The Essential Eight: Australia's blueprint for cybersecurity
When the Australian Signals Directorate (ASD) reports that a cyberattack hits an Australian organisation every six minutes, it's clear we need more than crossed fingers and hope to protect our digital assets. That's where the Essential Eight comes in—Australia's homegrown cybersecurity framework that's helping organisations across the country build stronger defences against increasingly sophisticated threats.
Whether you're unsure if your organisation's cybersecurity is adequate or you're already familiar with the framework and simply need a refresher, this guide will clarify the essentials. Now, let’s break down what the Essential Eight is, why it matters, and how you can use it to strengthen your digital defences.
What exactly is the Essential Eight?
The Essential Eight isn't just another cybersecurity checklist dreamt up in a boardroom. It's a carefully crafted framework developed by Australia's cybersecurity experts at the ASD, based on real-world intelligence about how cyberattacks actually happen and what stops them in their tracks.
Think of it as eight fundamental strategies that act as a multi-layered approach to cybersecurity. Each strategy targets different attack vectors, but they are designed to complement each other, creating multiple layers of protection that significantly hinder cybercriminals' efforts.
The framework emerged from ASD's extensive experience in cyberthreat intelligence, incident response, and penetration testing. They observed what works and what doesn't and distilled that knowledge into these eight core strategies that can protect most internet-connected IT networks. With 95% of organisations worldwide experiencing more than one data breach, and this statistic remaining consistent for Australian organisations, managing threats is a clear and non-negotiable priority.
The 8 strategies that keep Australian organisations safe
Let's dive into each of the Essential Eight strategies and understand what each is designed to protect against.
1. Application patching
Stay current with application updates, especially for applications that frequently interact with the internet. Outdated software creates easy opportunities for cybercriminals.
The strategy uses vulnerability scanners and patch management tools to identify and address vulnerabilities. It calls for a systematic approach to application security, not just clicking "update later".
2. Operating system patching
This is similar to application patching, but applied to operating systems. Operating systems are a primary target because they control access to network devices.
The framework emphasises prompt patching, especially for internet-facing servers and network devices.
3. Multi-factor authentication
Multi-factor authentication (MFA) is a highly effective step that requires users to verify their identity with more than one factor: something they know, something they have, or something they are.
If passwords are stolen, MFA adds a required step to reduce the risk of unauthorised access.
4. Restricting administrative privileges
Administrative accounts are like master keys to an organisation's digital kingdom. The Essential Eight framework emphasises limiting who has these powerful privileges and implementing the principle of least privilege—giving people only the access they absolutely need to do their jobs.
Eliminate standing admin privileges and use controls to prevent unauthorised elevation. That way, if one account is compromised, the impact is limited.
5. Application control
Application control is about ensuring only approved software can run on an organisation's systems. This prevents malware from executing and stops employees from installing potentially dangerous applications.
The strategy includes implementing allowlists for approved executables, libraries, scripts, and installers, while maintaining blocklists for known malicious software. It's particularly crucial for internet-facing servers where the attack surface is greatest.
6. Microsoft Office macro management
Microsoft Office macros can automate repetitive tasks, but they can also be weaponised by attackers to deliver malware. This strategy involves securing macro settings to prevent malicious code execution while still allowing legitimate business use.
Options include disabling macros by default; only allowing digitally signed macros from trusted publishers; or restricting macro execution to secure, sandboxed environments.
7. User application hardening
Configure apps—like browsers, PDF readers, or Microsoft 365—to reduce the attack surface by disabling extra features and blocking harmful content.
User application hardening is about making applications as secure as possible while maintaining usability for end users. Hardening means modifying settings and configurations to mitigate risk and make it more difficult for attackers to exploit vulnerabilities.
8. Regular data backups
When all else fails, good backups can mean the difference between a minor inconvenience and a business-ending disaster. This strategy emphasises regular, tested backups that are protected from the very threats they're intended to help organisations recover from.
Backups should have access controls (restrictions on who can reach them), regular restore testing (checking if backups work by restoring data), and be stored securely, separated from production systems (the live systems a business uses).
The maturity model: A roadmap to better security
The Essential Eight uses a maturity model with four levels, each protecting against different threats and attackers.
Maturity Level Zero: Compromised cybersecurity posture
Level zero is the most basic level of the Essential Eight model. It serves as a starting point for organisations that have a compromised cybersecurity posture and provides a basis on which to improve. Weaknesses in cybersecurity systems and processes may lead to an increased risk of data breaches and compromised personal information.
Maturity Level One: Protection against opportunistic attacks
Level one is suitable for smaller organisations and focuses on protection against adversaries using readily available tools and basic techniques. These attackers typically cast a wide net, looking for easy targets with common vulnerabilities.
At this level, it's about covering the basics well and closing the most obvious security gaps.
Maturity Level Two: Defence against targeted attacks
Level two is designed for medium to large enterprises facing more sophisticated threats. Attackers at this level invest more time and use well-known but effective tools to bypass security controls and evade detection.
This level calls for a more comprehensive implementation of each strategy, making it harder for determined attackers to succeed.
Maturity Level Three: Protection against advanced persistent threats
Level three offers the highest level of protection against highly sophisticated, adaptive adversaries who use advanced techniques to target specific organisations. These attackers possess the necessary skills, time, and resources to inflict significant damage.
This level is for organisations in high-threat contexts. It requires complete implementation of the controls, advanced monitoring, and responsive capabilities.
Why Australian organisations should care
The statistics paint a sobering picture of the current threat landscape. With the average data breach costing organisations $4.4 million in 2025—although this represents a decrease year over year—the financial case for robust cybersecurity is still clear.
But it's not just about money. Cyberattacks can erode customer trust, disrupt operations, and, in some cases, pose a threat to public safety. The Essential Eight provides a proven framework for building resilient defences that can withstand the evolving threat landscape.
For Australian government entities, compliance with the Essential Eight is mandatory. Non-corporate Commonwealth entities must achieve at least Maturity Level Two under the Protective Security Policy Framework. But even for organisations for which it's not compulsory, the framework represents cybersecurity best practices.
Making implementation practical
The beauty of the Essential Eight framework lies in its staged approach. You don't need to implement everything at once. Instead, you can:
Assess your current state against the maturity model.
Choose a target maturity level based on your risk profile and resources.
Develop a realistic implementation plan with clear milestones.
Prioritise strategies that address your most critical vulnerabilities first.
Implement controls (specific technical or policy measures to manage risks) progressively and validate their effectiveness before moving to the next level.
This approach makes the framework accessible to organisations of all sizes and security maturity levels. Small businesses can start with Maturity Level One and build their capabilities over time, while larger organisations can target higher maturity levels from the outset.
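The assessment and planning steps above can be sketched in a few lines, as an added example rather than ASD tooling or code from the original article: it takes a per-strategy self-assessment and produces one uplift stage per maturity level up to the target. It assumes the overall level is the lowest level across the eight strategies and that an unassessed strategy counts as Level Zero; the function names and sample scores are constructed.

```python
STRATEGIES = (
    "Application patching",
    "Operating system patching",
    "Multi-factor authentication",
    "Restricting administrative privileges",
    "Application control",
    "Microsoft Office macro management",
    "User application hardening",
    "Regular data backups",
)


def overall_maturity(assessed: dict[str, int]) -> int:
    """Assumption: overall level = lowest strategy level; unassessed strategies count as 0."""
    unknown = set(assessed) - set(STRATEGIES)
    if unknown:
        raise ValueError(f"not an Essential Eight strategy: {sorted(unknown)}")
    if any(level not in (0, 1, 2, 3) for level in assessed.values()):
        raise ValueError("maturity levels must be 0, 1, 2 or 3")
    return min(assessed.get(name, 0) for name in STRATEGIES)


def staged_plan(assessed: dict[str, int], target: int) -> list[tuple[int, list[str]]]:
    """One stage per level from the current overall level up to target, with strategies to uplift."""
    if target not in (1, 2, 3):
        raise ValueError("target must be Maturity Level 1, 2 or 3")
    current = overall_maturity(assessed)
    return [
        (level, [s for s in STRATEGIES if assessed.get(s, 0) < level])
        for level in range(current + 1, target + 1)
    ]


# Constructed assessment for a hypothetical organisation; backups were never assessed.
SAMPLE = {
    "Application patching": 2,
    "Operating system patching": 1,
    "Multi-factor authentication": 2,
    "Restricting administrative privileges": 1,
    "Application control": 0,
    "Microsoft Office macro management": 1,
    "User application hardening": 1,
}

if __name__ == "__main__":
    print("Overall maturity:", overall_maturity(SAMPLE))
    for level, work in staged_plan(SAMPLE, target=2):
        print(f"Stage: reach Maturity Level {level} ->", ", ".join(work))
```

With the sample scores, the first stage contains only application control and backups, so the two strategies at Level Zero are closed before any Level Two work begins.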
The road ahead
Cybersecurity is an ongoing journey. The threat landscape evolves, with attackers using new techniques and seeking unknown vulnerabilities. The Essential Eight emphasises regular review, not a set-it-and-forget-it approach.
Regular assessment and continuous improvement are essential. As your organisation grows and the threat landscape changes, you may need to adjust your target maturity level or enhance specific controls. The key is maintaining a proactive approach rather than waiting for an incident to force your hand.
The framework also emphasises the importance of having proper incident response capabilities. Even with the best preventive measures in place, some attacks may still succeed. Being prepared to detect, respond to, and recover from incidents is just as important as preventing them in the first place.
Your next steps
If you're ready to strengthen your organisation's cybersecurity posture using the Essential Eight framework, start with an honest assessment of your current standing. Map your existing security measures against each of the eight strategies and identify the gaps.
Engage cybersecurity professionals who know the Australian context to create an implementation plan tailored to your needs. Remember, the goal is continuous improvement and resilience, not perfection.
The Essential Eight framework represents Australia's collective cybersecurity wisdom, distilled into practical strategies that work. By implementing these measures thoughtfully and systematically, you're not just protecting your own organisation—you're contributing to Australia's overall cyber resilience.
Don’t wait—review your organisation’s cybersecurity measures today by mapping them against the Essential Eight. Choose a target maturity level, develop an actionable plan, and begin implementing improvements that address your most critical vulnerabilities. By taking these practical steps, you strengthen your organisation and help secure Australia’s digital future.