Eight strategies, one framework, and a lot of confusion
The Australian Cyber Security Centre published the Essential Eight as a baseline set of mitigation strategies for cyber threats. The framework is referenced in government tenders, insurance applications, board reports, and client due diligence questionnaires. If you run a business in Australia with more than a handful of staff, someone has probably already asked you about it.
The problem is that most explanations of the Essential Eight are written for security professionals. They assume you know what “application whitelisting” means or why “restricting administrative privileges” matters to a 25-person accounting firm. This article explains each strategy in terms that apply to a real small business in Sydney, and identifies where most SMBs should start.
The Essential Eight is a prioritised list of cyber security mitigation strategies published by the Australian Signals Directorate (ASD). It is not a compliance framework, a certification, or a legal requirement for most private businesses. It is a practical set of controls that, when implemented together, significantly reduce the risk of common cyber attacks.
The ASD designed these strategies based on real incident data. Each one addresses a specific attack vector that has been used against Australian organisations. They are not theoretical. They are drawn from what actually happens when businesses get breached. The eight strategies fall into three categories: preventing malware from running, limiting the impact when it does run, and recovering data when everything else fails.
Application control
Application control means only approved software can run on your business computers. If an employee accidentally downloads malware, or a phishing email drops a payload onto a workstation, the malware cannot execute because it is not on the approved list.
For a small business, this is one of the harder controls to implement because it requires maintaining an approved application list and managing exceptions when staff need new software. Tools like ThreatLocker handle this by allowing IT administrators to approve applications through a managed workflow rather than maintaining manual lists.
Most SMBs don’t start here. It’s effective but operationally demanding without the right tooling.
Patching applications
Software vendors release security patches when vulnerabilities are discovered. If those patches aren’t applied, the vulnerabilities remain open for attackers to exploit. The Essential Eight recommends patching high-risk applications within 48 hours of a patch being released.
In practice, many small businesses patch sporadically or not at all. The IT person applies updates “when they get around to it,” which might be weeks or months after the patch was available. Every day between the patch release and the patch application is a window of exposure.
Managed patching on a defined schedule is one of the most cost-effective security controls a small business can implement. It requires no new software purchases, just consistent execution.
Configuring Microsoft Office macro settings
Macros in Microsoft Office documents have been a primary delivery mechanism for malware for decades. An employee opens a Word document attached to an email, enables macros when prompted, and malicious code executes on their machine.
The mitigation is straightforward. Disable macros from the internet by default. Only allow macros in documents from trusted locations or with trusted digital signatures. For most small businesses, macros from external sources should be blocked entirely. Very few legitimate business processes require macros from unknown senders.
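The following PowerShell is an added example, not part of the article and not Milnsbridge's own tooling. It writes the two Office policy values that implement the settings above (block macros in files downloaded from the internet, and allow only digitally signed macros) for Word, Excel and PowerPoint under the current user's policy hive, then reads them back so the result can be evidenced. It assumes a modern Office build that uses the "16.0" registry version; in a domain the same values are normally pushed through Group Policy rather than set per machine.

```powershell
# Added example (not from the article): apply and verify Office macro policy
# for the current user. Assumes Office 2016/2019/Microsoft 365 ("16.0").
$apps          = 'Word', 'Excel', 'PowerPoint'
$officeVersion = '16.0'   # assumption: change for older Office releases

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Block macros in any file carrying the Mark-of-the-Web (downloaded or
    # received from the internet), regardless of what the user clicks.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

    # VBAWarnings: 3 = disable all macros except digitally signed ones,
    # 4 = disable all macros without notification. 3 matches the article's
    # "trusted digital signatures" stance; use 4 where macros are never needed.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
}

# Read the values back: this is the output to keep for an Essential Eight audit.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    Get-ItemProperty -Path $key |
        Select-Object @{ n = 'App'; e = { $app } },
                      blockcontentexecutionfrominternet,
                      VBAWarnings
}
```

Trusted locations are a separate policy and are deliberately left alone here; if a business process genuinely needs an unsigned macro, the safer route is to sign it or place the file in a tightly scoped trusted location rather than relax `VBAWarnings`.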
User application hardening
Web browsers and email clients are the primary entry points for attacks. User application hardening means configuring these applications to reduce their attack surface: disabling Flash (now end-of-life), blocking Java from running in browsers, preventing ads from executing scripts, and disabling unnecessary browser extensions.
This is mostly a configuration exercise. Your IT provider should be applying these settings as part of a standard build for business workstations. If your staff are running browsers with 15 extensions and no restrictions, that is a gap.
Restricting administrative privileges
Administrative accounts have the ability to install software, change system settings, and access sensitive data. When an attacker compromises an admin account, they have the same access the administrator does. They can disable security tools, exfiltrate data, and move across your network.
The Essential Eight recommends that administrative privileges are only used for tasks that require them. Staff should use standard user accounts for daily work. Admin credentials should be separate, protected with strong authentication, and audited regularly.
For small businesses, this often means breaking the habit of everyone running as a local administrator on their machine. It feels less convenient, but it removes the single most exploited attack vector in Australian cyber incidents.
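To find out who is actually running as a local administrator, the following PowerShell is an added example (not from the article or Milnsbridge). It lists every member of the local Administrators group on the machine and flags anything that is not on an expected list. The `$Expected` list is an assumption and should be replaced with the accounts and groups the business has deliberately granted admin rights.

```powershell
# Added example (not from the article): audit local Administrators membership.
# Requires Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts).
function Get-UnexpectedLocalAdmins {
    param(
        # Assumption: the only principals that should hold local admin rights.
        [string[]]$Expected = @('Administrator', 'Domain Admins')
    )

    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        # Name is DOMAIN\user or COMPUTER\user; compare on the part after the backslash.
        $short = ($_.Name -split '\\')[-1]
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $_.Name
            ObjectClass = $_.ObjectClass      # User or Group
            Source      = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Unexpected  = $short -notin $Expected
        }
    }
}

# Usage: run in an elevated session on each workstation; anything flagged
# Unexpected is a staff or service account that should be moved to a standard user.
Get-UnexpectedLocalAdmins | Where-Object Unexpected | Format-Table -AutoSize
```

Run across a fleet (for example through an RMM tool or `Invoke-Command`), the flagged rows become the worklist for removing day-to-day admin rights, and re-running the audit on a schedule catches the rights creeping back.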
Patching operating systems
The same principle as patching applications applies to operating systems. Windows, macOS, and server OS patches should be applied within 48 hours for internet-facing systems and within two weeks for others. The challenge is that OS patches sometimes require restarts, which disrupts work. A managed IT provider schedules these during maintenance windows, typically outside business hours, so patches are applied without affecting productivity.
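The window of exposure described for application and operating system patching can be measured rather than guessed at. The following PowerShell is an added example (not from the article or Milnsbridge): it uses the built-in Windows Update Agent COM interface to list updates Windows knows about but has not installed, and for each one reports how many days it has been available against the 48-hour and two-week limits the article gives. The `-InternetFacing` switch is an assumption used to pick which limit applies; the machine's role is something the reader has to supply.

```powershell
# Added example (not from the article): report pending Windows updates and
# how long each has been available, against the article's patch windows.
# Uses the Windows Update Agent COM API, so no extra modules are needed.
function Get-PendingUpdateExposure {
    param(
        # Assumption: caller knows whether this host is internet-facing.
        [switch]$InternetFacing
    )

    $limitDays = if ($InternetFacing) { 2 } else { 14 }   # article's 48 h / two weeks
    $searcher  = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()

    # IsInstalled=0: not yet applied; IsHidden=0: not deliberately declined.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($u in $result.Updates) {
        # LastDeploymentChangeTime is when the update was made available to this host.
        $ageDays = [math]::Round(((Get-Date) - $u.LastDeploymentChangeTime).TotalDays, 1)
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity   # blank for non-security updates
            AgeDays  = $ageDays
            Overdue  = $ageDays -gt $limitDays
            Title    = $u.Title
        }
    }
}

# Usage: the search can take a minute or two; sort so the oldest gap is at the top.
Get-PendingUpdateExposure -InternetFacing |
    Sort-Object AgeDays -Descending |
    Format-Table KB, Severity, AgeDays, Overdue, Title -AutoSize
```

Anything with `Overdue` set to True is a concrete, dated gap to put in front of whoever owns patching. Note that this only covers what Windows Update serves (the OS and Microsoft products); third-party applications such as browsers and PDF readers still need their own patch reporting.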
Multi-factor authentication
MFA requires a second form of verification beyond a password when logging into systems. Even if an attacker obtains a staff member’s password through phishing or a data breach, they cannot access the account without the second factor.
This is arguably the single most impactful control for a small business. It’s relatively easy to implement, especially on cloud services like Microsoft 365, and it stops the majority of credential-based attacks. If your business has not enabled MFA on all cloud services and VPN connections, that should be the first thing you fix.
Milnsbridge enforces MFA across all managed IT environments as part of Essential Eight alignment. It’s not optional on any plan.
Regular backups
Backups are the last line of defence. If malware encrypts your data, if a system fails catastrophically, or if someone accidentally deletes critical files, backups are what get you back to operational. The Essential Eight recommends regular backups that are tested, stored securely, and not accessible from the same network as the data they protect.
The common failure mode for small business backups is not that they don’t exist, but that they have never been tested. A backup that hasn’t been verified with a test restore is a hope, not a control. Your IT provider should be running periodic test restores and confirming recovery times.
Where Sydney SMBs should start
You don’t need to implement all eight strategies simultaneously. The ASD defines maturity levels (zero through three) for each strategy, and most small businesses should aim for Maturity Level One across all eight as a starting point.
The highest-impact, lowest-effort starting points for a typical 10-50 seat business are MFA on all cloud services, managed patching on a regular schedule, and endpoint protection on every device. These three controls alone address the majority of attack vectors used against Australian SMBs.
From there, you can add application hardening, macro restrictions, and admin privilege management. Application control and full backup testing come last, not because they are less important but because they require more operational maturity to implement well.
Milnsbridge includes Essential Eight aligned security controls in every managed IT plan, starting at $89 per seat per month. That means SentinelOne endpoint protection, managed patching, MFA enforcement, and email security are part of the baseline, not quoted as extras. If your business needs a formal Essential Eight assessment with a maturity roadmap, that is available as a separate engagement scoped to your environment.
About the Author
Adrian Weir
Adrian Weir is the Managing Director and founder of Milnsbridge Managed IT Services, with over 30 years of global IT experience spanning Telstra, Citibank, Unilever, and hundreds of Sydney SMBs. A Microsoft Partner since 2002, Adrian leads a team of IT specialists delivering responsive, business-focused managed IT support across Greater Sydney.