
Understanding the Essential Eight: Australia's Cybersecurity Baseline

20 October 2025, updated 13 February 2026. 9 min read. By Affinity MSP

What Is the Essential Eight?

The Essential Eight is a set of cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) to help organisations protect themselves against cyber threats. Originally published as the "Top 4" in 2012, it was expanded to eight strategies and has become the de facto cybersecurity standard for Australian businesses and government agencies.

The Essential Eight framework is designed to prevent cyberattacks, limit their impact, and ensure data availability. It is recommended for all Australian organisations regardless of size or industry.

The Eight Mitigation Strategies Explained

1. Application Control

Only approved applications are allowed to execute on your systems. This prevents malware, ransomware, and unauthorised software from running. For businesses, this means maintaining a whitelist of approved applications and blocking everything else.

2. Patch Applications

Security patches for applications must be applied within a defined timeframe — ideally within 48 hours for critical vulnerabilities. Unpatched applications are one of the most common attack vectors. Our free scan checks your public-facing applications for known CVE vulnerabilities that indicate missing patches.

3. Configure Microsoft Office Macro Settings

Microsoft Office macros are a common delivery mechanism for malware. The ASD recommends blocking macros from the internet, only allowing vetted macros in trusted locations, and logging macro execution.
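To make the macro configuration concrete, here is an added PowerShell audit script (it is not from Affinity MSP, the ASD, or any scan product) that reads the Office policy registry values behind the settings described above and reports, per application, whether macros from the internet are blocked and which macro security level is enforced. It assumes Office 2016 or later / Microsoft 365 Apps (registry version 16.0) and that the settings are delivered by Group Policy into HKCU:\Software\Policies, which is also what stops users from changing them; the Finding labels are this example's own wording.

```powershell
# Added example, not ASD or Affinity MSP code: audit the Office macro policy
# values behind the Essential Eight macro control for the current user.
# Assumes Office 2016+/Microsoft 365 Apps (registry version "16.0") and that
# settings are delivered as policy under HKCU:\Software\Policies.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher'
$policyRoot = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # key or value absent: the policy is not set
    }
}

# Documented meanings of the VBAWarnings policy value
$vbaMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable with notification'
    3 = 'Disable except digitally signed'
    4 = 'Disable all without notification'
}

$report = foreach ($app in $apps) {
    $sec = "$policyRoot\$app\Security"

    # "Block macros from running in Office files from the Internet" policy
    $blockInternet = Get-PolicyValue -Path $sec -Name 'blockcontentexecutionfrominternet'
    # "VBA Macro Notification Settings" policy
    $vbaWarnings   = Get-PolicyValue -Path $sec -Name 'VBAWarnings'
    # "Disable all trusted locations" policy; if set, vetted macros placed in
    # trusted locations will not run, so this is reported for context
    $allLocationsDisabled = Get-PolicyValue -Path "$sec\Trusted Locations" -Name 'AllLocationsDisabled'

    $macroSetting = if ($null -eq $vbaWarnings) { 'Not set by policy' } else { $vbaMeaning[[int]$vbaWarnings] }

    # Finding labels are this example's own; 3 and 4 are the restrictive levels
    $finding = if ($blockInternet -ne 1) { 'Internet macros not blocked' }
               elseif ($null -eq $vbaWarnings -or [int]$vbaWarnings -lt 3) { 'Unvetted macros can run' }
               else { 'Aligned' }

    [pscustomobject]@{
        Application              = $app
        BlockMacrosFromInternet  = ($blockInternet -eq 1)
        MacroSetting             = $macroSetting
        TrustedLocationsDisabled = ($allLocationsDisabled -eq 1)
        Finding                  = $finding
    }
}

$report | Format-Table -AutoSize
$report
```

Run it in the context of an ordinary user account, since Office policy lives in HKCU; a row showing "Not set by policy" means the user, not Group Policy, controls that setting, which by itself falls short of the control regardless of what the user has chosen.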

4. User Application Hardening

Web browsers and email clients should be configured to block ads, Java, and Flash. PDF viewers should disable JavaScript. These measures reduce the attack surface available to adversaries targeting end users.

5. Restrict Administrative Privileges

Admin accounts should only be used for administrative tasks. Privileged access should be limited to the minimum required, regularly reviewed, and protected with strong authentication. Our scan can detect exposed admin panels that are accessible from the internet.

6. Patch Operating Systems

Like application patching, operating system patches must be applied promptly. Systems running unsupported operating systems (such as Windows Server 2012 or older Linux kernels) should be upgraded or isolated.

7. Multi-Factor Authentication (MFA)

MFA should be implemented for all remote access, privileged accounts, and internet-facing services. Our scan identifies exposed remote access services (RDP, VPN, Citrix) that may lack MFA protection.

8. Regular Backups

Important data, software, and configuration settings must be backed up regularly. Backups should be tested, stored offline or in a separate environment, and protected from unauthorised access.

Essential Eight Maturity Levels

The ASD defines three maturity levels for each strategy:

  • Maturity Level One — partly aligned with the strategy, providing basic protection against common threats
  • Maturity Level Two — mostly aligned, protecting against more sophisticated adversaries
  • Maturity Level Three — fully aligned, providing the highest level of protection

Most Australian small businesses operate below Maturity Level One. The goal should be to achieve at least Maturity Level One across all eight strategies as a starting point.

How a Free Scan Helps You Assess Compliance

Affinity MSP's free cybersecurity assessment at affinityscan.com.au checks several aspects that directly relate to Essential Eight compliance:

  • Patch Applications — we detect known CVE vulnerabilities on your public-facing servers and applications
  • Restrict Administrative Privileges — we identify exposed admin panels, management interfaces, and remote access services
  • Multi-Factor Authentication — we flag exposed RDP, VPN, and other remote services that should require MFA
  • Application Control — we identify outdated or vulnerable software versions running on your infrastructure

While a full Essential Eight assessment requires internal system access, our external scan provides a valuable starting point to understand your organisation's security posture.

Getting Started with Essential Eight Compliance

  1. Run a free external scan at affinityscan.com.au to identify immediate vulnerabilities
  2. Review your results against the Essential Eight framework
  3. Prioritise remediation based on risk level and business impact
  4. Contact Affinity MSP for a comprehensive Essential Eight maturity assessment

For businesses in regulated industries or government contracting, Essential Eight compliance is increasingly becoming a procurement requirement. Starting with a free external scan is the fastest way to identify gaps in your security posture.

Contact Affinity MSP at security@affinitymsp.com.au or call 1300 943 486 for expert guidance on Essential Eight implementation.
