Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

Most small business owners hear "Essential Eight" and assume it applies to government agencies or large enterprises. It does not. The Australian Signals Directorate (ASD) developed these eight controls as a baseline for any Australian organisation that wants to make itself meaningfully harder to attack. If your business has twenty people, uses email, stores client data, and processes payments, the ASD Essential Eight is directly relevant to you.

This post explains what the framework is, what the maturity levels mean at your scale, and which controls you are probably already close to achieving. For a full implementation checklist, see the Essential Eight compliance guide for Australian SMBs.

Why the ASD Created the Essential Eight

The Australian Signals Directorate publishes the ASD Essential Eight as its core cybersecurity baseline because most cyber incidents are not sophisticated. They rely on the same handful of techniques: exploiting unpatched software, using stolen credentials, tricking staff into running malicious files, and encrypting data for ransom. The eight controls specifically target those techniques.

The framework is structured around four maturity levels. ML0 means little or nothing is in place. ML1 is the entry-level baseline. ML2 has become the practical target in 2026 for any business seeking cyber insurance, entering government supply chains, or holding significant client data. ML3 is for organisations facing nation-state level threats.

For most 20-person businesses, reaching ML1 quickly and progressing toward ML2 is the right objective.

What Each Control Looks Like at 20 People

1. Patch Applications

Every application your team uses: browsers, Office, your accounting software, your CRM, needs security patches applied promptly. At your scale, this is a policy and a process, not a complicated project. Automated patch deployment means updates run on a schedule rather than when someone remembers.

2. Patch Operating Systems

The same logic applied to Windows or macOS. Machines running out-of-date operating systems are the most common entry point for ransomware.

3. Multi-Factor Authentication

A password alone is no longer sufficient. MFA requires a second verification step before access is granted. For Microsoft 365 businesses, MFA can be enforced across all accounts at no additional licensing cost. This single control blocks the majority of account takeover attacks.

4. Restrict Administrative Privileges

In most small businesses, too many people have admin rights on their machines. Admin accounts that get compromised give an attacker far greater access than standard user accounts. At ML1, admin access is limited to people who genuinely need it and is not used for everyday tasks like email and browsing.

5. Application Control

Only approved software runs on company devices. At 20 people, this is achievable through Microsoft Intune, which is included in Microsoft 365 Business Premium.

6. Restrict Microsoft Office Macros

Most malware delivered by email arrives in Office documents with embedded macros. Blocking macros from the internet is a configuration change that costs nothing operationally and closes a significant attack vector.

7. User Application Hardening

Disabling browser features and plugins that are regularly exploited. This is a setup task, done once and maintained as part of standard device configuration.

8. Regular Backups

Critical data backed up daily, stored separately from the live environment, and tested against an actual recovery scenario quarterly. "Tested" means you have restored from the backup, not just confirmed the backup job ran.

What You Probably Already Have

If your business uses Microsoft 365 Business Premium, several Essential Eight controls are already available within your existing licensing: MFA, patch management via Windows Update policies, macro restrictions, and device management via Intune.

The gap for most small businesses is not licensing. It is configuration and consistency.

The controls most often missing or misconfigured are admin privilege management (too many people have admin rights), application control (not configured at all), and backup testing (backups exist but have never been tested against an actual recovery).

Why 2026 Is the Year to Act

The ACSC reports the average cost of cybercrime for a small Australian business now exceeds $46,000 per incident. Beyond direct cost, cyber insurers are tightening underwriting requirements and asking specific questions about MFA, patching, and backup testing before offering coverage. Businesses that cannot demonstrate basic controls face higher premiums or declined cover.

ML2 is also becoming a de facto requirement for government contracts and large enterprise supply chains. If your clients include government agencies, councils, or large regulated businesses, your own cyber posture is increasingly part of their vendor risk assessment.

How All IT Approaches This with Small Business Clients

All IT works with small and mid-size Australian businesses to assess their current ASD Essential Eight maturity, close the gaps that matter most, and maintain the controls over time. We operate on month-to-month contracts with no lock-in, and our average client relationship runs over ten years. Our average chat response time is under three minutes and email under fourteen minutes.

Find out where your business sits against the Essential Eight

For a detailed breakdown of every control with implementation checklists, read the compliance guide. Or get in touch to find out where your business sits right now.


Frequently Asked Questions

The ASD Essential Eight is a set of eight cybersecurity controls developed by the Australian Signals Directorate. It was originally built for government agencies but the ASD now recommends it for all Australian organisations. If your business stores client data, uses email, or processes payments, the framework is directly relevant regardless of your size.
ML1 means your environment blocks commodity attacks: automated scans, credential stuffing, and opportunistic ransomware. ML2 extends those protections to more targeted threats. In 2026, ML2 has become the practical target for any business seeking cyber insurance or entering government supply chains. Most small businesses should aim to reach ML1 quickly, then progress to ML2 within 12 months.
For a 20-person business using Microsoft 365, reaching ML1 across all eight controls typically takes four to eight weeks working with a managed IT provider. Many controls are configuration tasks rather than major projects. Admin privilege management and application control take a little more planning but are achievable within that window.
Yes. Most small businesses do this through a managed IT provider. A good provider assesses your current state, handles the configuration across all eight controls, and maintains them as your business and threat environment change. You do not need an internal IT team to operate at ML1 or ML2.

Related Guide

Cybersecurity for Sydney SMBs

Explore our complete guide to protecting your business from cyber threats.

Read the Full Guide →