Skip to content
Call: 1300 596 560
ITL-Coloured-H.png
  • Products
    CCare.png

    Comprehensive IT support and maintenance services to ensure smooth business operations.

    CPrivate_1.png

    Secure, private networking solutions tailored for your business's specific needs.

    CCloud.png

    Flexible cloud solutions for secure, scalable, and efficient data management.

    CNetwork.png

    Robust networking services to keep your business connected and efficient.

    CNBN.png

    High-speed NBN services to boost your internet connectivity and productivity.

    CVoice.png

    Advanced voice communication solutions to enhance your business communications.

    CPBX_1.png

    Innovative PBX systems providing reliable and scalable telecommunication solutions.

    Connect Web

    Enhance your online presence & streamline operations with our tailored web solutions!

    Our Products - Connect Cyber

    Protect your digital assets & safeguard your business online with our comprehensive cyber security services.

  • Services

    IT Support Services

    We offer tailored IT support customised to your business or enterprise needs & operations, ensuring optimal performance of your systems and infrastructure.

    Learn More

    Business IT Support

    Get specialised IT support for your business that ensures your technology aligns with your specific business goals, enhancing efficiency and productivity.

    IT Consulting

    Make informed decisions, implement effective strategies, and navigate complex landscapes with the help of our expert IT consultancy services!

    IT Procurement Services

    Let us assist you in acquiring the best tech solutions at competitive prices so that your business gets superior value, quality & performance.

    Managed IT Services

    Our innovative Managed IT Services drive business growth & scale with you! We work with you to understand your specific Managed IT needs, creating solutions that improve your IT infrastructure at a simple fixed monthly rate.

    Learn More

    Managed IT Support

    Experience hassle-free & cost-effective IT outsourcing to take the complexity out of IT management for your business.

    Managed Backups

    Safeguard your critical data, minimise downtime and ensure quick recovery when you need it, for total peace of mind and continuity.

    Managed IT License Management

    Streamline your IT lincense renewals and software license management to ensure compliance and optimised usage.

    Managed Firewall

    Fortify your network's security, protect against unauthorised access & evolving cyber threats for effective collaboration and operations.

    Microsoft 365

    Transform and modernise your workplace with our comprehensive M365 Solutions. Designed to foster collaboration, enhance flexibility & enable seamless connectivity from any location!

    Learn More

    Microsoft 365 Migration

    Seamlessly migrate to Microsoft 365 with our smooth transitioning process for minimal downtime.

    Microsoft 365 Backups

    Protect your critical M365 data with our robust backup solutions, ensuring data integrity and security.

    Email Signature Management

    Manage & unify your organisation's email signatures, reinforcing your professional brand identity.

    Microsoft Teams

    Achieve unparalleled team collaboration with Microsoft Teams for Business or Enterprise!

    Cyber Security Solutions

    In today’s ever-changing digital landscape, robust cyber security is essential. We develop tailored solutions that protect your business and safeguard sensitive customer information for confidence and peace of mind!

    Learn More

    Email Security

    Fortify your email communications to safeguard sensitive data and ensure uninterrupted business operations.

    Endpoint Security

    Enhance the security of your endpoints, from laptops to mobiles, ensuring compliance & threat protection.

    Cyber Security Training

    Empower your staff to proactively handle cyber threats & foster a culture of cyber awareness and preparedness.

    Essential 8 Simplified

    Implement a streamlined Essential 8 cyber strategy to effectively mitigate cyber risks in your business.

    Cyber Security Audits

    Conduct cyber audits to identify vulnerabilities, enhance security measures & ensure robust defences.

    Cloud Computing

    Reduce your IT infrastructure costs, increase operational efficiency and flexibility & improve the overall performance of your systems with our versatile and scalable cloud computing services for business and enterprise.

    Learn More

    Cloud Computing Services

    Enjoy fully scalable & versatile cloud computing services to drive business efficiency.

    Cloud Migration

    Our seamless migration services ensure a smooth transition and integration with your IT systems to the cloud.

    Cloud Backups

    Benefit from reliable cloud backup solutions to protect your critical data and client information.

    VoIP Telephony

    Our VOIP telephony solutions provide a cost-effective and flexible solution for businesses to communicate with their clients & employees. Enjoy greater mobility, scalability, and accessibility compared to traditional phone systems!

    Learn More

    VoIP Phone Systems

    Discover our state-of-the-art VoIP phone systems for superior communications.

    Remote Workplace Solutions

    Explore our innovative IT solutions to support efficient remote work environments & hybrid teams.

  • Industries

    Transportation

    Specialised IT solutions for the transportation sector.

    Learn More

    Professional Services

    Tailored IT services for professional service providers.

    Learn More

    Education & Government

    Specialised IT services for educational institutions and government bodies.

    Learn More

    Healthcare & Aged Care

    Custom IT solutions for healthcare and aged care facilities.

    Learn More

    Manufacturing

    Advanced IT solutions to streamline manufacturing processes.

    Learn More

    Mining & Resources

    Robust IT solutions for the mining and resources industry.

    Learn More

    Retail Industry

    Explore our innovative IT solutions for the retail industry.

    Learn More
  • Resources

    New User Form

    Do you need assistance with setting up a new user? Complete our new user form.

    New User Form

    Exit User Form

    Need help with an urgent IT issue? Complete our exit user form here.

    Exit User Form

    Blog

    Stay ahead in the digital world with our latest blogs. Get expert insights on evolving IT advancements or tips for seamless business IT operations!

    Read The Blog

    Case Studies

    Discover the success stories of IT Leaders’ clients and unlock the secrets to seamless IT support, managed services, cloud computing & VoIP telephony!

    Discover Our Case Studies
  • About

    About Us

    Learn more about IT Leaders, our values, team, and our expert services!

    Learn More

    Get Support

    Lodge a support ticket & we will get back to you as soon as possible!

    Get Support

    Technical Capability Summary

    Discover IT Leaders’ range of technical capabilities as a leading Australian IT solutions provider and MSP!

    Learn More

    Careers

    Discover the opportunities to join our team!

    Explore

    Our Team

    Do you need assistance with setting up a new user? Complete our new user form.

    Learn More

    Our Partners

    Gold Coast IT Services that will help your business optimise and grow as fast as you grow.

    Learn More

    Testimonials

    Do you need assistance with archiving your email? Complete our exit user form.

    View Testimonials
  • Contact
Call: 1300 596 560

How to Implement the Essential Eight Maturity Model

  • September 11, 2024
Essential Eight

Cyber security can sometimes seem unapproachable. How do you defend against so many different threat vectors? How can you secure your data when even industry leaders like Medibank get breached? How do you even know where to start?

Luckily, frameworks like the Essential Eight make it easy. In this article, we’ll explore exactly what the Essential Eight is and how SMBs can use it to build effective cyber security postures. We’ll also explain exactly what resources you need to implement each of the 8 strategies.

What Is the Essential Eight Maturity Model?

The Essential Eight is a set of cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD), a federal government body.

Each of the 8 strategies has multiple controls – technical requirements that organisations need to meet to stay compliant. Those controls increase in complexity across each of the 4 Essential Eight maturity levels. Maturity Level Zero (ML0), which indicates cyber security weaknesses, is the lowest maturity level and ML3, which is designed for high-risk organisations, is the highest.

The Essential Eight strategies are:

  1. patch applications
  2. patch operating systems
  3. multi-factor authentication
  4. restrict administrative privileges
  5. application control
  6. restrict office macros
  7. user application hardening
  8. regular backups.

Essential Eight

Why Is the Essential Eight Necessary?

Think of the Essential Eight as the baseline cybersecurity standard for organisations. It’s necessary but not sufficient for a strong security posture.

Its value as a framework, though, comes from its structure. The 8 strategies have been selected through prioritisation – that is, they’re the minimum requirements to protect your organisation against cyber threats (as per the ASD’s own research). Implementing ML1, for example, will give most SMBs strong coverage without imposing an unnecessarily high security burden.

Virtually every business with 5 or more employees (and some with fewer) should aim to achieve Essential Eight ML1. In addition to the standard benefits of good cybersecurity (a lower risk of breaches equals less potential downtime, costs, and reputational damage), implementing the Essential Eight can be useful for meeting partner/supplier requirements and may actually be required by some cyber insurers.

 

Essential Eight Versus Other Models

The Essential Eight isn’t the only cybersecurity framework that your organisation should consider. Others include:

  • the CIS Critical Security Controls Version 8, an international framework that’s essentially a more robust version of the Essential Eight
  • the NIST Cybersecurity Framework 2.0, an industry-leading framework developed by the US’s National Institute of Standards and Technology
  • the Information Security Manual, a holistic cybersecurity framework developed by the ASD, which has a broader scope than the Essential Eight
  • ISO 27001, the international standard for infosec and cybersecurity.

Keep in mind that the above frameworks/standards may not be suitable for smaller organisations. They’re technically complex, costly to implement, and deliver an extremely high level of security coverage – which may not be necessary for SMBs with low risk profiles. Essential Eight ML1, on the other hand, is recommended for organisations of all sizes.

 

Implementing Essential Eight ML1

Essential Eight ML1 isn’t difficult to implement – it is designed for SMBs – but you’ll still need a competent managed service provider (MSP) or in-house team. To make the implementation process easier, this article will provide an overview of each strategy and explain the basic steps your team will need to take.

You can find the exact ML1 requirements in Appendix A of the ASD’s guide.

 

Patch Applications

To meet the ‘Patch Applications’ controls, you’ll need two resources:

  • a vulnerability scanner like Microsoft Defender, Tenable or Rapid7
  • a proactive in-house team or MSP.

Most of the controls can be addressed by deploying and correctly configuring a suitable vulnerability scanner.

Common vulnerabilities and exposures (CVE) patch application, though, requires manual intervention. Once a vendor has identified a CVE in their software, they’ll roll out a patch to address it, which your IT team needs to implement. (Your vulnerability scanner will tell your team when a patch is required.) To stay compliant with ML1, you’ll need to patch critical vulnerabilities in 48 hours and non-critical ones in 2 weeks.

Your team will also need to proactively remove unused services and apps, which means they’ll need to maintain documentation that lists in-use resources.

 

Patch Operating Systems

Meeting the ‘Patch Operating Systems’ controls requires the same approach as ‘Patch Applications’. A good vulnerability scanner, on-time patching, and proactive retirement of legacy operating systems will generally be enough to stay compliant.

The main difference is that your IT team will need to patch critical vulnerabilities in 48 hours, non-critical vulnerabilities for internet-facing systems in 2 weeks, and non-critical vulnerabilities for non-internet-facing systems in 4 weeks.

 

Multi-Factor Authentication

Multi-factor authentication (MFA) is a verification method that requires an end user to combine at least two proofs of identity. The standard is: something a user knows (such as a password) plus something a user has (such as a token) and/or something a user is (such as a biometric).

To meet ML1, you’ll need MFA across your apps. Microsoft Entra can be used to provide MFA for Microsoft 365 using Microsoft Authenticator; your IT team should set up number-matching push notifications in conjunction with passphrases of 14 characters or more. Non-Microsoft apps, like your CRM, should be secured with a similar method.

Keep in mind two things when you’re implementing the ML1 MFA controls. Firstly, more doesn’t equal safer. If you make your end users complete MFA every time they use an app, they’ll become fatigued and vulnerable to MFA phishing. Secondly, MFA doesn’t guarantee safety; if an adversary breaches your defences in some other way, they can bypass MFA through an adversary-in-the-middle attack.

 

Restrict Administrative Privileges

‘Restrict Administrative Privileges’ is a strategy based around the principle of least privilege: that all users should have minimum network access levels. If you don’t need it, you shouldn’t have it.

ML1 requires two categories of action:

  • Create and use separate accounts for privileged and non-privileged actions (that is, a privileged account should never be used to access a non-privileged system, and vice versa).
  • Where possible, prevent privileged accounts from accessing the internet.

The ML1 controls can be met by setting up separate accounts and then configuring role-based accesses in Microsoft Entra (which can also log privileged activity). Privileged accounts can be blocked from the internet by removing their relevant Microsoft 365 licenses and then implementing a cloud proxy.

 

Application Control

Application control refers to automatically blocking specific executables, which helps prevent malicious code from spreading through your systems. You can meet the ML1 controls through Microsoft AppLocker (which comes standard with all enterprise Windows editions) or Defender Application Control (which is necessary for more complex environments).

Many issues with application management can be solved by implementing the ML1 ‘Restrict Administrative Privileges’ controls. Once your IT team limits administrative access to essential personnel and implements an application allow list, you should eliminate the majority of unapproved downloads.

 

Restrict Office Macros

Microsoft Office macros are commands that allow users to automate tasks in Microsoft applications like Word and Excel. They’re also often used by adversaries to execute malicious code, which is why ML1 requires restricting their use.

As of July 2024, Office applications will automatically block macros from internet-originated files. That means your IT team can disable all macro usage by default using Intune (exempting users who have demonstrated business requirements). A security app like Defender will automatically scan for malicious macros.

 

User Application Hardening

Like ‘Restrict Office Macros’, ‘User Application Hardening’ is likely already implemented, to an extent, by your organisation’s use of Windows 11 and Microsoft 365. Internet Explorer 11 and Java aren’t installed on Windows 11, which means you’ll only need to disable them if your organisation is running on legacy systems.

The other two controls – disabling ad processing by browsers and removing the ability for end users to change security settings – can both be accomplished by setting Intune policies.

 

Regular Backups

Unlike most of the ML1 strategies, the ‘Regular Backups’ controls aren’t particularly specific. As long as you have a secure backup solution in place – and test it regularly – you’ll be compliant.

With that said, not all backups are created equal. Aim to follow the 3-2-1-1-0 rule, which means having:

  • 3 different copies of data
  • stored on at least 2 different media
  • with one stored offsite
  • and zero errors following backup recoverability verification.

We typically recommend combining a solution like Veeam or Commvault with air-gapped, offsite backups and immutable blob storage in Azure. (‘Air-gapping’ is almost exactly what it sounds like – tape backups that are physically separated from your network and isolated in cold storage, preferably in a different city).

 

Next Steps

Good cyber security doesn’t mean an enterprise software stack or a bloated annual budget. It can be as simple as Essential Eight ML1 – infosec fundamentals that, together, substantially reduce your attack surface.

Of course, ‘fundamental’ doesn’t equal ‘easy to implement’. You still need an IT partner that understands how the Essential Eight should be implemented, especially if you’re operating a more complex computing environment. And you need the right implementation approach, one that balances operational and budget realities with security requirements.

We’ve helped more than 500 organisations across Australia become Essential Eight-compliant across all three maturity levels. If you’re interested in what that could look like for your business – or if you want an unbiased evaluation of your current security posture – schedule a consultation with us.

Share It:

Read More IT Leader Articles
Loading...
laptop screen showing software updates
October 28, 2024

Windows 10 Countdown: Why It’s Time to Upgrade Your PC Today

Windows 10 has been a reliable companion, but its days are numbered. Come October 14, 2025, Microsoft will end support for it. That means...
Read More
someone using a laptop looking at an email
October 21, 2024

Six Signs of Business Email Compromise to Watch For

Table of Contents Business email compromise (BEC) attacks are the most common cyber threat that Australian businesses face. They’re also one of the most...
Read More
smart office trends
October 14, 2024

Boost Productivity: Top 6 Smart Office Trends You Need To Know

The office environment is experiencing a major overhaul. The days of drab cubicles and repetitive routines are behind us. Today’s smart offices are vibrant...
Read More
ITL-Coloured-WhiteSub-H.png

Professional IT Services that are optimised to change and grow as fast as your business!

Facebook Twitter Linkedin

Products

  • Connect Care
  • Connect Cloud
  • Connect NBN
  • Connect Network
  • Connect PBX
  • Connect Private
  • Connect Voice
  • Connect Web
  • Connect Cyber

Services

  • IT Support
  • Managed IT Services
  • Microsoft 365 Solutions
  • Cyber Security
  • Cloud Computing
  • Cloud Migration
  • Cloud Backup
  • VoIP Telephony

Support

  • Contact Us
  • New User Form
  • Exit User Form

Resources

  • Careers
  • Blog
  • Technical Capabilities

© 2025 IT Leaders

Terms & Conditions

Privacy Policy