Most businesses hear 'Essential Eight' and assume they need the highest level. They don't. This guide explains the three target maturity levels, why Level Two is a sensible target for most professional services businesses, and how to assess where you stand in under an hour.

What the Essential Eight is
The Essential Eight is a set of eight cyber security strategies published by the Australian Signals Directorate. It was designed to help organisations protect themselves against the most common types of cyber attacks.
The framework covers things like keeping software up to date, restricting who has admin access, using multi-factor authentication, and making sure backups work. None of it is new or radical. Most of it is the kind of work a competent IT provider should already be doing for you.
The reason it matters now is that insurers, clients and regulators are increasingly using the Essential Eight as a benchmark. If someone asks whether your business is “Essential Eight compliant”, they usually mean whether you have implemented the Essential Eight to a recognised maturity level and can provide evidence of that implementation.
The framework is prescriptive about the outcomes and requirements expected at each maturity level but organisations still need to decide how best to implement those controls based on their environment, systems, risk and exceptions.

The three target maturity levels and what they mean for your business
Each of the eight strategies is assessed against the target maturity levels from Level One to Level Three. Level One is the baseline. Level Two is where many well-managed professional services businesses should be aiming. Level Two is designed for organisations facing sophisticated, targeted threats.
The maturity levels are not a ranking system. They are a way of matching your defences to the threats your business is most likely to face. A 40-person accounting firm in Melbourne may not need the same level of hardening as a federal government agency but the right target should still be based on the firm’s data, clients, systems and contractual obligations.
For most professional services businesses with 50 to 500 staff, Level Two is often the target. It covers the controls that insurers and clients are asking about, without requiring the kind of investment that only makes sense for high-risk government or defence environments.

Why most professional services businesses may not need Maturity Level Three
Level Three is built for organisations that may face well-resourced, persistent attackers. This can include businesses connected to government, defence, critical infrastructure, sensitive commercial work or high-value targets.
If your business provides legal, accounting, wealth management or financial planning services, the threats you face are often opportunistic and semi-targeted. Attackers scan the internet for weak spots but they can also go after businesses that work with their real target. That makes professional services firms an attractive entry point.
Level Three has its place. It may be appropriate for businesses with higher risk profiles, regulatory obligations, government or enterprise contracts, or a realistic chance of being specifically targeted. But if Level Two is the right fit, jumping to Level Three can add cost, disruption and unnecessary friction. Any provider recommending Level Three should be able to explain exactly why the uplift is needed.

How to do an Essential Eight self-assessment in under an hour
You do not need a consultant to understand where you stand. Start with the ASD's Essential Eight Maturity Model and work through each of the eight strategies one at a time.
For each strategy, ask your IT provider (or yourself, if you manage IT internally) three questions. Are we doing this? At what level? And where is the evidence?
Patching is a good example. Are your applications and operating systems being patched within the timeframes the framework specifies? Can your provider show you a report that proves it? If the answer to either question is no, you have found your first gap.
Write down where you land on each of the eight. You will end up with a simple grid that shows which strategies are at Level One, which are at Level Two, and which are not being done at all. That grid is worth more than most 30-page audit reports.
If you find gaps, do not panic. Every business has gaps. The point of the assessment is to know where they are so you can close them in order of priority rather than guessing.
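The grid the self-assessment produces can be kept as a small script rather than a spreadsheet. The following is an added example, not code from the article or its author: it records the answers to the three questions for each of the eight strategies, treats a level claimed without evidence as unverified, and orders the gaps against a Level Two target. The sample answers are constructed for a hypothetical firm. It also assumes ASD's convention that the overall maturity level is the lowest level attained across all eight strategies, which is why one missing strategy pulls the overall result down to zero.

```python
from dataclasses import dataclass

# The eight mitigation strategies, in the order ASD lists them in the
# Essential Eight Maturity Model.
STRATEGIES = [
    "application control",
    "patch applications",
    "configure Microsoft Office macro settings",
    "user application hardening",
    "restrict administrative privileges",
    "patch operating systems",
    "multi-factor authentication",
    "regular backups",
]

TARGET_LEVEL = 2  # the target the article suggests for most professional services firms


@dataclass
class Finding:
    """One row of the self-assessment grid: the answers to the three questions."""
    strategy: str
    level: int          # "At what level?": 0 = not being done, 1..3 = maturity level
    evidence: str = ""  # "Where is the evidence?": report or export name, "" if none shown


def effective_level(finding):
    """A level claimed without evidence is recorded as 0 (unverified)."""
    if finding.strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {finding.strategy}")
    if not 0 <= finding.level <= 3:
        raise ValueError(f"level must be 0..3: {finding.level}")
    return finding.level if finding.evidence else 0


def build_grid(findings, target=TARGET_LEVEL):
    """Return one row per strategy; strategies with no finding count as level 0."""
    by_name = {f.strategy: f for f in findings}
    rows = []
    for name in STRATEGIES:
        f = by_name.get(name)
        level = effective_level(f) if f else 0
        rows.append({
            "strategy": name,
            "level": level,
            "evidence": bool(f and f.evidence),
            "gap": max(0, target - level),
        })
    return rows


def overall_level(findings):
    """Assumption: ASD reports overall maturity as the lowest level attained across all eight."""
    return min(row["level"] for row in build_grid(findings))


def prioritised_gaps(findings, target=TARGET_LEVEL):
    """Strategies below target, largest shortfall first, ties in ASD's listed order."""
    grid = build_grid(findings, target)
    order = {name: i for i, name in enumerate(STRATEGIES)}
    gaps = [row for row in grid if row["gap"] > 0]
    return sorted(gaps, key=lambda row: (-row["gap"], order[row["strategy"]]))


def format_grid(findings, target=TARGET_LEVEL):
    lines = [f"{'strategy':<42} {'level':>5} {'evidence':>8} {'gap':>3}"]
    for row in build_grid(findings, target):
        lines.append(f"{row['strategy']:<42} {row['level']:>5} "
                     f"{'yes' if row['evidence'] else 'no':>8} {row['gap']:>3}")
    lines.append(f"overall maturity level: {overall_level(findings)} (target {target})")
    return "\n".join(lines)


# Constructed sample answers for a hypothetical firm; not real assessment data.
SAMPLE_FINDINGS = [
    Finding("application control", 0),
    Finding("patch applications", 2, "RMM patch compliance report"),
    Finding("configure Microsoft Office macro settings", 2, "Group Policy export"),
    Finding("user application hardening", 1, "browser policy export"),
    Finding("restrict administrative privileges", 2),  # claimed, but no report shown
    Finding("patch operating systems", 2, "RMM patch compliance report"),
    Finding("multi-factor authentication", 3, "identity provider MFA enforcement report"),
    Finding("regular backups", 1, "backup job log and last restore test"),
]

if __name__ == "__main__":
    print(format_grid(SAMPLE_FINDINGS))
    for row in prioritised_gaps(SAMPLE_FINDINGS):
        print(f"fix next: {row['strategy']} (short by {row['gap']} level(s))")
```

The evidence rule is the part worth keeping: a provider saying "admin rights are restricted" with nothing to show lands in the gap list alongside a control that is not implemented at all, which is exactly how an insurer or client due-diligence reviewer will treat it.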

What Essential Eight Maturity Level Two looks like in practice
At Level Two, your business is patching applications and operating systems within a defined timeframe, typically within two weeks of a patch being released, or 48 hours for critical vulnerabilities. Multi-factor authentication is enabled on every externally facing system. Admin privileges are tightly restricted and reviewed regularly.
Backups are automated, stored offline or in immutable storage, and tested on a schedule. Microsoft Office macros are disabled for users who do not need them. Application control restricts what software can run on your machines.
In practice, Level Two means your business can answer "yes" to most of the questions a cyber insurer will ask on a renewal questionnaire. It also means you can pass the due diligence checks that larger clients are now running on their professional advisers.
This is the level a reputable managed IT provider will be working towards with you. If your current provider has not raised the Essential Eight with you, it is worth asking them why.
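The patching question from the self-assessment ("can your provider show you a report that proves it?") can be checked directly against the timeframes quoted above. The following is an added example, not code from the article or its author: it takes patch records of the kind an RMM or patch-management export provides and classifies each against the two windows stated on this page, two weeks normally and 48 hours for critical vulnerabilities. The records, hostnames and the "critical"/"normal" severity labels are constructed; ASD's own timeframe wording is more detailed than these two windows, so the thresholds are the assumption to adjust.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Patching windows as quoted in the article for Level Two. Assumption: the
# severity label comes from your patch tooling's classification.
WINDOWS = {
    "critical": timedelta(hours=48),
    "normal": timedelta(days=14),
}


@dataclass
class PatchRecord:
    host: str
    package: str
    severity: str                 # "critical" or "normal"
    released: datetime            # vendor release time
    applied: Optional[datetime]   # None if the patch is not yet installed


def deadline_for(record):
    """Release time plus the window for that severity."""
    if record.severity not in WINDOWS:
        raise ValueError(f"unknown severity: {record.severity}")
    return record.released + WINDOWS[record.severity]


def assess(record, now):
    """Classify one record: on_time, late (applied after deadline),
    overdue (still missing past deadline) or pending (missing, still in window)."""
    deadline = deadline_for(record)
    if record.applied is None:
        status = "overdue" if now > deadline else "pending"
        finished = now
    else:
        status = "on_time" if record.applied <= deadline else "late"
        finished = record.applied
    return {
        "host": record.host,
        "package": record.package,
        "severity": record.severity,
        "deadline": deadline,
        "status": status,
        "days_over": max(0.0, (finished - deadline).total_seconds() / 86400),
    }


def summarise(records, now):
    """Compliance rate plus the list of records that missed their window."""
    results = [assess(r, now) for r in records]
    failures = [r for r in results if r["status"] in ("late", "overdue")]
    return {
        "checked": len(results),
        "failures": failures,
        "rate": 1.0 - len(failures) / len(results) if results else 1.0,
    }


# Constructed sample export; times are naive local times for a hypothetical firm.
NOW = datetime(2024, 3, 20, 9, 0)
SAMPLE_PATCH_LOG = [
    PatchRecord("FS01", "OS cumulative update", "normal",
                datetime(2024, 3, 1, 0, 0), datetime(2024, 3, 10, 14, 0)),
    PatchRecord("WS-014", "PDF reader update", "critical",
                datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 7, 8, 0)),   # 71 hours
    PatchRecord("WS-021", "browser update", "normal",
                datetime(2024, 3, 1, 0, 0), None),                         # still missing
    PatchRecord("DB02", "OS security update", "critical",
                datetime(2024, 3, 18, 10, 0), datetime(2024, 3, 19, 9, 0)),
    PatchRecord("WS-030", "office suite update", "normal",
                datetime(2024, 3, 15, 0, 0), None),                        # in window
]

if __name__ == "__main__":
    summary = summarise(SAMPLE_PATCH_LOG, NOW)
    print(f"{summary['checked']} records, compliance {summary['rate']:.0%}")
    for f in summary["failures"]:
        print(f"{f['status']:<8} {f['host']:<8} {f['package']} "
              f"(deadline {f['deadline']:%Y-%m-%d %H:%M}, {f['days_over']:.1f} days over)")
```

A report that only shows "patches installed" does not answer the question; the release date has to be in the export too, otherwise the window cannot be measured and the control stays in the "no evidence" column of your grid.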

When to bring in outside help and what it should cost
If your IT is managed internally and nobody on the team has done an Essential Eight assessment before, outside help makes sense. The same applies if your current managed IT provider cannot explain where you sit on the maturity model.
A standalone Essential Eight assessment for a business with 50 to 200 staff typically takes one to two weeks and costs between $5,000 and $15,000 depending on complexity. That should include a written report, a gap analysis, and a prioritised remediation plan.
Be cautious of providers who quote a fixed price without asking about your environment first. The cost should reflect the number of users, the number of systems, and how much of the work has already been done by your existing provider.
The assessment itself is not the expensive part. The value is in knowing exactly where you stand, so you can make informed decisions about what to fix first and what can wait.
If you are not sure where your business sits today, start with a simple Essential Eight review. You do not need to fix everything at once. You need a clear view of the gaps, the risks, and the order they should be addressed.
What Essential Eight Maturity Level Does Your Business Need?

Leon Liberchuk

