The Essential Eight Controls, Explained Simply
The ACSC's eight mitigation strategies in plain English. What each one is, why it matters, and what putting it in place actually looks like for a small Australian business.
The short version
- What it is: The Essential Eight is the Australian Signals Directorate's baseline set of eight mitigation strategies that, together, block the most common ways small businesses get attacked.
- The eight, grouped: Some strategies prevent attacks landing, some limit the damage if one does, and some help you recover. They're designed to work as a set, not a pick-and-mix.
- Where to start: Maturity Level One is the realistic baseline; the ACSC's advice is to get all eight to the same level before pushing any one of them higher.
- Be honest about effort: A few of the eight are an afternoon's work; others need a named owner and an ongoing routine, so treat it as a programme rather than a one-off tick-box.
If you run a small Australian business, you’ve probably heard the term “Essential Eight” thrown around by an IT provider, an insurer, or a tender document, and been left wondering what it actually asks of you. This guide walks through the eight essential eight controls in plain English: what each one is, why it matters, and what “doing it” looks like day to day.
The good news is that the Essential Eight isn’t a mountain of jargon. It’s eight practical things the Australian Signals Directorate (ASD) recommends every organisation put in place, because together they stop the overwhelming majority of common attacks. Some take an afternoon. A few need a named owner and an ongoing habit. None of them require you to be technical to understand.
What is the Essential Eight?
The Essential Eight is the ASD’s baseline set of eight mitigation strategies (published by the Australian Cyber Security Centre, the ACSC) that work together to protect organisations from the most common cyber threats.
It started life as the most effective slice of a much longer list of strategies to mitigate cyber security incidents. The ACSC distilled that list down to the eight that give the best return for the effort, and called them the Essential Eight. They’re grouped by intent: some strategies prevent attacks from landing, some limit the extent of an attack that gets through, and some help you recover your data and systems afterwards.
The point of the grouping is that no single control does everything. Multi-factor authentication won’t help if ransomware has already wiped your files; backups won’t help if an attacker can simply turn them off. The eight are designed as a set, which is why the ACSC’s standing advice is to bring them all up to the same standard rather than perfecting one and ignoring the rest.
A quick word on "maturity"
The Essential Eight comes with a maturity model running from Maturity Level Zero up to Maturity Level Three. Level One is the baseline most small businesses should aim for first. It's about being partly aligned with each strategy and standing up to the everyday, widely available attacker tools. We keep maturity light here on purpose; if you want the detail, the maturity levels explained guide goes deep.
The eight controls, one by one
The eight mitigation strategies are: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, configure Microsoft Office macro settings, user application hardening, and regular backups.
Here’s what each one means without the acronyms, plus an honest note on whether it’s a quick win or something that needs an owner.
1. Patch applications. Keep the software your team uses, such as browsers, email clients, PDF readers and productivity apps, up to date so known security holes get fixed. Why it matters: attackers love unpatched software because the weaknesses are public knowledge. What doing it looks like: turning on automatic updates where you can, and having someone responsible for the apps that don’t update themselves. Mostly quick, but needs a routine.
2. Patch operating systems. The same idea, applied to Windows, macOS, and the operating systems on your servers and devices. Why it matters: an out-of-date operating system is one of the easiest doors to walk through. What doing it looks like: enabling OS updates and retiring devices too old to receive them. Quick to start, ongoing to maintain.
3. Multi-factor authentication (MFA). Add a second step on top of passwords (a code, an app prompt, a hardware key) so a stolen password isn’t enough on its own. Why it matters: most account takeovers start with a leaked or guessed password. What doing it looks like: switching MFA on for email, remote access, and any system holding important data. One of the highest-value quick wins.
4. Restrict administrative privileges. Make sure only the people who genuinely need “admin” access have it, and that they use those accounts only for admin tasks. Why it matters: an admin account is a master key; if one is compromised, the damage is far wider. What doing it looks like: reviewing who has admin rights and stripping back anything that isn’t needed. Needs a named owner and a periodic review.
5. Application control. Allow only approved software to run on your devices, so unknown or malicious programs simply can’t execute. Why it matters: it stops a lot of malware dead, even brand-new strains. What doing it looks like: deciding what’s allowed to run and enforcing it — usually the most involved of the eight. A bigger project; plan it deliberately.
6. Configure Microsoft Office macro settings. Control or block the little automation scripts (macros) inside Office documents, since they’re a classic delivery method for malware. Why it matters: a macro hidden in an emailed spreadsheet has been a favourite attack route for years. What doing it looks like: turning off macros by default and only allowing them from trusted, vetted sources. Moderate effort; mostly a settings change with a policy behind it.
7. User application hardening. Tighten the settings on the software people use every day, for example by blocking risky web content and unnecessary features in browsers. Why it matters: default settings are built for convenience, not safety, and attackers exploit the gap. What doing it looks like: applying recommended hardening settings across your fleet. Moderate; benefits from a consistent baseline.
8. Regular backups. Keep recent, tested, restorable copies of your important data, and protect those backups so an attacker can’t reach them. Why it matters: when prevention fails, a good backup is the difference between a bad day and a closed business. What doing it looks like: automating backups, storing a copy out of reach, and actually testing that you can restore. Easy to set up, often neglected to test.
The Essential Eight isn’t a checklist you finish. It’s a baseline you keep standing up, week after week.
Why the Essential Eight is the right starting point
For a small Australian business, the Essential Eight is the most credible baseline because it’s the national authority’s own list, it’s threat-driven, and it’s deliberately small enough to actually complete.
A lot of cyber advice is either too vague (“be careful online”) or so exhaustive it never gets started. The Essential Eight sits in between: eight concrete things, prioritised by the ASD because they block the attacks businesses genuinely face. That focus is the whole value — you’re not guessing what matters, you’re working from the list the ACSC put at the top.
It’s worth being clear about who it applies to. The Essential Eight is mandatory for many Australian Government entities. For most private small businesses it’s a strongly recommended baseline rather than a legal requirement. You may still find yourself needing it because a larger customer, an insurer, or a government-adjacent contract asks you to demonstrate it. If you’re weighing it against the SMB1001 standard, our guide on the Essential Eight versus SMB1001 talks through which an Australian SME might sensibly start with.
If you’d like to see where you currently stand before committing to a plan, a plain-language run-through helps. Our Essential Eight checklist walks you through a simple self-assessment, control by control, so you can see which of the eight you’ve already got and which need attention.
Quick wins versus the ones that need an owner
Be honest with yourself about effort: MFA and backups are fast wins, while application control and restricting admin privileges need a named owner and a bit of planning.
It helps to split the eight into two mental buckets when you start:
- Fast, high-value moves you can make soon: turning on MFA, enabling automatic updates for applications and operating systems, and getting automated backups running. These don’t need a specialist and pay off immediately.
- The ones that need someone to own them: application control, restricting administrative privileges, hardening user applications, and managing Office macros. None are out of reach, but they involve decisions about what’s allowed and a person responsible for keeping it that way.
The mistake to avoid is doing only the easy half. Because the eight are designed to cover different gaps, a wall with four strong panels and four missing ones still has a hole an attacker can walk through. The aim is to get all eight to the same baseline (Maturity Level One), then decide, deliberately, whether your business needs to go higher.
This is exactly the kind of work SecurSentry is building to make less daunting: turning the Essential Eight from a wall of jargon into a clear sequence of things to put in place, with the routine controls tracked so they don’t quietly slip. For now, the most useful next step is simply knowing the eight and where you stand against them.
Ready to keep going? Start with the Essential Eight topic guide for the full picture, or jump straight to the maturity levels explained to understand how far you should take each control.