Essential Eight Basics: What Australian SMBs Need to Know
If you’ve been following cybersecurity news in Australia, you’ve probably heard of the Essential Eight. But here’s the thing - most explanations assume you’ve got an IT degree or a dedicated security team. Most small businesses don’t have either.
So let’s fix that.
What Actually Is the Essential Eight?
The Essential Eight is a set of cybersecurity strategies developed by the Australian Signals Directorate (ASD). Think of it as a checklist of the most effective things you can do to protect your business from cyber attacks. It’s not a legal requirement for most businesses (yet), but it’s becoming the gold standard that insurers and larger clients expect you to follow.
The eight strategies are:
- Application control - Only approved programs can run on your systems
- Patch applications - Keep software updated
- Configure Microsoft Office macro settings - Block dangerous macros
- User application hardening - Turn off risky features in web browsers and other apps
- Restrict administrative privileges - Not everyone needs admin access
- Patch operating systems - Keep Windows, macOS, and Linux updated
- Multi-factor authentication - Use more than just passwords
- Regular backups - Have copies of your data that can’t be encrypted by ransomware
Why Should SMBs Care?
I get it. You’re running a business, not a tech company. Why should you spend time on this?
Three reasons:
1. You’re a target. The Australian Cyber Security Centre (ACSC) reported that small businesses are increasingly targeted because attackers know you’re less likely to have strong defences. It’s easier to hit ten small businesses than one big one.
2. Insurance requirements are changing. Cyber insurance premiums have skyrocketed, and many insurers now ask about your Essential Eight compliance before they’ll quote. Some won’t cover you at all without basic controls in place.
3. Your clients might require it. If you work with government agencies or larger companies, they’re starting to include Essential Eight compliance in their supplier requirements. Lose compliance, lose the contract.
The Maturity Levels Explained
The Essential Eight uses maturity levels from zero to three. Here’s what they actually mean:
Maturity Level Zero: You’re not doing much (or anything) in that area. No judgement - this is where most businesses start.
Maturity Level One: Basic implementation. You’ve got the fundamentals covered, which stops most opportunistic attacks.
Maturity Level Two: More comprehensive. You’re protected against more sophisticated attackers who specifically target your business.
Maturity Level Three: Full implementation. This is enterprise-grade security, typically for businesses handling sensitive data or working with government.
For most SMBs, getting to Maturity Level One across all eight strategies is a realistic and worthwhile goal. Don’t let anyone tell you it’s Level Three or nothing.
Where to Start
Feeling overwhelmed? Here’s my honest advice on where most small businesses should begin:
Multi-factor authentication (MFA): This is the biggest bang for your buck. Turn it on for email, accounting software, and anything else that handles sensitive data. Most platforms offer it free - you just need to enable it.
Regular backups: Make sure you’ve got backups that aren’t connected to your main network. If ransomware hits, you want backups it can’t reach. Test your restoration process at least once (you’d be surprised how many businesses discover their backups don’t work when they actually need them).
Patch your stuff: Turn on automatic updates wherever possible. Yes, the restart notifications are annoying. Getting hacked is more annoying.
These three will give you more protection than any expensive security product.
Common Myths About Essential Eight
“It’s only for government.” Nope. It was developed by a government agency, but it’s designed to work for any organisation. The ASD specifically recommends it for businesses of all sizes.
“I need to hire a consultant to do this.” Not necessarily. A tech-savvy person on your team can implement most of Level One. You might want help for the trickier bits, but don’t assume you need to outsource everything.
“My business is too small to bother.” This is exactly what attackers are hoping you think. Small businesses often have weaker security AND access to valuable data (customer details, financial information, supplier networks). That makes you attractive.
“I’ve got antivirus, so I’m covered.” Antivirus is just one piece of the puzzle. Essential Eight includes it as part of application control, but it’s not a substitute for the other seven strategies.
Real Costs and Timeframes
Let me be straight with you about what implementing Essential Eight actually looks like for a typical SMB with, say, 10-50 employees.
Time investment: Getting to Level One might take 20-40 hours spread over a few months, depending on your current setup and technical skills.
Software costs: Many strategies use built-in features of Windows and Microsoft 365. You might need backup software ($50-200/month for a small business) and possibly a password manager ($3-5/user/month).
Potential consultant costs: If you bring someone in to help, expect $150-300/hour for a competent cybersecurity consultant. A full assessment and implementation plan might run $5,000-15,000, though you can do much of the work yourself with their guidance.
Is it worth it? Consider this: the average cost of a cyber incident for a small business in Australia is around $50,000. And that’s just the direct costs - it doesn’t include lost customers, damaged reputation, or the weeks of stress and distraction.
Next Steps
If you’re ready to take this seriously, here’s what I’d suggest:
- Do a self-assessment. The ACSC has a free Essential Eight Maturity Model you can use to see where you currently stand.
- Pick two or three strategies to focus on first. MFA, backups, and patching are my recommendations for most businesses.
- Set realistic timeframes. This isn’t a weekend project. Give yourself three to six months to reach Level One.
- Document what you do. Your insurance company and clients will want to see evidence, not just hear promises.
The Essential Eight isn’t perfect, and it won’t stop every attack. But it will stop most of them. And in cybersecurity, that’s about as good as it gets.