice.

If ransomware hits, do not rebuild or wipe devices before you collect logs and confirm backups are clean. Isolate, preserve, then recover.

Local insights and examples

Brisbane/SEQ examples

West End creative studios often run Macs plus a Windows file server; we see MFA gaps on shared inboxes. In industrial areas like Rocklea and Acacia Ridge, older PCs run line‑of‑business software that needs careful allow‑listing and patch timing around production.

Professional firms in the CBD and Spring Hill usually have Microsoft 365 Business Premium already; tightening Conditional Access and disabling legacy protocols blocks most phishing takeovers. Bayside offices around Wynnum and Capalaba benefit from UPS and offsite backups due to storm‑related outages.

Across SEQ, we see quick wins by pairing MFA with mail security and better cyber security awareness training. Monthly reports to owners keep momentum and budget on track.

FAQs

Q1: What are the eight controls and which should I do first?

The eight controls are application control, patch applications, configure macro settings, user application hardening, restrict admin privileges, patch operating systems, multi‑factor authentication, and backups. Start with MFA, patching and backups. Then lock admin rights and macros, followed by app hardening and allow‑listing.

Q2: How long does a 20‑person business need to reach Level 1?

Most reach Level 1 in two to six weeks. Week 1 turns on MFA and fixes obvious mail risks. Weeks 2–3 set patching and backups. Weeks 4–6 tidy admin rights, macros and app settings. Older gear or custom apps can add time, especially for allow‑listing.

Q3: Do I need Microsoft 365 Business Premium or is Standard fine?

Business Premium is worth it for Defender, Intune and Conditional Access. These features reduce phishing and help with device compliance and remote wipe. Standard can work with add‑ons, but cost and complexity often end up higher than Premium for SMEs in Brisbane.

Sources and further reading

This guide follows ACSC guidelines, the Essential Eight Maturity Model, and the Australian Government Information Security Manual. It aligns with common insurer questionnaires and basic incident response practice: identify, contain, eradicate, recover, and review. Map your policies to these frameworks and review each quarter.

Wrap‑up and next steps

Pick your next two actions and set a date: turn on MFA for all users and test a full restore. Then build a 90‑day plan to lift your maturity level. If you want hands‑on help and clear reporting in Brisbane, see our Business IT Support service.