Most small business owners hear "Essential Eight" and assume it applies to government agencies or large enterprises. It does not. The Australian Signals Directorate (ASD) developed these eight controls as a baseline for any Australian organisation that wants to make itself meaningfully harder to attack. If your business has twenty people, uses email, stores client data, and processes payments, the ASD Essential Eight is directly relevant to you.
This post explains what the framework is, what the maturity levels mean at your scale, and which controls you are probably already close to achieving. For a full implementation checklist, see the Essential Eight compliance guide for Australian SMBs.
Why the ASD Created the Essential Eight
The Australian Signals Directorate publishes the ASD Essential Eight as its core cybersecurity baseline because most cyber incidents are not sophisticated. They rely on the same handful of techniques: exploiting unpatched software, using stolen credentials, tricking staff into running malicious files, and encrypting data for ransom. The eight controls specifically target those techniques.
The framework is structured around four maturity levels. ML0 means little or nothing is in place. ML1 is the entry-level baseline. ML2 has become the practical target in 2026 for any business seeking cyber insurance, entering government supply chains, or holding significant client data. ML3 is for organisations facing nation-state level threats.
What Each Control Looks Like at 20 People
Every application your team uses: browsers, Office, your accounting software, your CRM, needs security patches applied promptly. At your scale, this is a policy and a process, not a complicated project. Automated patch deployment means updates run on a schedule rather than when someone remembers.
The same logic applied to Windows or macOS. Machines running out-of-date operating systems are the most common entry point for ransomware.
A password alone is no longer sufficient. MFA requires a second verification step before access is granted. For Microsoft 365 businesses, MFA can be enforced across all accounts at no additional licensing cost. This single control blocks the majority of account takeover attacks.
In most small businesses, too many people have admin rights on their machines. Admin accounts that get compromised give an attacker far greater access than standard user accounts. At ML1, admin access is limited to people who genuinely need it and is not used for everyday tasks like email and browsing.
Only approved software runs on company devices. At 20 people, this is achievable through Microsoft Intune, which is included in Microsoft 365 Business Premium.
Most malware delivered by email arrives in Office documents with embedded macros. Blocking macros from the internet is a configuration change that costs nothing operationally and closes a significant attack vector.
Disabling browser features and plugins that are regularly exploited. This is a setup task, done once and maintained as part of standard device configuration.
Critical data backed up daily, stored separately from the live environment, and tested against an actual recovery scenario quarterly. "Tested" means you have restored from the backup, not just confirmed the backup job ran.
What You Probably Already Have
If your business uses Microsoft 365 Business Premium, several Essential Eight controls are already available within your existing licensing: MFA, patch management via Windows Update policies, macro restrictions, and device management via Intune.
The controls most often missing or misconfigured are admin privilege management (too many people have admin rights), application control (not configured at all), and backup testing (backups exist but have never been tested against an actual recovery).
Why 2026 Is the Year to Act
The ACSC reports the average cost of cybercrime for a small Australian business now exceeds $46,000 per incident. Beyond direct cost, cyber insurers are tightening underwriting requirements and asking specific questions about MFA, patching, and backup testing before offering coverage. Businesses that cannot demonstrate basic controls face higher premiums or declined cover.
ML2 is also becoming a de facto requirement for government contracts and large enterprise supply chains. If your clients include government agencies, councils, or large regulated businesses, your own cyber posture is increasingly part of their vendor risk assessment.
How All IT Approaches This with Small Business Clients
All IT works with small and mid-size Australian businesses to assess their current ASD Essential Eight maturity, close the gaps that matter most, and maintain the controls over time. We operate on month-to-month contracts with no lock-in, and our average client relationship runs over ten years. Our average chat response time is under three minutes and email under fourteen minutes.
Find out where your business sits against the Essential Eight
For a detailed breakdown of every control with implementation checklists, read the compliance guide. Or get in touch to find out where your business sits right now.
Frequently Asked Questions
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
Read the Full Guide →
