    The Essential Eight: What Every Australian Business Needs to Know

    15 February 2026 · 6 min read

    The Essential Eight is a set of baseline cyber security strategies developed by the Australian Cyber Security Centre (ACSC). Originally designed for government agencies, it has become the gold standard for businesses of all sizes across Australia.

    At HB Networks, we've helped dozens of businesses implement the Essential Eight — and we've seen firsthand how it transforms their security posture. Here's our plain-English guide to each strategy.

    1. Application Control

    Application control prevents unapproved software from running on your systems. Think of it as a bouncer at the door — only apps on the approved list get in.

    This is one of the most effective defences against malware, ransomware, and other malicious software. If an employee accidentally downloads something harmful, application control stops it from executing.

    2. Patch Applications

    Software vendors regularly release patches to fix security vulnerabilities. If you're not applying these patches promptly, you're leaving known doors open for attackers.

    We recommend patching critical vulnerabilities within 48 hours of release. For everything else, a two-week window is a reasonable target for most businesses.
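    To check an inventory against these windows, the added example below (not code from HB Networks or the ACSC) flags outstanding patches that have passed the 48-hour or two-week target, worst first. The host names, products and release times are constructed sample data, and the record layout is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Windows taken from the recommendation above: 48 hours for critical
# vulnerabilities, two weeks for everything else.
CRITICAL_WINDOW = timedelta(hours=48)
DEFAULT_WINDOW = timedelta(days=14)

# Constructed sample inventory of patches not yet installed (hypothetical
# hosts and products). "released" is the vendor release time in UTC.
MISSING_PATCHES = [
    {"host": "ws-01", "product": "PDF reader", "severity": "critical",
     "released": "2026-02-10T09:00:00+00:00"},
    {"host": "ws-01", "product": "Web browser", "severity": "high",
     "released": "2026-02-05T09:00:00+00:00"},
    {"host": "ws-02", "product": "Office suite", "severity": "medium",
     "released": "2026-01-20T09:00:00+00:00"},
    {"host": "srv-01", "product": "Mail client", "severity": "critical",
     "released": "2026-02-11T12:00:00+00:00"},
]


def deadline(patch):
    """Return the time by which this patch should have been installed."""
    window = CRITICAL_WINDOW if patch["severity"].lower() == "critical" else DEFAULT_WINDOW
    released = datetime.fromisoformat(patch["released"])
    if released.tzinfo is None:  # treat naive timestamps as UTC
        released = released.replace(tzinfo=timezone.utc)
    return released + window


def overdue_patches(patches, now):
    """Return (overdue_by, patch) pairs past their window, worst first."""
    late = [(now - deadline(p), p) for p in patches if now > deadline(p)]
    return sorted(late, key=lambda pair: pair[0], reverse=True)


def hosts_out_of_window(patches, now):
    """Return the sorted list of hosts with at least one overdue patch."""
    return sorted({p["host"] for _, p in overdue_patches(patches, now)})


if __name__ == "__main__":
    as_of = datetime(2026, 2, 12, 9, 0, tzinfo=timezone.utc)
    for late_by, p in overdue_patches(MISSING_PATCHES, as_of):
        hours = int(late_by.total_seconds() // 3600)
        print(f"{p['host']:7} {p['product']:13} {p['severity']:9} overdue by {hours} h")
```

    A patch that is exactly at its deadline is not counted as overdue; it becomes overdue only once the window has passed.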

    3. Configure Microsoft Office Macro Settings

    Macros are small programs embedded in Office documents. While they can be useful for automation, they're also one of the most common ways malware gets delivered — often through phishing emails with attached Word or Excel files.

    The Essential Eight recommends blocking macros from the internet and only allowing vetted macros in trusted locations.

    4. User Application Hardening

    This involves configuring web browsers and other applications to block risky content like Flash, Java, and web ads. These are common attack vectors that most users don't need.

    Simple changes like disabling unnecessary browser extensions and blocking pop-ups can significantly reduce your attack surface.

    5. Restrict Administrative Privileges

    Admin accounts are the keys to the kingdom. If an attacker compromises an admin account, they can do virtually anything on your network.

    The principle is simple: only give admin access to people who genuinely need it, and only for the specific tasks that require it. Regular users should never have admin rights on their workstations.

    6. Patch Operating Systems

    Just like applications, operating systems need regular patching. Unpatched operating systems are among the most commonly exploited weaknesses in cyber attacks.

    We manage this automatically for our clients through our monitoring and management platform, ensuring patches are tested and deployed without disrupting business operations.

    7. Multi-Factor Authentication (MFA)

    MFA adds a second layer of verification beyond just a password. Even if an attacker steals or guesses a password, they still can't access the account without the second factor.

    We consider MFA non-negotiable for any business. At minimum, it should be enabled on email, VPN, remote desktop, and any cloud services.

    8. Regular Backups

    Backups are your last line of defence. If everything else fails — ransomware encrypts your files, a disaster destroys your office, or human error deletes critical data — backups let you recover.

    The key is testing your backups regularly. A backup that hasn't been tested is a backup that might not work when you need it most.

    Getting Started

    You don't need to implement all eight strategies at once. Start with MFA and patching — these give you the biggest security improvement for the least effort.

    If you'd like a free assessment of where your business stands against the Essential Eight, get in touch with our team. We'll give you a clear picture of your current posture and a practical roadmap to improve it.
