Essential Eight Compliance Tools: What Works in 2026


The Essential Eight has become the default security framework for Australian businesses. Insurance requires it. Government contracts demand it. The ACSC keeps updating guidance.

But knowing the framework and implementing it are different things. Here’s what actually works for SMBs trying to achieve and maintain compliance.

The Essential Eight: Quick Reminder

For those who need a refresher:

  1. Application Control - Only allow approved programs to run
  2. Patch Applications - Update third-party applications quickly
  3. Configure Microsoft Office Macro Settings - Restrict macro execution
  4. User Application Hardening - Block Flash, Java, ads in browsers
  5. Restrict Administrative Privileges - Minimise who has admin access
  6. Patch Operating Systems - Update Windows/macOS quickly
  7. Multi-Factor Authentication - Require MFA for access
  8. Regular Backups - Backup data and test recovery

Maturity Level One is the baseline. Most insurers and contracts now require at least Level One compliance.

Category 1: Patch Management Tools

Patching applications and patching operating systems are two of the eight controls. Good tools handle both.

For Windows Environments:

Microsoft Intune + Windows Update for Business: Built into Microsoft 365 Business Premium. Handles Windows patching well, third-party applications less well.

  • Cost: Included with M365 Business Premium
  • Strength: Tight integration with Windows
  • Weakness: Third-party app patching is clunky

Automox: Cloud-native patching that handles Windows, macOS, and third-party apps.

  • Cost: ~$4-6 per device/month
  • Strength: Covers third-party apps properly
  • Weakness: Another console to manage

NinjaRMM / Datto RMM / ConnectWise Automate: If you’re working with an IT provider, they’re probably using one of these. Built-in patching capabilities.

  • Cost: Usually included in managed services
  • Strength: Your IT provider handles it
  • Weakness: You’re dependent on their execution

My recommendation: If you’re managing your own IT, Automox is the most complete solution for SMBs. If you have a managed service provider, make sure patching is explicitly in your agreement with SLAs.

Category 2: Application Control

This is the hardest Essential Eight control for SMBs to implement.

Windows Defender Application Control (WDAC): Microsoft’s built-in solution. Powerful but complex.

  • Cost: Free (included with Windows)
  • Strength: Native integration
  • Weakness: Configuration is genuinely difficult

Airlock Digital: Australian-made application whitelisting designed to be manageable.

  • Cost: ~$50 per device/year
  • Strength: Much easier than WDAC
  • Weakness: Another tool to manage

Carbon Black App Control: Enterprise-grade solution, now owned by VMware (Broadcom).

  • Cost: Enterprise pricing
  • Strength: Very powerful
  • Weakness: Overkill for most SMBs

My recommendation: For Level One compliance, start with basic controls in your endpoint protection (blocking unknown executables). True application whitelisting can come at Level Two or Three. Don’t let perfect be the enemy of good.

Category 3: Microsoft Office Macro Control

The ASD has clear guidance here. Implementation is mostly configuration.

Group Policy / Intune: Configure macro settings centrally. Block macros from the internet, allow only signed macros, or block entirely.

  • Cost: Free (configuration)
  • Strength: Built-in
  • Weakness: Requires understanding of Group Policy

Third-party tools: Most endpoint protection tools can add another layer of macro control.

My recommendation: This is a configuration exercise, not a tool purchase. If you’re using Microsoft 365, use the built-in controls. The ACSC has specific guidance documents - follow them step by step.
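The configuration exercise described above, as an added example that is not from the original post: a PowerShell audit of the Office macro policy values (the per-user policy keys under HKCU for the Office 16.0 hive, covering Word, Excel and PowerPoint) with an optional remediation function. It assumes Office 2016 or later; in a fleet you would deploy the same values through Group Policy or Intune rather than writing the registry directly, and use this only to verify what actually landed on the device.

```powershell
# Added example (not from the original post): audit and optionally enforce the
# Office VBA macro policy via the Office policy registry keys.
# Assumes Office 2016/2019/365 (the 16.0 hive) and per-user policy keys under HKCU.
# Run as the user whose Office session you are checking.

$OfficeApps = 'Word', 'Excel', 'PowerPoint'          # apps that honour both values below
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings values used by Office:
#   1 = enable all macros (never acceptable)
#   2 = disable all with notification (users can click through)
#   3 = disable all except digitally signed macros
#   4 = disable all macros without notification
# 3 or 4 corresponds to the "signed only" / "block entirely" options in the post.
$AcceptableVbaWarnings = 3, 4

function Get-OfficeMacroPolicy {
    foreach ($app in $OfficeApps) {
        $key  = Join-Path $PolicyRoot "$app\Security"
        $vba  = $null
        $motw = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $vba   = $props.VBAWarnings
            $motw  = $props.blockcontentexecutionfrominternet
        }
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $vba
            BlockInternetMacros = $motw
            Compliant           = ($vba -in $AcceptableVbaWarnings) -and ($motw -eq 1)
        }
    }
}

function Set-OfficeMacroPolicy {
    param(
        # 3 = signed macros only, 4 = block all macros
        [ValidateSet(3, 4)] [int] $VbaWarnings = 3
    )
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VbaWarnings -Type DWord
        # Mark-of-the-Web check: block macros in files that came from the internet
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# Audit only (no changes):
Get-OfficeMacroPolicy | Format-Table -AutoSize

# Remediate on this device, then show anything still non-compliant:
# Set-OfficeMacroPolicy -VbaWarnings 3
# Get-OfficeMacroPolicy | Where-Object { -not $_.Compliant }
```

Run the audit on a sample of devices after rolling out the Group Policy or Intune setting; a device showing an empty VBAWarnings column has no policy applied at all, which is the most common reason a macro control "configured centrally" turns out not to be in effect.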

Category 4: User Application Hardening

Blocking risky features in browsers and applications.

Browser configuration:

  • Block Flash (easy - it’s dead anyway)
  • Block Java in browsers (configure browser policies)
  • Block malicious ads (browser extensions or DNS-level blocking)

DNS-level blocking: Cisco Umbrella, Cloudflare Gateway, DNSFilter. Block malicious domains and ads at the DNS level.

  • Cost: $2-5 per user/month
  • Strength: Protects all devices on the network
  • Weakness: Another subscription

Browser extensions: uBlock Origin (free, open source) blocks ads and tracking.

My recommendation: DNS-level filtering provides the best coverage for least effort. Cloudflare Gateway has a free tier that works for small teams.

Category 5: Administrative Privileges

This is about process as much as tools.

Microsoft Entra ID / Azure AD Privileged Identity Management (PIM) provides just-in-time admin access.

  • Cost: Requires Entra ID P2 licensing
  • Strength: Proper privilege management
  • Weakness: Premium licensing cost

Local admin management: LAPS (Local Administrator Password Solution) from Microsoft. Free. Unique passwords on each local admin account, centrally managed.

Privileged Access Management: CyberArk, BeyondTrust, Delinea Enterprise solutions for managing privileged accounts.

  • Cost: Enterprise pricing
  • Weakness: Overkill for most SMBs

My recommendation: For SMBs, focus on the basics: separate admin accounts for IT staff, remove unnecessary local admin rights, implement LAPS. LAPS is free and essential.
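The "remove unnecessary local admin rights" step above, and the quarterly access review listed later under maintenance, as an added example that is not from the original post: a PowerShell script that enumerates the local Administrators group on each device and flags members not on an approved list. It assumes PowerShell remoting (WinRM) is enabled and that the account running it can query the devices; the computer names and the approved-principal list are placeholders.

```powershell
# Added example (not from the original post): local-admin access review.
# Assumes WinRM is enabled on the devices. Computer names and approved
# principals below are placeholders; replace them with your own.

$Computers = 'PC-FINANCE-01', 'PC-RECEPTION-01', 'SRV-FILE-01'   # placeholders

# Principals allowed to hold local admin. Everything else is flagged.
# With LAPS in place the built-in Administrator is expected; named users are not.
$ApprovedAdmins = @(
    'CONTOSO\Domain Admins',       # placeholder domain group
    'CONTOSO\Workstation Admins',  # placeholder: the separate admin accounts for IT staff
    'Administrator'                # built-in account, password managed by LAPS
)

function Get-LocalAdminReview {
    param([string[]] $ComputerName, [string[]] $Approved)

    $members = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
    }

    foreach ($m in $members) {
        # Local accounts come back as 'PC-01\Administrator'; strip the machine prefix so
        # they match the approved list, but keep domain principals fully qualified.
        $short = if ("$($m.PrincipalSource)" -eq 'Local') { $m.Name.Split('\')[-1] } else { $m.Name }
        [pscustomobject]@{
            Computer = $m.Computer
            Member   = $m.Name
            Type     = $m.ObjectClass
            Source   = $m.PrincipalSource
            Approved = $short -in $Approved
        }
    }
}

$review = Get-LocalAdminReview -ComputerName $Computers -Approved $ApprovedAdmins

# Only the accounts that need a decision: remove them, or add them to the approved list
$review | Where-Object { -not $_.Approved } | Sort-Object Computer | Format-Table -AutoSize

# Keep the full result as evidence for the compliance file
$review | Export-Csv -Path ".\local-admin-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Devices that fail to respond are reported by Invoke-Command as errors rather than silently skipped; treat those as findings too, since an unreachable device is one whose admin membership you cannot vouch for.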

Category 6: Multi-Factor Authentication

The most impactful control and thankfully the easiest to implement.

Microsoft Authenticator / Entra ID: If you’re using Microsoft 365, MFA is built in.

  • Cost: Included
  • Strength: Native integration
  • Weakness: Some friction for users

Google Authenticator / Workspace: Built into Google Workspace.

  • Cost: Included

Duo Security: Works across multiple platforms and applications.

  • Cost: ~$3-6 per user/month
  • Strength: Universal coverage
  • Weakness: Additional cost

Hardware keys: YubiKey, Feitian. Physical security keys for the highest security.

  • Cost: $50-100 per key
  • Strength: Phishing resistant
  • Weakness: Users lose them

My recommendation: Use what’s built into your platform first (Microsoft or Google). Add Duo if you need coverage across multiple systems. Hardware keys for high-risk accounts (finance, executives).

Category 7: Backups

The last line of defence and often poorly implemented.

Microsoft 365 backup: Veeam Backup for Microsoft 365, Acronis, Backupify. M365 retention isn’t the same as backup. You need a separate solution.

  • Cost: $2-5 per user/month
  • Strength: Proper backup with retention
  • Weakness: Often overlooked

Server/endpoint backup: Veeam, Acronis, Datto, Axcient. Full system backup with tested recovery.

  • Cost: Varies widely
  • Strength: Complete protection
  • Weakness: Requires proper configuration and testing

Cloud-to-cloud backup: For SaaS applications beyond M365/Google.

My recommendation: Whatever you choose, test restores monthly. Automated backup verification is now standard in good backup tools - use it.
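The monthly restore test recommended above, as an added example that is not from the original post and not any backup vendor's tooling: a PowerShell script that records a SHA-256 manifest at backup time and verifies a restored copy against it, reporting missing and corrupted files. The source, backup and restore folders are constructed under $env:TEMP so it runs stand-alone; in practice you point Test-RestoredBackup at the folder your backup product restored to and keep the manifest alongside the backup set.

```powershell
# Added example (not from the original post): verify a restore by comparing file hashes
# against a manifest captured at backup time. Demo data is constructed under $env:TEMP.

function New-BackupManifest {
    param([string] $Path, [string] $ManifestPath)
    # Record relative path + SHA-256 for every file in the backup set
    $root = (Resolve-Path $Path).Path
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-RestoredBackup {
    param([string] $RestorePath, [string] $ManifestPath)
    $root = (Resolve-Path $RestorePath).Path
    foreach ($entry in Import-Csv $ManifestPath) {
        $file = Join-Path $root $entry.RelativePath
        $status = if (-not (Test-Path $file)) { 'Missing' }
                  elseif ((Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $entry.Sha256) { 'Corrupt' }
                  else { 'OK' }
        [pscustomobject]@{ File = $entry.RelativePath; Status = $status }
    }
}

# --- Constructed demo data: a tiny "source" that gets backed up, then restored ---
$work    = Join-Path $env:TEMP ("e8-backup-demo-" + [guid]::NewGuid())
$source  = Join-Path $work 'source'
$restore = Join-Path $work 'restore'
New-Item -ItemType Directory -Path "$source\finance" -Force | Out-Null
Set-Content -Path "$source\finance\ledger.csv" -Value 'date,amount', '2026-01-05,120.00'
Set-Content -Path "$source\policy.txt" -Value 'Backup policy v1'

$manifest = Join-Path $work 'manifest.csv'
New-BackupManifest -Path $source -ManifestPath $manifest

# Simulate the restore, then a silent corruption of one file and the loss of another
Copy-Item -Path $source -Destination $restore -Recurse
Add-Content -Path "$restore\finance\ledger.csv" -Value '2026-01-06,999.00'   # constructed corruption
Remove-Item -Path "$restore\policy.txt"                                        # constructed loss

$check = Test-RestoredBackup -RestorePath $restore -ManifestPath $manifest
$check | Format-Table -AutoSize

$failed = @($check | Where-Object { $_.Status -ne 'OK' })
if ($failed.Count -gt 0) {
    Write-Warning "Restore test FAILED: $($failed.Count) file(s) did not verify"
} else {
    Write-Output 'Restore test passed'
}

Remove-Item -Path $work -Recurse -Force
```

The point of hashing rather than counting files or comparing sizes is that the ledger in the demo still exists and is still a valid CSV after the constructed corruption; only the hash comparison catches it. Keep the manifest somewhere the backup job cannot overwrite, or the verification only proves the backup matches itself.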

Compliance Reporting Tools

Proving compliance is as important as achieving it.

Microsoft Secure Score: Built into M365. Shows your compliance posture.

  • Cost: Included
  • Strength: Good baseline visibility
  • Weakness: Doesn’t cover everything

Essential Eight assessment tools: Tenable, Qualys, Rapid7. Vulnerability scanners that can report against Essential Eight.

  • Cost: Enterprise pricing
  • Weakness: May be overkill

Essential Eight specific: Huntsman Security Essential 8 Auditor. Australian tool specifically for Essential Eight assessment.

  • Cost: Varies
  • Strength: Purpose-built for the framework

My recommendation: Start with Microsoft Secure Score if you’re in M365. For formal assessments and reporting, consider specialist tools or consultants.

The Integration Challenge

The problem with this list: it’s a lot of tools. Multiple consoles. Multiple vendors. Multiple bills.

This is where working with specialists helps. AI consultants Sydney and similar firms can help integrate tools, automate compliance checking, and reduce the management burden.

Some consolidation options:

Single-vendor approaches:

  • Microsoft stack (M365 + Defender + Intune + Azure) covers a lot
  • All-in-one security platforms (Sophos, Fortinet, etc.)

Managed security services: Let someone else worry about the tools. Many Australian MSPs now offer Essential Eight compliance packages.

Budget Reality

What does Essential Eight compliance actually cost for a 20-person business?

Baseline (if you’re on Microsoft 365 Business Premium):

  • M365 Business Premium: ~$30/user/month (includes Defender, Intune, MFA)
  • M365 backup: ~$5/user/month
  • Total: ~$35/user/month or $8,400/year

Adding key tools:

  • DNS filtering: ~$3/user/month (+$720/year)
  • Improved patching: ~$5/device/month (+$1,200/year)
  • Total with additions: ~$10,320/year

With managed services: A fully managed Essential Eight compliance package from an MSP typically runs $100-150/user/month, or $24,000-36,000/year for a 20-person company.

These are rough figures - actual costs depend on your specific situation.

Where to Start

If you’re just beginning:

  1. MFA first. Highest impact, lowest cost.

  2. Patching automation. Use what you have or add Automox.

  3. Backup verification. Make sure your backups actually work.

  4. Admin privilege review. Remove unnecessary access manually before buying tools.

  5. Assessment. Use Microsoft Secure Score or get an external assessment to identify gaps.

For businesses needing help with implementation, AI consultants Melbourne and similar firms specialise in helping SMBs achieve compliance without enterprise budgets.

The Maintenance Reality

Essential Eight isn’t a project - it’s an ongoing practice.

Tools help achieve compliance. Maintaining compliance requires:

  • Regular access reviews (quarterly)
  • Patching cadence monitoring (weekly)
  • Backup testing (monthly)
  • Policy reviews (annually)
  • Staff training (ongoing)

Build these into your operations. Compliance that’s checked once and forgotten will drift.
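The weekly patching cadence check in the list above, as an added example that is not from the original post: a PowerShell report of days since the most recent Windows hotfix on each device, flagging anything past a threshold. The computer names and the 14-day threshold are placeholders, not figures from the post; set the threshold to whatever your patching SLA or the ACSC timeframe for your target maturity level requires.

```powershell
# Added example (not from the original post): weekly patch-cadence check for the
# Windows fleet. Computer names and the threshold are placeholders.

$Computers      = 'PC-FINANCE-01', 'PC-RECEPTION-01', 'SRV-FILE-01'   # placeholders
$MaxDaysWithout = 14                                                   # placeholder SLA

function Get-PatchCadenceReport {
    param([string[]] $ComputerName, [int] $MaxDays)
    foreach ($c in $ComputerName) {
        try {
            # Get-HotFix lists installed Windows updates (QFEs); it does not see third-party apps
            $latest = Get-HotFix -ComputerName $c -ErrorAction Stop |
                      Where-Object InstalledOn |
                      Sort-Object InstalledOn -Descending |
                      Select-Object -First 1
            $days = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
            [pscustomobject]@{
                Computer    = $c
                LastPatch   = $latest.HotFixID
                InstalledOn = $latest.InstalledOn
                DaysSince   = $days
                Status      = if ($null -eq $days) { 'Unknown' } elseif ($days -gt $MaxDays) { 'Overdue' } else { 'OK' }
            }
        } catch {
            # An unreachable device is a finding too: it may be off-network and unpatched
            [pscustomobject]@{
                Computer    = $c
                LastPatch   = $null
                InstalledOn = $null
                DaysSince   = $null
                Status      = "Unreachable: $($_.Exception.Message)"
            }
        }
    }
}

$report = Get-PatchCadenceReport -ComputerName $Computers -MaxDays $MaxDaysWithout
$report | Format-Table -AutoSize

# Keep the exceptions as evidence of the weekly check
$report | Where-Object { $_.Status -ne 'OK' } |
    Export-Csv -Path ".\patch-cadence-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

This covers the operating-system half of the patching controls only; third-party application versions have to come from your patching tool or RMM, which is the gap the post notes with built-in Windows tooling.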

Final Thoughts

The good news: Essential Eight compliance is achievable for SMBs without massive budgets.

The challenge: it requires intentional effort and the right combination of tools and processes.

Start with fundamentals. Use built-in features before buying more tools. Automate what you can. Get help where you need it.

The businesses that treat Essential Eight as a continuous practice rather than a one-time project are the ones that stay secure.