Essential Eight Compliance for Perth SMEs: A Practical Guide

By Spectrum IT Services · Perth, WA · April 27, 2026 · 7 min read

The Australian Cyber Security Centre (ACSC) Essential Eight is now the de facto cyber security baseline for Australian businesses — and Perth SMEs that deal with government, healthcare, legal, or financial clients increasingly need to demonstrate compliance to win contracts and protect themselves from liability.

This guide explains each of the eight controls in plain language, what they mean for a typical Perth SME, and the realistic path to achieving Maturity Level 1 and 2 compliance.

What Is the Essential Eight?

The Essential Eight is a set of baseline cyber security strategies developed by the ACSC to mitigate the most common cyber threats facing Australian organisations. It covers eight distinct control areas, each rated at Maturity Level 1, 2, or 3.

ML1 (Basic Protection): Opportunistic attacks blocked. Good starting point for most SMEs.
ML2 (Targeted Defence): Protection against adversaries investing more effort. Recommended for businesses with sensitive data.
ML3 (Advanced Controls): Protection against sophisticated, persistent attackers. Typically government/critical infrastructure.

The Eight Controls Explained

1. Application Control

Only approved applications can run on your devices. This prevents malware, ransomware, and unauthorised software from executing — even if it gets onto a machine via email or USB.

For Perth SMEs: Microsoft Intune and Windows Defender Application Control (WDAC) can enforce this across your Microsoft 365 environment without expensive additional tools.

2. Patch Applications

Software vulnerabilities must be patched within defined timeframes: critical patches within 48 hours (ML2), non-critical within 2 weeks.

For Perth SMEs: Automated patch management via your RMM tool handles this at scale. The key is having a process that doesn't rely on users manually updating software.

3. Configure Microsoft Office Macro Settings

Macros in Office documents are a common malware delivery vector. Restrict macros to digitally signed, business-approved macros only.

For Perth SMEs: Microsoft 365 security hardening includes macro policy deployment via Intune group policy. Takes less than a day to implement.
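Added example, not code from the original post: a PowerShell script that applies and then verifies the registry values behind the Office macro policy described above (macros limited to digitally signed ones, and macros blocked in files downloaded from the internet). Intune and Group Policy write these same values; the script is for hardening a test machine or checking what a deployed policy actually set. Assumptions: Office 2016 or later (registry version 16.0), a per-user policy scope (HKCU), and an application list you extend as needed.

```powershell
# Added example, not code from the original post: apply and verify the Office macro
# policy values that the Intune / Group Policy settings "VBA Macro Notification Settings"
# and "Block macros from running in Office files from the Internet" write to the registry.
# Assumptions: Office 2016 or later (registry version 16.0) and a per-user policy scope
# (HKCU); the application list is the one a typical SME needs and can be extended.

$apps = @('Word', 'Excel', 'PowerPoint')

# VBAWarnings 3 = "Disable all macros except digitally signed macros".
# (4 would disable all macros without notification if the business uses none.)
# blockcontentexecutionfrominternet 1 = block macros in files carrying Mark-of-the-Web.
$desired = @{
    VBAWarnings                       = 3
    blockcontentexecutionfrominternet = 1
}

function Get-OfficeSecurityKey ([string]$App) {
    "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
}

function Set-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $key = Get-OfficeSecurityKey $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $desired.Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $desired[$name] -Force | Out-Null
        }
    }
}

function Test-OfficeMacroPolicy {
    # Emits one row per app/setting so the output can be logged or exported to CSV.
    foreach ($app in $apps) {
        $key = Get-OfficeSecurityKey $app
        foreach ($name in $desired.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Expected  = $desired[$name]
                Current   = $current
                Compliant = ($current -eq $desired[$name])
            }
        }
    }
}

Set-OfficeMacroPolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Because the values live under the Policies hive, users cannot override them from the Trust Center. Signed business macros then need a trusted publisher certificate deployed alongside this policy, otherwise legitimate macros stop running too; run `Test-OfficeMacroPolicy` on its own after an Intune sync to confirm the policy landed.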

4. User Application Hardening

Configure web browsers and other user applications to block web-based delivery of malware — disable Flash, restrict ActiveX, block ads from untrusted sources.

For Perth SMEs: Browser configuration policies deployed via Intune. Microsoft Edge with Defender SmartScreen provides strong default protection.

5. Restrict Administrative Privileges

Admin accounts should only be used for admin tasks. Standard users should never have local admin rights. Privileged Access Workstations (PAWs) are recommended for ML3.

For Perth SMEs: Role-based access control in Azure AD/Entra ID and removing local admin rights from standard user accounts are the key first steps — and among the most impactful changes you can make.
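Added example, not code from the original post: a PowerShell audit of the local Administrators group that reports every member not on an approved list, with an opt-in remediation switch. The approved patterns are placeholders to replace with your own break-glass account and the Entra-managed admin group names you use; the script uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets on Windows 10/11 and must run elevated.

```powershell
# Added example, not code from the original post: audit the local Administrators group
# against an approved list and report (or, with -Remediate, remove) everything else.
# Run elevated. The approved patterns below are placeholders; replace them with your
# own break-glass local admin and the Entra/Intune-managed admin groups you use.
# Requires the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10/11).

param(
    [switch]$Remediate
)

# Wildcard patterns matched against the member's Name as Get-LocalGroupMember reports it
# (local accounts appear as COMPUTERNAME\Name, cloud identities as AzureAD\user@domain).
$approvedPatterns = @(
    "$env:COMPUTERNAME\Administrator",      # built-in account (should be disabled or renamed)
    "$env:COMPUTERNAME\BreakGlass-Admin",   # placeholder: LAPS-managed emergency account
    'AzureAD\*-helpdesk-admin@*'            # placeholder: pattern for approved cloud admin accounts
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$ApprovedPatterns)
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        $member = $_
        -not ($ApprovedPatterns | Where-Object { $member.Name -like $_ })
    }
}

$unapproved = Get-UnapprovedLocalAdmins -ApprovedPatterns $approvedPatterns

if (-not $unapproved) {
    Write-Output "OK: no unapproved members of the local Administrators group on $env:COMPUTERNAME."
    return
}

Write-Output "Unapproved local administrators on $env:COMPUTERNAME:"
$unapproved | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

if ($Remediate) {
    foreach ($m in $unapproved) {
        # -WhatIf keeps this a dry run; remove it only after the list has been reviewed,
        # so a mistyped pattern cannot strip the last working admin account.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf
    }
}
```

Run it without `-Remediate` first across a pilot group of machines; the report is the evidence an assessor will ask for, and an unexpected entry (a vendor support account, an old imaging account) is exactly what this control is meant to surface before it is removed.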

6. Patch Operating Systems

OS patches (Windows, macOS, iOS, Android) must be applied within defined timeframes. Unsupported operating systems must be eliminated.

For Perth SMEs: Windows 10/11 via Intune with automatic patching enabled. Any devices still running Windows 10 after October 2025 End of Support need to be upgraded.

7. Multi-Factor Authentication (MFA)

MFA must be enabled for all remote access, email, and cloud services. Phishing-resistant MFA (hardware keys or FIDO2) is required for ML3.

For Perth SMEs: Microsoft Authenticator via Conditional Access in M365 blocks over 99.9% of account compromise attacks. This is the single highest-impact control for most businesses.
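Added example, not code from the original post: creating the Conditional Access policy that requires MFA for all users on all cloud apps, using the Microsoft Graph PowerShell SDK rather than the portal so the setting is repeatable and reviewable. Assumptions: the Microsoft.Graph modules are installed, the signed-in admin can consent to the Policy.ReadWrite.ConditionalAccess and Application.Read.All scopes, and the break-glass account ID is a placeholder you replace with your emergency-access account's object ID. The policy is created in report-only mode so the sign-in logs show its effect before it is enforced.

```powershell
# Added example, not code from the original post: create a Conditional Access policy
# that requires MFA for all users on all cloud apps via the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph modules installed; the admin can consent to the scopes
# below; the break-glass object ID is a placeholder. The policy starts in report-only
# mode ("enabledForReportingButNotEnforced") so nobody is locked out during review.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholder: object ID of the emergency-access (break-glass) account, excluded so that a
# broken MFA method or Authenticator outage can never lock every admin out of the tenant.
$breakGlassUserId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName   = 'CA001 - Require MFA for all users (Essential Eight ML1)'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')   # covers browser, modern clients and legacy protocols
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After a week in report-only mode, check the Conditional Access insights in the Entra sign-in logs for accounts that would have been blocked (service accounts and shared mailboxes usually surface here), fix those, then set `state` to `enabled`. For ML3's phishing-resistant requirement the same policy can carry an authentication strength that limits the accepted methods to FIDO2 or certificate-based sign-in instead of the generic `mfa` control.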

8. Regular Backups

Data, applications, and configuration must be backed up at defined frequencies. Backups must be tested. Offline or immutable copies required at ML2+.

For Perth SMEs: Cloud backup with immutable storage, daily incremental backups, and quarterly tested restores. Microsoft 365 has no native backup — a dedicated third-party solution is required.


The Path to Maturity Level 1 for Perth SMEs

For a typical Perth business of 10–50 users, reaching Essential Eight Maturity Level 1 involves:

  1. Week 1–2: Baseline assessment — what controls are in place, what's missing
  2. Week 2–4: MFA and admin privilege restriction (highest impact, fastest win)
  3. Week 3–6: Patch management automation, macro policies, browser hardening
  4. Week 6–10: Application control rollout, backup testing, documentation
  5. Ongoing: Monthly compliance reporting and quarterly reviews

Does My Perth Business Need This?

You should prioritise Essential Eight compliance if you:

Get a Free Essential Eight Assessment

Spectrum IT Services provides Essential Eight gap assessments and remediation for Perth SMEs. Find out where you stand and what it takes to reach ML1 or ML2.

Book a free assessment, or call 0431 882 201.

Frequently Asked Questions

Do Perth SMEs have to comply with the Essential Eight?

The Essential Eight is mandatory for Commonwealth entities but is the ACSC's strongly recommended baseline for all Australian businesses. Many government contracts and insurance policies now require Essential Eight compliance.

What is Maturity Level 1 of the Essential Eight?

Maturity Level 1 means you have basic implementations of all eight controls, protecting against targeted opportunistic attacks. It's the recommended starting point for most SMEs.

How long does it take to achieve Essential Eight compliance?

For most Perth SMEs starting from scratch, reaching Maturity Level 1 takes 4–12 weeks with a managed IT provider. Level 2 typically takes 3–6 months.

Can we achieve Essential Eight compliance using our existing Microsoft 365 subscription?

Yes. Microsoft 365 Business Premium includes the tools needed for most Essential Eight controls — Intune, Defender, Entra ID Conditional Access, and Purview. The key is proper configuration, not additional software.