What Essential Eight Maturity Level Does Your Business Need?
21 Apr 2026

Leon Liberchuk
Most businesses hear 'Essential Eight' and assume they need the highest level. They don't. This guide explains the three maturity levels, why Level 2 is the right target for most professional services businesses, and how to assess where you stand in under an hour.

What the Essential Eight is
The Essential Eight is a set of eight cyber security strategies published by the Australian Signals Directorate. It was designed to help organisations protect themselves against the most common types of cyber attacks.
The framework covers controls such as keeping software up to date, restricting who has admin access, using multi-factor authentication, and making sure backups work and can be restored. None of it is new or radical. Most of it is the kind of work a competent IT provider should already be doing for you.
The reason it matters now is that insurers, clients and regulators are increasingly using the Essential Eight as a benchmark. If someone asks whether your business is "Essential Eight compliant", they are asking whether you have implemented these eight strategies to a recognised standard.
The framework is not prescriptive about how you implement it. It sets the outcome and lets you decide how to get there based on your size, your industry, and the systems you run.

The 3 maturity levels and what they mean for your business
Each of the eight strategies can be implemented at one of three maturity levels. Level 1 is the baseline. Level 2 is where most well-managed businesses should be operating. Level 3 is designed for organisations facing sophisticated, targeted threats.
The maturity levels are not a ranking system. They are a way of matching your defences to the threats your business is most likely to face. A 40-person accounting firm in Melbourne does not need the same level of hardening as a federal government agency.
For most professional services businesses with 50 to 500 staff, Level 2 is the target. It covers the controls that insurers and clients are asking about, without requiring the kind of investment that only makes sense for high-risk government or defence environments.

Why most professional services businesses don't need Maturity Level 3
Level 3 is built for organisations that expect to be targeted by well-resourced, persistent attackers. Think intelligence agencies, critical infrastructure, and defence contractors.
If your business provides legal, accounting, wealth management or financial planning services, the threats you face are opportunistic, not targeted. Attackers are scanning the internet for weak spots. They are not sitting in a room building custom exploits for your specific business.
Implementing Level 3 when Level 2 is appropriate is expensive, disruptive, and adds friction to daily operations without meaningfully reducing your risk. Any provider who pushes Level 3 without a clear reason should be asked to explain who they think is specifically targeting your business and why.

How to do an Essential Eight self-assessment in under an hour
You do not need a consultant to understand where you stand. Start with the ASD's Essential Eight Maturity Model and work through each of the eight strategies one at a time.
For each strategy, ask your IT provider (or yourself, if you manage IT internally) three questions. Are we doing this? At what level? And where is the evidence?
Patching is a good example. Are your applications and operating systems being patched within the timeframes the framework specifies? Can your provider show you a report that proves it? If the answer to either question is no, you have found your first gap.
Write down where you land on each of the eight. You will end up with a simple grid that shows which strategies are at Level 1, which are at Level 2, and which are not being done at all. That grid is worth more than most 30-page audit reports.
If you find gaps, do not panic. Every business has gaps. The point of the assessment is to know where they are so you can close them in order of priority rather than guessing.

What Essential Eight Maturity Level 2 looks like in practice
At Level 2, your business is patching applications and operating systems within a defined timeframe, typically within two weeks of a patch being released, or 48 hours for critical vulnerabilities. Multi-factor authentication is enabled on every externally facing system. Admin privileges are tightly restricted and reviewed regularly.
Backups are automated, stored offline or in immutable storage, and tested on a schedule. Microsoft Office macros are disabled for users who do not need them. Application control restricts what software can run on your machines.
In practice, Level 2 means your business can answer "yes" to most of the questions a cyber insurer will ask on a renewal questionnaire. It also means you can pass the due diligence checks that larger clients are now running on their professional advisers.
This is the level a reputable managed IT provider will be working towards with you. If your current provider has not raised the Essential Eight with you, it is worth asking them why.
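One way to turn the patching evidence question into a repeatable check, using the two-week and 48-hour timeframes stated above. This is an added example, not part of the original article or any provider's tooling; the host names, patch ids and dates are constructed, and the status labels are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
# Patch timeframes as stated in this article for Maturity Level 2.
ROUTINE_WINDOW = timedelta(days=14)    # two weeks for ordinary patches
CRITICAL_WINDOW = timedelta(hours=48)  # 48 hours for critical vulnerabilities

@dataclass
class PatchRecord:
    host: str
    patch_id: str                  # placeholder ids, not real vendor patch numbers
    critical: bool
    released: datetime             # when the vendor published the patch
    installed: Optional[datetime]  # None means not yet deployed on this host
def deadline_for(rec: PatchRecord) -> datetime:
    # Latest acceptable install time under the Level 2 timeframes.
    return rec.released + (CRITICAL_WINDOW if rec.critical else ROUTINE_WINDOW)

def assess(rec: PatchRecord, as_of: datetime) -> Tuple[str, float]:
    """Classify one record and return (status, hours past its deadline)."""
    deadline = deadline_for(rec)
    if rec.installed is not None:
        if rec.installed <= deadline:
            return "on_time", 0.0
        return "late", (rec.installed - deadline).total_seconds() / 3600
    if as_of <= deadline:
        return "pending", 0.0  # still inside its window, no gap yet
    return "overdue", (as_of - deadline).total_seconds() / 3600

def patch_report(records: List[PatchRecord], as_of: datetime):
    """Count records per status and list breaches, worst first."""
    counts = {"on_time": 0, "late": 0, "pending": 0, "overdue": 0}
    gaps = []
    for rec in records:
        status, hours_over = assess(rec, as_of)
        counts[status] += 1
        if status in ("late", "overdue"):
            gaps.append((rec.host, rec.patch_id, status, hours_over))
    gaps.sort(key=lambda g: g[3], reverse=True)  # largest breach first
    return counts, gaps

# Constructed sample export: hosts, patch ids and dates are made up.
AS_OF = datetime(2026, 4, 21)  # the date the report is run
SAMPLE = [
    PatchRecord("ws-01", "PATCH-A", False, datetime(2026, 4, 1), datetime(2026, 4, 10)),
    PatchRecord("ws-02", "PATCH-A", False, datetime(2026, 4, 1), datetime(2026, 4, 20)),
    PatchRecord("srv-01", "PATCH-B", True, datetime(2026, 4, 18, 9), datetime(2026, 4, 19, 15)),
    PatchRecord("srv-02", "PATCH-B", True, datetime(2026, 4, 18, 9), None),
    PatchRecord("ws-03", "PATCH-C", False, datetime(2026, 4, 15), None),
]
```

Running `patch_report(SAMPLE, AS_OF)` on the constructed data gives two on time, one late, one pending and one overdue, with ws-02 (five days late) listed ahead of srv-02 (15 hours past its 48-hour window). A provider's real patch export, mapped onto `PatchRecord`, gives you the evidence report the self-assessment asks for.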

When to bring in outside help and what it should cost
If your IT is managed internally and nobody on the team has done an Essential Eight assessment before, outside help makes sense. The same applies if your current managed IT provider cannot explain where you sit on the maturity model.
A standalone Essential Eight assessment for a business with 50 to 200 staff typically takes one to two weeks and costs between $5,000 and $15,000 depending on complexity. That should include a written report, a gap analysis, and a prioritised remediation plan.
Be cautious of providers who quote a fixed price without asking about your environment first. The cost should reflect the number of users, the number of systems, and how much of the work has already been done by your existing provider.
The assessment itself is not the expensive part. The value is in knowing exactly where you stand, so you can make informed decisions about what to fix first and what can wait.