The ACSC Essential Eight gets presented like an enterprise programme: eight strategies, four maturity levels, an implied army of specialists. For a thirty- person company where "the IT team" is one person named Dave who also runs the phones, that framing is paralysing. So nothing happens, and "we'll do security properly next year" becomes a tradition.
Here's the reframe: the Essential Eight is a sequence, not a checklist you attack all at once. Most small and mid-size organisations can make genuine, audit-visible progress on three or four strategies without hiring anyone.
What the Eight actually areLink to this section
| Strategy | The plain-English version | A realistic first move |
|---|---|---|
| Patch applications | Update your software | Turn on auto-update for browsers and key apps |
| Patch operating systems | Update the machines | Enforce OS updates via your device management tool |
| Multi-factor authentication | Two steps to log in | MFA on email and admin consoles first |
| Restrict admin privileges | Fewer keys to the kingdom | Remove local admin from daily-use laptops |
| Application control | Only run approved software | Start with an allowlist on your most sensitive machines |
| Restrict Office macros | Stop a classic malware path | Block macros from the internet by default |
| User application hardening | Shrink the attack surface | Disable Flash, Java, and ads in the browser |
| Regular backups | Be able to recover | Automate backups and test a restore |
Start where the leverage isLink to this section
If you do nothing else this quarter, do these three.
Patch applications and operating systemsLink to this section
Unpatched software is the boring answer because it's still the right one. Most real-world intrusions walk through a hole that had a fix available months ago. Turn on automatic updates everywhere you can, and put the few that need a human on a recurring calendar invite so they don't quietly rot.
Multi-factor authentication, everywhere that mattersLink to this section
Passwords stopped being a control years ago; they're a placeholder until MFA arrives. Email and admin consoles first – those are the accounts attackers use to reset everything else. Phishing-resistant MFA (passkeys, hardware keys) is the gold standard, but any MFA beats a password alone.
Backups you have actually restoredLink to this section
A backup nobody has tested is a wish with a cron job. Ransomware doesn't care how diligently you copied your data if you can't get it back. Run a real restore drill at least quarterly, time it, and write down who did what.
Where automation and AI quietly helpLink to this section
You don't have the headcount to watch logs all night, so let the tooling do it. Modern endpoint and identity platforms now flag anomalous logins, surface missing patches, and summarise alerts in plain language – work that used to need an analyst. Lean into that. Just remember the flip side: every AI assistant your team adopts is also new software that needs patching, access control, and a line in your asset list. Capability and attack surface arrive in the same box.
Pick a target and mean itLink to this section
Maturity Level One across all eight strategies beats Level Three on two and chaos on the other six. Consistency is the control.
Choose a maturity level, sequence the work, assign each strategy an owner with a date, and review it quarterly. The organisations that mature aren't the ones with the biggest budgets. They're the ones that picked an order and kept showing up.