In This Guide
The ACSC Essential Eight is the most cost-effective set of cyber controls an Aussie small business can implement. Done well, it stops most ransomware, phishing and business-email compromise attempts before they cause damage. This guide walks Brisbane SMEs, from CBD professional services to Logan trades and West End cafes, through every control — what it does, who it stops, what it costs, and a 30/60/90-day rollout plan.
Most Brisbane SMEs we audit are sitting at Maturity Level 0 on at least four of the eight controls. The good news: getting to Maturity Level 1 usually takes 4-8 weeks and a few thousand dollars when you have the right Microsoft 365 plan and a methodical roll-out.
Eight mitigation strategies built by the Australian Signals Directorate (ASD) and recommended by the Australian Cyber Security Centre (ACSC). They are: application control, patching applications, configuring Office macros, user application hardening, restricting admin privileges, patching operating systems, multi-factor authentication, and regular backups.
What is the Essential Eight?
The Essential Eight is a baseline of eight cyber security mitigation strategies published by the Australian Cyber Security Centre. It is mandatory for many Australian Government departments and now widely used by Australian SMEs as the practical floor for cyber risk reduction.
Each strategy targets a specific class of attack:
- Application control — only approved apps can run, blocking malware
- Patch applications — close known vulnerabilities in browsers, Office and PDF readers
- Configure Microsoft Office macros — block macros from internet sources
- User application hardening — block Java, Flash, ads in browsers
- Restrict admin privileges — fewer admins, fewer breach paths
- Patch operating systems — Windows, macOS, Linux up to date
- Multi-factor authentication — one of the highest-impact controls
- Regular backups — and tested restores
Why It Matters for Brisbane SMEs
The Office of the Australian Information Commissioner reported a record number of notifiable data breaches in 2024-2025. Brisbane sectors most often impacted include health practices in Spring Hill and Chermside, accounting and legal firms in the CBD and Fortitude Valley, and trades operations across Logan and Ipswich.
Three reasons it matters:
- Privacy Act & Notifiable Data Breaches scheme — fines now reach $50 million for serious breaches; covers any business with personal data, not only those over $3M turnover
- Cyber insurance — most insurers now ask whether you have MFA, patching cadence and offline backups before they will renew
- Real-world losses — average BEC fraud loss in Australia is now around $50,000; ransomware downtime averages 8-21 days
The Eight Controls Explained
Walked through plainly, with the Brisbane SME flavour:
1. Application control
Only approved applications run. Implemented through Microsoft Defender Application Control, AppLocker or Intune policies. Stops drive-by ransomware that slips past antivirus.
2. Patch applications
Browsers, Office, Adobe Reader, Java, Zoom — patched within 48 hours of a critical CVE, two weeks for non-critical. Most SMEs use Microsoft Intune Autopatch, Action1, or NinjaOne for visibility.
3. Configure Microsoft Office macros
Macros from the internet blocked by default in Microsoft 365 (since 2022). Confirm group policy is in place; whitelist signed macros only where Excel-heavy finance teams need them.
4. User application hardening
Disable Flash, Java, OLE for non-essential users. Block ads at DNS level (e.g. CleanBrowsing or Cloudflare Gateway). Reduces drive-by infection paths.
5. Restrict admin privileges
Standard users have standard accounts. Admins use a separate, MFA-protected admin account with just-in-time elevation through Microsoft Entra Privileged Identity Management.
6. Patch operating systems
Windows 10/11, macOS, Linux servers patched within two weeks of release. Critical CVEs within 48 hours. Use Intune, Jamf, or Action1.
7. Multi-factor authentication
Number-matching MFA on every cloud and email account. Microsoft Authenticator or hardware FIDO2 keys (YubiKey). SMS as a fallback only.
8. Regular backups
3-2-1 rule: 3 copies, 2 different media, 1 off-site. Microsoft 365 cloud backup (Datto, Spanning, Veeam Cloud Connect). Test restores quarterly.
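Control 3 is the one that is easiest to assume is done and hardest to prove without looking. The following PowerShell is an added example, not part of the original guide: run on a Windows endpoint as the user being checked, it reads the registry value that the "Block macros from running in Office files from the Internet" policy sets (blockcontentexecutionfrominternet under each application's Security key) and reports whether the block is enforced by policy, merely the default the user could change, or explicitly switched off. The 16.0 version path and the three-application list are assumptions for current Microsoft 365 Apps; the Set- function is a stop-gap for an unmanaged PC, since on a managed fleet the same setting should come from group policy or Intune.

```powershell
# Added example, not from the original guide. Audits (and optionally sets) the
# "Block macros from running in Office files from the Internet" policy for the
# current user. 16.0 is the registry version used by Microsoft 365 Apps (assumption).
$OfficeApps = @('word', 'excel', 'powerpoint')
$Remediate  = $false   # set to $true to write the policy value locally on an unmanaged device

function Get-MacroInternetBlockStatus {
    param([string[]]$Applications = $OfficeApps)

    foreach ($app in $Applications) {
        # Policy location written by GPO / Intune; it overrides the user preference below
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        # User preference written by Trust Center; absent means Microsoft's 2022 default (blocked)
        $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"

        $policy = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet `
                   -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        $user   = (Get-ItemProperty -Path $userKey -Name blockcontentexecutionfrominternet `
                   -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

        $status = if ($policy -eq 1)     { 'Blocked - enforced by policy' }
                  elseif ($policy -eq 0) { 'ALLOWED by policy - remediate' }
                  elseif ($user -eq 0)   { 'ALLOWED by user preference - remediate' }
                  else                   { 'Blocked by default, not enforced (user can change it)' }

        [pscustomobject]@{
            Application = $app
            PolicyValue = $policy
            UserValue   = $user
            Compliant   = ($policy -eq 1)   # Maturity Level 1 expects the block to be enforced
            Status      = $status
        }
    }
}

function Set-MacroInternetBlockPolicy {
    # Writes the policy value for the current user. Stop-gap only: on managed
    # devices deploy the same setting through GPO or an Intune settings catalog profile.
    param([string[]]$Applications = $OfficeApps)

    foreach ($app in $Applications) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: report first; remediate and report again only if asked to
$report = Get-MacroInternetBlockStatus
$report | Format-Table -AutoSize
if ($Remediate -and ($report | Where-Object { -not $_.Compliant })) {
    Set-MacroInternetBlockPolicy
    Get-MacroInternetBlockStatus | Format-Table -AutoSize
}
```

A device where every row reads "Blocked - enforced by policy" meets the control; "blocked by default" is better than nothing but is not evidence for an audit, because a user can flip it in Trust Center. Where a finance team genuinely needs macros, keep this block in place and allow only signed macros from a trusted publisher rather than loosening the internet block.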
Maturity Levels (0-3) Demystified
Level 0
Weaknesses present in your security posture. Most SMEs start here on at least 3 of 8 controls.
Level 1
Targets opportunistic attackers using widely known tools. Realistic floor for most SMEs.
Level 2
Targets attackers willing to invest more time. Sensible for finance, legal, health practices.
Level 3
Targets adaptive attackers and APTs. Required for many government contracts.
For most Brisbane SMEs (5-50 staff), Maturity Level 1 across all eight is the realistic 12-month target. Level 2 is the 24-month plan if you handle health, finance or legal data.
Priority Order for SMEs
If you do nothing else this quarter, do these three controls — they block the largest share of real-world attacks for the lowest implementation effort:
- Multi-factor authentication everywhere: Microsoft 365, Xero, MYOB, Dropbox, anything with company data. Number-matching MFA on the Authenticator app, not SMS.
- Tested offline backups: cloud-to-cloud backup of M365 data plus an immutable on-prem copy. Test a real restore quarterly.
- Patch applications & OS within two weeks: browsers, Office, Windows updates. Most ransomware exploits vulnerabilities that were patched six months earlier and never applied.
30/60/90-Day Rollout Plan
Days 1-30: Wins
- Enable MFA for every user and admin (number-matching only)
- Set up Microsoft 365 cloud-to-cloud backup
- Confirm Windows Update for Business is on every device
- Block Office macros from the internet via group policy
- Document who has admin rights — and revoke any that are unused
Days 31-60: Tighten
- Roll out Microsoft Intune (or equivalent) for device compliance
- Enable Conditional Access — block legacy authentication
- Implement Defender for Endpoint or comparable EDR
- Run a phishing simulation; remediate any exposed users
Days 61-90: Mature
- Application allow-listing on managed endpoints (AppLocker / WDAC)
- Just-in-time admin via Microsoft Entra PIM
- Quarterly restore tests documented
- Cyber insurance review with new controls
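Three of the Days 1-30 and 31-60 items (MFA for every user, block legacy authentication, document admin rights) can be driven from the Microsoft Graph PowerShell SDK rather than clicked through the portal. The script below is an added example and is not part of the original guide or a Microsoft sample: it lists the holders of the most sensitive built-in roles so unused admin rights can be revoked, then creates the two Conditional Access policies in report-only mode so you can read the sign-in logs before enforcing them. It assumes the Microsoft.Graph modules are installed, that the signed-in admin can consent to the listed scopes, and that you have a break-glass account; its object id is a placeholder you must replace.

```powershell
# Added example, not from the original guide. Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement).
# PLACEHOLDER: object id of your break-glass (emergency access) account, which every
# Conditional Access policy must exclude so a misconfigured policy cannot lock you out.
$BreakGlassUserId = '00000000-0000-0000-0000-000000000000'

$scopes = @('Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
            'Application.Read.All', 'RoleManagement.Read.Directory')
Connect-MgGraph -Scopes $scopes -NoWelcome

function Get-PrivilegedRoleHolders {
    # Inventory for the "document who has admin rights" step. Roles that have never been
    # assigned are not activated in the tenant and are simply skipped.
    param([string[]]$RoleNames = @('Global Administrator', 'Privileged Role Administrator',
                                   'Exchange Administrator', 'User Administrator'))
    foreach ($name in $RoleNames) {
        $role = Get-MgDirectoryRole -Filter "displayName eq '$name'" -ErrorAction SilentlyContinue
        if (-not $role) { continue }
        Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
            $props = $_.AdditionalProperties
            $label = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
            [pscustomobject]@{
                Role      = $name
                Principal = $label
                Type      = $props['@odata.type']   # users, groups and service principals all show up here
                Id        = $_.Id
            }
        }
    }
}

function New-ReportOnlyCaPolicy {
    # Creates a Conditional Access policy in report-only state; idempotent on re-run.
    param(
        [Parameter(Mandatory)] [string]$DisplayName,
        [Parameter(Mandatory)] [hashtable]$Conditions,
        [Parameter(Mandatory)] [string[]]$BuiltInControls
    )
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$DisplayName'"
    if ($existing) { return $existing }

    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'   # review sign-in logs, then switch to 'enabled'
        conditions    = $Conditions
        grantControls = @{ operator = 'OR'; builtInControls = $BuiltInControls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy 1: require MFA for every user on every cloud app, break-glass excluded
$mfaConditions = @{
    users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}
# Policy 2: block legacy authentication. Exchange ActiveSync and "other clients" (IMAP, POP,
# SMTP AUTH, older Office) cannot perform MFA, so they are the path password sprays take.
$legacyConditions = @{
    users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('exchangeActiveSync', 'other')
}

Get-PrivilegedRoleHolders | Format-Table -AutoSize
New-ReportOnlyCaPolicy -DisplayName 'E8 - Require MFA for all users' -Conditions $mfaConditions -BuiltInControls @('mfa')
New-ReportOnlyCaPolicy -DisplayName 'E8 - Block legacy authentication' -Conditions $legacyConditions -BuiltInControls @('block')
```

Leave both policies in report-only mode for a week or two and check the sign-in logs for anything that would have been blocked (a multifunction printer scanning to email over SMTP AUTH is the usual surprise), then move them to enforced with Update-MgIdentityConditionalAccessPolicy. The role inventory is worth exporting to CSV and attaching to the audit file, since that document is exactly what a cyber insurer or Level 1 assessor asks for.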
Microsoft 365 Makes Most of This Easy
Most Brisbane SMEs already pay for Microsoft 365. The real question is which plan:
| M365 Plan | Per User / Month | Essential Eight Coverage |
|---|---|---|
| Business Basic | ~$11 | MFA only — limited security |
| Business Standard | ~$22 | MFA + basic anti-phishing — minimum recommended |
| Business Premium | ~$33 | Most Essential Eight controls included — recommended floor |
| Microsoft 365 E3 / E5 | ~$55-90 | Full Essential Eight + advanced threat protection |
Best value: M365 Business Premium gives you Conditional Access, Intune, Defender, and AIP for around the cost of two flat whites a week per user. We rebuild most Brisbane SME licensing onto Premium during a security audit.
Storm Season Backup Tips for SEQ
Brisbane storm season (October-March) regularly knocks out power, fries unprotected NAS units, and corrupts on-prem backups. We have walked into Logan and Ipswich offices the morning after lightning where the server, the backup NAS, and the UPS were all fried in one strike.
- Cloud-first backups for M365 and on-prem servers (Datto, Veeam Cloud Connect, Acronis)
- UPS on any on-prem server (1500VA min) with surge protection
- Immutable copies — backups that cannot be encrypted by ransomware (Datto, Veeam, S3 Object Lock)
- Quarterly restore drills — never trust an untested backup
What It Costs in Brisbane
| Service | Effort | Cost |
|---|---|---|
| Initial security audit (1-2hr onsite + report) | Half day | From $410 |
| Essential Eight gap assessment (4hr) | Half day | From $820 |
| Microsoft 365 hardening (per tenant) | 1-2 days | $410-$820 |
| MFA rollout (varies by user count) | 2-6 hours | $205-$615 |
| Managed security plan | Ongoing | From $99/user/month |
| Onsite hourly rate | — | $205/hr |
| Remote hourly rate | — | $125/hr |
Quick win: Enabling number-matching MFA on Microsoft 365 takes one admin under 30 minutes and stops over 99% of credential-stuffing attacks. Do it this week.
Common mistake: Treating the Essential Eight as a one-off project. It is a living posture — patches keep coming, staff keep changing, and attackers adapt. Build it into a monthly cadence or a managed service plan.
Need an Essential Eight Assessment?
Half-day onsite assessment, full report, action plan and pricing — across Greater Brisbane.
Book a Security Audit — From $410
Half-day audit, M365 hardening, MFA rollout, documented controls and a 90-day plan. ACSC-aligned templates, Privacy Act mapping, cyber-insurance friendly. From $1,640 for SMEs under 25 staff.