Essential Eight Basics

Hello Sello Techos!

This week we wanted to discuss the Cyber Security Essential Eight; specifically, we will discuss what the Eight are, why they are important, and what you may need to do about them. As one of our goals with this blog is to de-mystify all of the “techo talk”, I will try to break this down in a way that both techos and non-techos (like me!) can understand and gain something from. As we’ve said before, cyber security is not just a privilege for the already knowledgeable; it is an area that impacts everyone and that everyone should be aware of.

One disclaimer before we get started: this post is fairly specific to Australian organisations, and in particular non-corporate Commonwealth entities, which are now required to implement the Essential Eight. That said, these are great guidelines for many types of organisations that have a cyber presence!


What are the Essential Eight?

The Essential Eight are recommended as a baseline set of mitigation strategies that the Australian Cyber Security Centre (ACSC) has developed to help ensure organisations are protected against cyber threats. These guidelines are becoming increasingly important, as cyber threats have been drastically increasing over the years. According to the ACSC:

  • Over 67,500 cyber-crimes were reported in the 2020-2021 financial year – that is almost 1 attack every 8 minutes! This is up from 1 attack every 10 minutes the previous year.
  • Losses totalled more than $33 billion (self-reported).
  • Approximately 25% of incidents were associated with Australian critical infrastructure.
  • More than 75% of pandemic-related cybercrime events involved loss of money or personal information.

So, obviously, cyber security is an important concern for all of us! This brings us to the Essential Eight, which was originally published in 2017 as an update to the Australian Signals Directorate (ASD) Top Four set of strategies for federal government entities to protect themselves. In the latest Protective Security Policy Framework (PSPF) Policy 10, not only are the Eight strategies mandated, but Maturity Level Two is also mandated for some organisations as of 1 July 2022.

First off, let’s talk about what the Eight actually are. In a nutshell, the strategies are:

  1. Application Control – Let only approved users run certain file types.
  2. Patch Applications – Patch vulnerable applications as soon as updates are released.
  3. Configure MS Office Macro Settings – Let only approved users make changes to settings and stop the operation of unapproved automated tasks in Office.
  4. User Application Hardening – Protect your internet browsers.
  5. Restrict Admin Privileges – Ensure that only approved users can make changes to your system.
  6. Patch Operating Systems – Immediately address when your operating system needs to be updated, patched, or modified to prevent vulnerabilities.
  7. Multi-Factor Authentication – Use multiple methods to ensure the people accessing your system are who they say they are. The days of password-only protection are over!
  8. Regular Backups – Keep your data backed up and secure, so that in case a recovery is needed you have minimal interruption.

Obviously this is a bit of a simplification of these topics; for full and complete details, please review the Essential Eight Maturity Model. The Maturity Model also breaks down the specific requirements for each of the Eight. The key piece of information here is that there are different Maturity Levels, which indicate different levels of security and compliance.


So that’s the “What”… what about the “Who”, “When” and “How”?

Who: With the publication of Policy 10, all non-corporate Commonwealth entities must be at Maturity Level Two. However, as we stated before, these guidelines are great for everyone who operates a Windows-based system!

When: Implementation is required as of 1 July 2022, so… now!

How: I’ll refer you to our next section 🙂

The Essential Eight are all about minimum standards to protect yourself. While there are guidelines set out for compliance purposes, it is always a good idea to evaluate your organisation and determine what is the best level of protection for what you do. For those who want to go above-and-beyond the minimum, there are many additional suggestions which have been published to help you go Beyond the Eight.


Where should you go from here?

The best thing to do is to reach out to us to schedule a free 30-minute Essential Eight Maturity Level assessment. This is really your first step: before you can map out the path forward you need to have a good understanding of what your starting point is. During this assessment we will:

  • Help you identify what Maturity Level you are at for each of the Eight (you might be at different levels for different requirements!)
  • Identify what needs to be done to bring you up to full compliance.
  • Provide observations and recommendations for any ongoing security risks that go Beyond the Eight.

From there you have many options ahead of you. But don’t worry, Sello Tech will have you covered to ensure that your digital world stays secure! To contact us please email:, and include “Essential Eight” in the subject line!

Stay secure, friends.

