The ACSC Essential Eight is the Australian government's baseline cybersecurity framework. These eight controls, implemented together, make it much harder for adversaries to compromise your systems. Not-for-profits are not exempt from these threats. Charities and community services organisations are frequently targeted precisely because they hold sensitive data and often run leaner IT environments than commercial businesses.
This guide explains what the Essential Eight is, why it matters for NFPs, and how to approach implementation when budget and headcount are tight.
What is the ACSC Essential Eight?
The Essential Eight is a set of mitigation strategies developed by the Australian Cyber Security Centre (ACSC). It is not a compliance standard you certify against in the traditional sense. It is a practical baseline designed to make organisations significantly harder to compromise. The framework is structured around four maturity levels (ML0 to ML3), where ML1 represents the minimum recommended starting point for most organisations.
Together the eight controls address the most common attack vectors: unpatched software, stolen credentials, malicious email attachments, and ransomware.
1. Patch Applications: Keep third-party software up to date: browsers, Office, PDF readers. Unpatched applications are the most common entry point for attackers.
2. Patch Operating Systems: Apply OS security patches promptly. At ML1, internet-facing systems must be patched within two weeks of release.
3. Multi-factor Authentication: Require MFA for all remote access, email, and cloud services. A single compromised password should not be enough to get in.
4. Restrict Administrative Privileges: Limit who has admin access and what they can do with it. Admin accounts should not be used for day-to-day tasks.
5. Application Control: Only allow approved applications to run on your systems. This prevents malware and unapproved software from executing.
6. Restrict Microsoft Office Macros: Block or tightly control Office macros, a common delivery vehicle for malware via email attachments.
7. User Application Hardening: Disable features in browsers and applications that attackers commonly exploit: ads, Java in browsers, and unnecessary plug-ins.
8. Regular Backups: Back up data, applications, and configuration settings regularly. Test that backups can actually be restored, and keep at least one offline copy.
Why NFPs need to take this seriously
Not-for-profit organisations hold significant amounts of sensitive information: donor financial records, beneficiary personal data, employee files, grant documentation, and often health or welfare details. Under the Privacy Act, organisations with annual turnover above $3 million have obligations around how that data is stored, protected, and disclosed. Many NFPs are approaching or already past that threshold.
Beyond legal obligation, the reputational risk of a data breach for a charity is disproportionately severe. Donor trust is hard-won and quickly lost. A ransomware incident that locks your systems during a campaign or emergency response is not just an IT problem. It is an organisational crisis.
The ACSC's annual reporting consistently notes that charities and community organisations face cyber threats at rates comparable to small commercial businesses. Attackers are opportunistic. They look for organisations with known vulnerabilities, not deep pockets.
How the Essential Eight applies to a small or mid-size NFP
ML1 is the appropriate starting point for most organisations, regardless of size. For NFPs using Microsoft 365, many of the controls are already included in your licensing and can be configured within the Microsoft 365 admin centre without additional cost. The gaps are usually in application control, macro restrictions, and admin privilege management, all straightforward to address with the right configuration.
The recommended approach for NFPs starting their Essential Eight journey:
- Assess your current state. Map each of the eight controls against your environment honestly. Identify where you are at ML0 versus ML1.
- Prioritise by impact. MFA and patching deliver the most risk reduction per dollar of effort. Start there.
- Close the quick wins. MFA, patch schedules, and backup testing can usually be addressed in weeks, not months.
- Plan the longer-term controls. Application control and privilege management require more planning but are achievable over 6 to 12 months.
- Test and validate. The Essential Eight is not a one-time project. It requires ongoing maintenance as systems change and new vulnerabilities emerge.
How All IT approaches this with NFP clients
All IT works with not-for-profit organisations across Australia to assess their current Essential Eight maturity, close the most critical gaps, and maintain ongoing compliance, without requiring a dedicated internal security team. Our average client stays for over 10 years, and we operate on month-to-month contracts with no lock-in. NFPs should not be tied to a provider that is not delivering.
If your NFP wants to understand where it sits against the Essential Eight and what it would take to reach ML1, get in touch with the All IT team. No sales process, no jargon, just a straight assessment.
Frequently Asked Questions
Is the Essential Eight mandatory for not-for-profits in Australia?
The Essential Eight is not legislatively mandatory for most NFPs. It is a recommended baseline from the ACSC. However, NFPs that handle government grants or contracts are increasingly required to demonstrate Essential Eight compliance as a condition of funding. Even without a formal mandate, it represents the minimum prudent standard for any organisation that holds sensitive data.
Which Essential Eight control should an NFP implement first?
Multi-factor authentication and patching deliver the highest risk reduction per unit of effort. These two controls alone prevent the majority of successful credential-based and vulnerability-based attacks. If your organisation is not yet running MFA on email and remote access, that is where to start.
How much does it cost to implement the Essential Eight for a small NFP?
For NFPs using Microsoft 365, many controls are already included in your licensing. MFA, patch management, and macro restrictions can all be configured within the Microsoft 365 admin centre at no extra cost. Full ML1 implementation for a 20-person NFP can typically be achieved in 20 to 40 hours of managed IT time, spread over a few weeks.
Can a small NFP with no internal IT team implement the Essential Eight?
Yes. Most small and mid-size NFPs implement the Essential Eight through a managed IT provider rather than in-house staff. A good provider will assess your current state, prioritise the controls that reduce the most risk for your specific environment, and manage implementation and ongoing maintenance on your behalf.
All IT Services works with not-for-profit organisations across Australia to implement the ACSC Essential Eight: practically, affordably, and without requiring a dedicated internal IT team.