What are the Essential Eight? The strategies essential to keep your organisation secure

30 Mar 2026, by Slade Baylis

There are many different approaches and strategies that organisations can choose from when looking to secure their systems, and one of the most widely adopted frameworks in Australia is the Essential Eight maturity model.  It is published by the Australian Signals Directorate (ASD), the Australian statutory agency responsible for cyber security and signals intelligence.

The Essential Eight - in what may sound like a sequel to a Tarantino movie - is designed to protect Australian organisations’ internet-connected IT networks.  It consists of eight mitigation strategies, each of which ASD considers essential to keeping systems secure, especially given the growing number, frequency and severity of cyberattacks.

That’s why in this month’s blog we’ll be exploring what the Essential Eight is, what strategies are included in it, and how organisations are evaluated against these strategies in its maturity model approach.

What are the Essential Eight?

As the name implies, the Essential Eight consists of eight cybersecurity mitigation strategies.  ASD considers them the baseline: implemented together they make it much harder for adversaries to compromise your IT systems, even though no baseline can guarantee protection against every modern threat.

The mitigation strategies that constitute the Essential Eight are:

  1. Patch Applications 

    With all software, it’s vitally important to keep your systems up to date.  Updates bring new features, but more importantly they carry the security patches for vulnerabilities found since the last release.

    Without those patches, your systems can be left wide open for attackers to exploit.  Once a vulnerability is disclosed, attackers routinely scan the internet for systems that have not yet been patched, choosing their victims by who is vulnerable.  Having a patching strategy and applying updates quickly is therefore critical, and the maturity model puts a number on “quickly”: at every maturity level, patches for vulnerabilities in internet-facing services that the vendor rates critical, or for which a working exploit exists, must be applied within 48 hours of release.  The strategy also expects you to run a vulnerability scanner to find missing patches, and to remove applications the vendor no longer supports rather than leave them installed and unpatchable.
     
  2. Patch Operating Systems

    Operating systems, such as Windows and macOS, are the base software that everything else runs on, and they are software like any other: they have vulnerabilities and need patching, arguably even more so than applications, because a flaw in the operating system undermines every application on top of it.  Their universal presence also makes them one of the most heavily targeted layers.

    You may have heard that some operating systems are more at risk than others.  There is some truth to this: some have a larger market share, some are more complex, and some have more unsupported legacy versions (known as “End of Life”) still in use without security fixes.  Whatever the brand, though, ALL operating systems are a high-value target and should be patched on the same footing as applications.  The maturity model applies the same 48-hour window to critical or actively exploited vulnerabilities in the operating systems of internet-facing servers and network devices, and expects operating systems that are no longer supported to be replaced rather than kept running.
     
  3. Multi-Factor Authentication

    With an ever-growing list of breaches at large organisations that succeeded because Multi-Factor Authentication (MFA) was not enforced on employees’ accounts, the need for it has never been clearer.

    MFA adds a second check that protects your systems from unauthorised access even when a user’s password has been stolen, which makes it significantly harder for an attacker to get in.  Not all MFA is equal, though: SMS codes and simple push prompts can be phished or fatigued into approval, whereas phishing-resistant methods such as FIDO2 security keys or passkeys bind the login to the genuine site.  For those interested, we covered this in our Why Multi-Factor Authentication (MFA) is Essential for Your Business Security article from last year.
     
  4. Restrict Administrative Privileges

    Implementing the principle of least privilege ensures that users and administrators have access only to the systems they absolutely require to perform their role, which limits the damage that can be done should any of those accounts be compromised.  In the maturity model this also means privileged access is requested and validated rather than granted by default, and privileged accounts are kept away from the internet, email and web browsing, so that an administrator’s everyday activity cannot become the route to their privileged credentials.
     
  5. Application Control

    Having control over your systems includes controlling what is allowed to be installed and run on them.  Without that ability you cannot ensure that only authorised software executes, which leaves you open to malware, data leakage and many other threats.

    Application control lets you specify exactly which software is allowed to run on your employees’ systems, with an official escalation pathway for employees who need to request a new application.  The approach of explicitly listing what may run and denying everything else is known as allowlisting (historically “whitelisting”); the opposite approach of listing only what is denied is denylisting (“blacklisting”).  The Essential Eight means the former: a denylist can only stop things you already know about, while an allowlist also blocks the malware nobody has seen yet.  Note that the strategy covers more than .exe files; at Maturity Level One it applies to executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets, at least within user profiles and the temporary folders used by the operating system, web browsers and email clients.
     
  6. Restrict Microsoft Office Macros

    You might be surprised to see such a specific application suite given its own strategy in the Essential Eight, but the reason is the ubiquity of Office combined with the level of threat that “macros” pose.

    Macros are small programs, written in VBA, that automate repetitive tasks in Microsoft Office applications and are saved inside the Office file itself.  Because they are full programs, attackers write them too: a malicious document arriving by email only needs the recipient to click “Enable Content”, and the macro can download and run further malware, giving the attacker a foothold without exploiting any vulnerability at all.

    It’s for this reason that the model requires macros to be disabled for every user without a demonstrated business need, blocked outright in files that originated from the internet, scanned by antivirus where they are allowed, and locked so that users cannot change the macro security settings themselves.
     
  7. User Application Hardening

    This strategy is about the everyday applications on users’ workstations that handle untrusted content, chiefly web browsers, Microsoft Office and PDF readers, and it aims to remove the features attackers most often abuse.  At Maturity Level One, for example, web browsers must not process Java or web advertisements from the internet, Internet Explorer 11 is disabled or removed, and browser security settings are locked so users cannot weaken them.  Higher levels extend this to Office and PDF software, such as preventing them from creating child processes, a common technique for launching malware from a document.
     
  8. Regular Backups

    Ensuring you have adequate backups, in terms of what is covered, how often they are taken and how long they are retained, is essential.  The model expects backups of important data, software and configuration settings to be taken and kept in line with your business continuity requirements, and restoration to be tested as part of disaster recovery exercises.  Also of critical importance is that these backups are adequately separated from the systems they’re designed to protect!

    Without proper isolation, an attacker who has breached your systems and moved laterally can reach the backups too.  Once they have access they could delete them, which negates the reason for having them in the first place, or encrypt them and ransom them back to you for exorbitant fees, as well as steal the data to sell.  That is why the model also restricts who can access, modify or delete backups, so that an ordinary user account (and, at higher maturity levels, even a privileged one) cannot simply wipe them.
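As an added illustration of the allowlisting point made under strategy 5 (this is example code written for this article, not code from the original page or from ASD), the following Python script compares a default-deny allowlist with a default-allow denylist over a handful of constructed sample “binaries”.  The byte strings stand in for real executable images, and the paths, hashes and policy structure are assumptions made for the example.  It also shows why a path rule that covers a user-writable directory is weaker than a hash rule.

```python
"""Application control: allowlisting (default deny) versus denylisting (default allow).

Added example, not code from the original page or from ASD.  The "binaries" are
constructed byte strings standing in for real executable images.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "executables" (the MZ prefix mimics a PE header, nothing more).
APPROVED_EDITOR = b"MZ\x90\x00 approved editor build 1.2.3"
APPROVED_BROWSER = b"MZ\x90\x00 approved browser build 120.0"
KNOWN_MALWARE = b"MZ\x90\x00 dropper seen in a previous incident"
NOVEL_PAYLOAD = b"MZ\x90\x00 payload nobody has seen before"
TAMPERED_EDITOR = APPROVED_EDITOR + b"\x00"  # one extra byte: hash no longer matches


@dataclass
class AllowPolicy:
    """Explicit allow rules; anything not matched is denied (assumed structure)."""
    allowed_hashes: set[str]
    allowed_dirs: tuple[str, ...] = ()  # path rules: only safe for non-user-writable dirs


def allowlist_permits(path: str, data: bytes, policy: AllowPolicy) -> bool:
    """Default deny: run only if a hash rule or a path rule explicitly matches."""
    if sha256_hex(data) in policy.allowed_hashes:
        return True
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(d)) for d in policy.allowed_dirs)


def denylist_permits(data: bytes, blocked_hashes: set[str]) -> bool:
    """Default allow: run unless the binary is explicitly blocked."""
    return sha256_hex(data) not in blocked_hashes


# Constructed execution attempts: (claimed path, file contents).
CASES = {
    "approved editor": (r"C:\Program Files\Editor\editor.exe", APPROVED_EDITOR),
    "known malware": (r"C:\Users\alice\Downloads\invoice.exe", KNOWN_MALWARE),
    "novel payload": (r"C:\Users\alice\Downloads\update.exe", NOVEL_PAYLOAD),
    "tampered editor": (r"C:\Program Files\Editor\editor.exe", TAMPERED_EDITOR),
}


def compare_models() -> dict[str, tuple[bool, bool]]:
    """Return {case: (allowlist permits, denylist permits)} for every sample."""
    policy = AllowPolicy(
        allowed_hashes={sha256_hex(APPROVED_EDITOR), sha256_hex(APPROVED_BROWSER)}
    )
    blocked = {sha256_hex(KNOWN_MALWARE)}
    return {
        name: (allowlist_permits(path, data, policy), denylist_permits(data, blocked))
        for name, (path, data) in CASES.items()
    }


def user_writable_path_rule_is_bypassable() -> bool:
    """A path rule over C:\\Users lets the never-seen payload run: users can write there."""
    weak = AllowPolicy(allowed_hashes=set(), allowed_dirs=(r"C:\Users",))
    path, data = CASES["novel payload"]
    return allowlist_permits(path, data, weak)


if __name__ == "__main__":
    for name, (allow, deny) in compare_models().items():
        verdict = lambda ok: "run" if ok else "block"
        print(f"{name:16} allowlist={verdict(allow):5} denylist={verdict(deny)}")
    print("user-writable path rule bypassed:", user_writable_path_rule_is_bypassable())
```

Run it directly to print the verdict for each sample.  The two rows worth noticing are the never-seen payload and the tampered copy of an approved program: both run under the denylist and both are blocked by the allowlist, because the allowlist asks “is this known good?” rather than “is this known bad?”.  Real products (Windows AppLocker, WDAC and their equivalents) add publisher-signature rules on top, but the default-deny logic is the same, and so is the warning about path rules over directories users can write to.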
     

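As an added example tied to strategy 6 (written for this article, not code from the original page or from ASD), the following Python script checks whether an Office attachment actually contains a macro project by looking inside the file rather than trusting its extension.  Modern Office formats are ZIP packages, and a macro-enabled file carries a vbaProject.bin part; the sample documents are minimal packages constructed inside the script, and the “renamed” case shows macro-bearing content masquerading under a .docx name.  Legacy binary .doc and .xls files are OLE2 containers rather than ZIPs, so the check reports them separately; a real pipeline would inspect those with an OLE parser (the oletools project is one option, not used here).

```python
"""Detect Office macros by inspecting file contents rather than trusting the extension.

Added example, not code from the original page or from ASD.  The documents are
constructed minimal OOXML packages; real files carry many more parts.
"""
import io
import zipfile

# Location of the VBA project inside Word, Excel and PowerPoint OOXML packages.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

WORD_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
WORD_MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
SHEET_MACRO_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>{overrides}</Types>'
)


def build_ooxml(main_part: str, main_type: str, with_vba: bool) -> bytes:
    """Build a constructed minimal package, optionally with a (fake) VBA project."""
    folder = main_part.split("/")[0]
    overrides = f'<Override PartName="/{main_part}" ContentType="{main_type}"/>'
    parts = {main_part: b"<document/>"}
    if with_vba:
        parts[f"{folder}/vbaProject.bin"] = b"\xd0\xcf\x11\xe0 fake VBA project stream"
        overrides += (
            f'<Override PartName="/{folder}/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    parts["[Content_Types].xml"] = CONTENT_TYPES.format(overrides=overrides).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify(blob: bytes) -> str:
    """Return 'macro', 'clean' or 'not-ooxml' based purely on the bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
            if any(part in names for part in MACRO_PARTS):
                return "macro"
            # Defence in depth: the package manifest also declares a VBA project.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    return "macro"
            return "clean"
    except zipfile.BadZipFile:
        # Not a ZIP: e.g. a legacy OLE2 .doc/.xls, which needs a separate OLE check.
        return "not-ooxml"


def should_block(blob: bytes) -> bool:
    """Block macro-bearing files and anything this check cannot inspect."""
    return classify(blob) != "clean"


# Constructed inbound attachments, keyed by the filename the sender chose.
SAMPLES = {
    "quarterly-report.docx": build_ooxml("word/document.xml", WORD_MAIN, with_vba=False),
    "invoice.docm": build_ooxml("word/document.xml", WORD_MACRO_MAIN, with_vba=True),
    # Same macro-bearing content with a harmless-looking extension: the name lies.
    "invoice-renamed.docx": build_ooxml("word/document.xml", WORD_MACRO_MAIN, with_vba=True),
    "budget.xlsm": build_ooxml("xl/workbook.xml", SHEET_MACRO_MAIN, with_vba=True),
    "legacy.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # OLE2 magic, not a ZIP
}


def scan(samples: dict[str, bytes]) -> dict[str, str]:
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:22} {classify(blob):10} block={should_block(name and blob)}")
```

The check deliberately errs on the side of blocking: an attachment it cannot parse is treated the same as one that carries macros, which matches the model’s stance of blocking macros in anything that arrived from the internet unless a business need has been established.  Note that the renamed file is classified identically to the honest .docm, which is the whole point of inspecting content rather than filenames.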
As you can see, at their most basic the eight strategies just list the high-level areas that an organisation needs to address in order to be secure.  It’s in the evaluation against these strategies that you find out how secure you really are.

Compliance is measured via a maturity model, which evaluates how well each strategy has been implemented against increasing levels of adversary tradecraft, that is, the tactics, techniques and procedures (TTPs) a malicious actor is prepared to use.  The higher the level of tradecraft a strategy’s implementation withstands, the more “mature” it is deemed to be.  Two details matter in practice: each of the eight strategies is rated separately, and your overall rating is the lowest level achieved across all eight, which is why ASD advises bringing every strategy up to the same level before pushing any one of them higher.

What are Maturity Levels?

When determining how secure your systems are, it’s important to consider the types of threats and level of targeting that you’re secure against.  Threats can vary in terms of their sophistication, both in terms of the TTP used as well as the time invested by the malicious actor to try and break into your systems. 

The systems, policies, and techniques you implement may protect you against more common threats, but may not protect you should a cyber-criminal take a special interest in breaking into your systems.  They may spend countless hours probing, evaluating, and attempting to learn all the weaknesses in your infrastructure and organisation.  The mitigation strategies you use to protect against the more basic threats will likely not protect you against these more diligent and persistent threats, which is why it’s important to know where you stand.

Maturity Level Zero

The lowest of the Maturity Levels is Level Zero, and it doesn’t so much describe a level of threat that has been protected against as the opposite.  For a strategy to be rated Maturity Level Zero, the organisation simply isn’t protected, not even to the level required by Maturity Level One.

Any system that’s deemed to be vulnerable to even commonly available, widely used, and non-targeted attacks will fall into this category.  With these systems, it’s not so much a matter of “if” they will be compromised, but a case of “when”. 

Maturity Level One

Some threats are non-targeted: they are launched against a wide array of potential victims using commodity tradecraft, the less sophisticated, publicly available tools and TTPs.  This covers a wide range of attacks, from generic phishing emails sent en masse to hundreds of thousands of recipients, to automated probing of servers for known vulnerable applications that can be breached without any manual effort.

These types of attacks differ in one substantial way from other types of threat.  The attackers who launch these attacks are often searching for vulnerabilities and choosing their targets based on who is vulnerable, rather than the inverse, which is choosing a target and then looking and probing them to see how they are vulnerable to different types of attack.

If your organisation can adequately protect against these broad, non-targeted threats but not against more sophisticated and targeted ones, Maturity Level One is the rating you would receive for the associated mitigation strategy.

Maturity Level Two

The natural next level of threat, compared to untargeted and broad reaching attacks, are those that are specifically aimed against a particular target.  These threats usually originate from malicious actors that are a step up in terms of their abilities and the quality of the attacks that they launch against their unfortunate victims.

These attacks are often ongoing, persisting over longer spans of time, with more effort invested by the malicious actor to break into their target’s systems.  They are often hand-crafted, such as phishing and social-engineering attacks aimed at particular staff members, launched after researching who that staff member is to improve the likelihood of success.

Similarly to before, if your organisation is positioned and set up to defend against these attacks, Level Two is the maturity level rating you would receive for the control being assessed.

Maturity Level Three

This is the highest standard within the Essential Eight framework.  Organisations that meet Maturity Level Three can demonstrate that all eight strategies are thoroughly implemented, documented and regularly reviewed.  They can defend not only against automated attacks and more sophisticated, targeted attacks, but can also greatly mitigate threats from adversaries that are far more adaptive, such as state-sponsored actors and well-funded cybercriminals.

As ASD puts it [1], the threats to be mitigated at Maturity Level Three come from malicious actors that are “willing and able to invest some effort into circumventing the idiosyncrasies and particular policy and technical controls implemented by their targets”.  Because of this they find weaknesses that automated methods would not usually find.  They are also “less reliant on public tools and techniques”, may exploit vulnerabilities not yet known to the wider security community, and are swift to act on new vulnerabilities.

These malicious actors aim to breach systems, evade detection and spread through the environment once they have a foothold.  In this category, monetary gain and extortion may not even be the primary goal: it includes state actors and affiliated groups that breach systems for espionage rather than money.

Overall, the controls at this level require very short timeframes for action and remediation, as well as detailed logging and continuous monitoring of activity on networks and systems.  Maturity Level Three is the gold standard for keeping your systems as secure as possible against the latest threats.

Have any questions about the Essential Eight or improving your Maturity Levels?

If you have any questions about the different strategies listed within the Essential Eight, or alternatively are looking for someone to speak to about how to improve your cybersecurity posture, let us know!

We can work with you directly and discuss your own infrastructure and organisational cybersecurity posture to offer guidance, as well as help implement recommended changes together. We also have a range of software and services to provide compliance with the Essential Eight and to improve your overall maturity levels in cybersecurity.

You can reach us via email at sales@micron21.com or by calling 1300 769 972 (choose option #1).

Sources

[1] Australian Signals Directorate, Essential Eight Maturity Model, <https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight/essential-eight-maturity-model>
