Cybersecurity 20 March 2026 8 min read Managed ICT Solutions, Perth WA

If you've heard the term "ASD Essential Eight" but aren't sure what it actually means for your Perth business, you're not alone. It's government-speak for what is actually a very practical set of cybersecurity actions — and for most Perth SMBs, implementing them is more straightforward than you'd think.

This guide explains each of the eight controls in plain English, tells you what your business needs to do, and helps you understand where to start.

What Is the ASD Essential Eight?

The ASD Essential Eight is a set of eight cybersecurity strategies developed by the Australian Signals Directorate (ASD) — the Australian Government's signals intelligence and cyber security agency — to help organisations protect their systems against the most common types of cyber attacks.

It is published and maintained by the Australian Cyber Security Centre (ACSC) as part of the Strategies to Mitigate Cyber Security Incidents framework. The Essential Eight represents the top eight strategies that, when implemented together, can prevent the majority of cyber attacks targeting Australian businesses.

Is it mandatory? The Essential Eight is mandatory for all Australian Government agencies. For private sector businesses, it is strongly recommended by the ACSC — and in some regulated industries (banking under APRA CPS 234, healthcare under ADHA requirements), it is effectively required as part of broader compliance obligations. Most Perth SMBs should treat it as a baseline standard, not an optional extra.

Why the Essential Eight Matters for Perth SMBs

Cyber attacks on Australian businesses increased by 23% in the 2024–25 financial year, according to the ACSC Annual Cyber Threat Report. Small and medium businesses were the most targeted group — and Western Australia's resources, legal and healthcare sectors were among the hardest hit.

The most common attack vectors are:

  • Phishing emails targeting staff credentials
  • Unpatched software vulnerabilities exploited by automated scanning tools
  • Weak or stolen passwords used to access business accounts
  • Ransomware deployed after an initial foothold is established

All four of these attack methods are directly prevented or significantly mitigated by the Essential Eight controls. That's why the ASD developed them — they are the minimum effective defence for any Australian business operating online.

The Eight Controls — Explained in Plain English

1. Application Control

"Only approved software is allowed to run on your business computers."

Application control prevents malicious software (malware) from running on your systems — even if it somehow gets onto a device. It works by creating a whitelist of approved applications; anything not on the list simply cannot execute.

What you need: Application whitelisting software configured for all Windows endpoints. Microsoft AppLocker or Windows Defender Application Control (WDAC) can be used on Windows 10/11 Pro and Enterprise.

2. Patch Applications

"Keep all your business software updated — and fast."

Cybercriminals regularly exploit known vulnerabilities in outdated software. The ASD recommends patching internet-facing applications within 48 hours of a critical patch being released, and all other applications within two weeks.

What you need: Automated patch management for Microsoft 365, Adobe, browsers, and all business applications. This is typically handled by your managed IT provider using RMM (Remote Monitoring and Management) software.

3. Configure Microsoft Office Macro Settings

"Disable Office macros unless there's a genuine, verified business reason."

Microsoft Office macros (automated scripts in Word, Excel, PowerPoint) are one of the most common malware delivery methods. Attackers send phishing emails with macro-enabled documents; when the document is opened and the macro runs, malware is installed.

What you need: Microsoft 365 Group Policy configured to block macros from the internet. If your business genuinely needs macros for specific workflows, use digitally signed macros from trusted publishers only.
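As an added illustration (example code written for this guide, not the article's or Managed ICT Solutions' own tooling), the following PowerShell check reads the Office macro registry values that a Group Policy or Intune deployment of this control sets and reports, per application, whether internet macros are blocked and unsigned macros are disabled. The Office registry version key "16.0" and the check being limited to the current user are assumptions noted in the comments.

```powershell
# Added example (not from the original article): check the Office macro registry settings
# that Group Policy / Intune sets for this control, for the current user, across Word,
# Excel and PowerPoint. Assumes Microsoft 365 / Office 2016+ (registry version key "16.0").
$OfficeVersion = "16.0"
$Apps = "Word", "Excel", "PowerPoint"

# Meaning of the VBAWarnings value (Trust Center "Macro Settings").
$VbaMeaning = @{
    1 = "enable all macros (unsafe)"
    2 = "disable with notification (user can still click Enable Content)"
    3 = "disable except digitally signed macros"
    4 = "disable all macros without notification"
}

function Get-MacroPolicyStatus {
    param([string]$App)
    # Values under Policies\ come from Group Policy or Intune and cannot be changed by the
    # user; the non-policy key holds whatever the user last chose in the Trust Center.
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $userPath   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"

    $blockFromInternet = $null; $vbaWarnings = $null
    foreach ($path in @($policyPath, $userPath)) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        # Policy path is checked first, so a policy value wins over a user value.
        if ($null -eq $blockFromInternet) { $blockFromInternet = $props.blockcontentexecutionfrominternet }
        if ($null -eq $vbaWarnings)       { $vbaWarnings       = $props.VBAWarnings }
    }

    $setting = if ($null -ne $vbaWarnings -and $VbaMeaning.ContainsKey([int]$vbaWarnings)) {
        $VbaMeaning[[int]$vbaWarnings]
    } else { "not configured (Office default: disable with notification)" }

    [pscustomobject]@{
        Application       = $App
        BlockFromInternet = ($blockFromInternet -eq 1)
        MacroSetting      = $setting
        EnforcedByPolicy  = (Test-Path $policyPath)
        # Compliant only when internet macros are blocked AND unsigned macros are disabled.
        MeetsGuidance     = ($blockFromInternet -eq 1) -and ($vbaWarnings -in @(3, 4))
    }
}

$Apps | ForEach-Object { Get-MacroPolicyStatus -App $_ } | Format-Table -AutoSize
```

A row showing EnforcedByPolicy as False means the user can change the setting back in the Trust Center, so the value should be pushed through Group Policy or Intune rather than left to the user.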

4. User Application Hardening

"Turn off dangerous features in your everyday applications that attackers commonly exploit."

Web browsers and PDF viewers are common attack surfaces. Hardening means disabling or restricting features like Flash, Java in browsers, ads from unknown sources, and unnecessary browser extensions.

What you need: Browser policy configuration (Chrome or Edge management), Adobe Reader hardening, and review of browser extensions across all staff devices. Managed via Microsoft Intune or Group Policy.

5. Restrict Administrative Privileges

"Don't give staff more system access than they actually need for their job."

Administrator accounts have full system access. If an attacker compromises an admin account (via phishing or stolen password), they can do anything — install malware, delete backups, export all data. The principle of least privilege means staff only get access to what they need.

What you need: A review of all user accounts and admin rights in Microsoft 365 and Active Directory. Separate admin accounts for IT tasks. Regular access reviews (at least quarterly). Remove admin rights from standard user accounts.
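To show what the admin-rights review looks like in practice, here is an added PowerShell example (not the article's or Managed ICT Solutions' own script) that lists who holds local Administrators membership on a Windows endpoint and, where the ActiveDirectory module is installed, who is in Domain Admins, flagging anyone not on an approved list. The approved-list entries are constructed placeholders.

```powershell
# Added example (not from the original article): report every principal with admin rights on
# this endpoint and in Domain Admins, flagging anything not on the approved list.
# The approved list is a constructed placeholder; replace it with your own named accounts.
$ApprovedAdmins = @("Administrator", "CONTOSO\IT-Admin-Jane")   # placeholder values

function Get-LocalAdminReport {
    param([string[]]$Approved)
    # Get-LocalGroupMember reports Name as DOMAIN\user or COMPUTER\user.
    Get-LocalGroupMember -Group "Administrators" | ForEach-Object {
        [pscustomobject]@{
            Scope    = "Local Administrators ($env:COMPUTERNAME)"
            Name     = $_.Name
            Type     = $_.ObjectClass        # User or Group
            Source   = $_.PrincipalSource    # Local, ActiveDirectory or AzureAD
            Approved = ($Approved -contains $_.Name)
        }
    }
}

function Get-DomainAdminReport {
    param([string[]]$Approved)
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Warning "ActiveDirectory module not installed; skipping Domain Admins check."
        return
    }
    Import-Module ActiveDirectory
    # -Recursive expands nested groups so indirect members are not missed.
    Get-ADGroupMember -Identity "Domain Admins" -Recursive | ForEach-Object {
        $name = "$env:USERDOMAIN\$($_.SamAccountName)"
        [pscustomobject]@{
            Scope    = "Domain Admins"
            Name     = $name
            Type     = $_.objectClass
            Source   = "ActiveDirectory"
            Approved = ($Approved -contains $name)
        }
    }
}

$report = @(Get-LocalAdminReport -Approved $ApprovedAdmins) +
          @(Get-DomainAdminReport -Approved $ApprovedAdmins)
$report | Format-Table -AutoSize

# Anything unapproved is a candidate for removal (Remove-LocalGroupMember / Remove-ADGroupMember)
# once the account owner has confirmed the access is not needed for their role.
$unexpected = @($report | Where-Object { -not $_.Approved })
Write-Host ("{0} principal(s) hold admin rights without approval" -f $unexpected.Count)
```

Run the same report on each endpoint (or push it through your RMM) so the quarterly access review compares like with like; a group appearing in the output should itself be expanded, since its members inherit the rights.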

6. Patch Operating Systems

"Keep Windows (and all operating systems) updated — especially for critical security patches."

Similar to patching applications, operating system vulnerabilities are actively exploited by attackers. Critical OS patches should be applied within 48 hours of release. End-of-life operating systems (like Windows 10 after October 2025) should be upgraded — no patches means no protection.

What you need: Automated Windows Update management via Microsoft Intune or WSUS. An audit of all devices to identify any running end-of-life Windows versions. A Windows 11 upgrade plan for devices still on Windows 10.

7. Multi-Factor Authentication (MFA)

"Require more than just a password to log in — add a second verification step."

Multi-factor authentication (MFA) is the single most effective control for preventing account compromise. Even if a staff member's password is stolen (via phishing), MFA means an attacker still can't log in without the second factor (phone notification, authenticator app code, or hardware key).

What you need: MFA enabled for all Microsoft 365 accounts (Conditional Access policies), all cloud applications, remote access (VPN), and all admin accounts. Use the Microsoft Authenticator app; avoid SMS-based MFA where possible, as it is less secure.

8. Regular Backups

"Back up your important business data daily, keep copies offline or off-site, and test that you can actually restore it."

Backups are your last line of defence against ransomware. If all else fails and ransomware encrypts your data, a tested, recent, offline backup means you can recover without paying the ransom. The ASD requires backups to be stored separately from the main system — so ransomware cannot encrypt both simultaneously.

What you need: Daily automated backups of all critical business data using the 3-2-1 rule: 3 copies, on 2 different media types, with 1 stored off-site or in immutable cloud storage. Test restore at least quarterly. Backup solutions: Veeam, Datto, or Microsoft Azure Backup.

Essential Eight Maturity Levels: What Do They Mean?

The ASD Essential Eight Maturity Model has three maturity levels (Level 1 to Level 3), with Level 0 denoting that the controls are not in place. Rather than aiming for perfection immediately, the model allows businesses to incrementally improve their cybersecurity posture.

Maturity Level 0
  What it means: Controls are not in place or are ineffective. Significant risk of common cyber attacks.
  Who should target this: No business should remain at Level 0.

Maturity Level 1
  What it means: Basic controls in place. Protects against opportunistic, low-sophistication attacks such as automated scanning and spray-and-pray phishing.
  Who should target this: Minimum target for all Perth SMBs. Achievable within 4–8 weeks with a managed IT provider.

Maturity Level 2
  What it means: Controls are more comprehensive. Protects against targeted attacks where an adversary is specifically trying to breach your business.
  Who should target this: Recommended target for Perth SMBs in healthcare, legal and finance. Takes 3–6 months to achieve.

Maturity Level 3
  What it means: Controls are fully implemented and continuously monitored. Protects against sophisticated, persistent adversaries.
  Who should target this: Government agencies and high-risk private sector businesses. Ongoing investment required.

For most Perth SMBs, the realistic and appropriate goal is Maturity Level 2. Level 1 is the absolute minimum. If your business handles sensitive client data — medical records, financial information, legal files — you should be targeting Level 2 as quickly as practical.

Where to Start: A Practical Action Plan for Perth Businesses

The idea of implementing eight cybersecurity controls can feel overwhelming, but in practice, a managed IT services provider handles all of this on your behalf. Here's a simple priority order for a Perth SMB starting from scratch:

Week 1–2: Enable MFA on all Microsoft 365 accounts. This is the single highest-impact action you can take and can be done quickly without disrupting business operations.
Week 1–2: Audit admin accounts. Identify who has admin privileges in Microsoft 365 and Active Directory. Remove unnecessary admin rights from standard user accounts.
Week 2–3: Set up automated patch management. Ensure all devices are receiving Windows and application updates automatically, within 48 hours of critical patches.
Week 2–4: Implement and test backups. Set up daily automated backups with off-site or immutable cloud storage. Schedule a test restore to verify you can actually recover.
Month 2: Disable Office macros from the internet. Configure Microsoft 365 Group Policy to block macros except from trusted, digitally signed sources.
Month 2–3: Harden browsers and applications. Review and tighten browser settings, disable unused plugins, and configure Adobe Reader security settings.
Month 3+: Implement application control. This requires the most planning but provides the strongest protection. Work with your IT provider to build an approved application whitelist.

Get Your Perth Business Essential Eight Assessed

Managed ICT Solutions offers a free Essential Eight assessment for Perth businesses — we'll review your current cybersecurity posture against all eight controls and give you a clear picture of where you stand and what needs to be done.


Frequently Asked Questions

What is the ASD Essential Eight?

The ASD Essential Eight is a set of eight cybersecurity strategies developed by the Australian Signals Directorate to help Australian organisations protect against the most common cyber threats. The eight controls are: application control, patching applications, configuring Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.

Is the Essential Eight mandatory for Perth businesses?

The Essential Eight is mandatory for Australian Government agencies. For private sector Perth businesses, it is strongly recommended by the ACSC. For businesses in regulated industries — banking (APRA CPS 234), healthcare (ADHA requirements), or financial services (ASIC RG 257) — compliance with the Essential Eight is effectively required as part of broader information security obligations.

How long does it take to implement the Essential Eight?

For a Perth SMB with fewer than 50 users, reaching Maturity Level 1 typically takes 4 to 8 weeks with a managed IT provider. Maturity Level 2 may take 3 to 6 months. The timeline depends on the current state of your IT environment. Managed ICT Solutions can perform a free Essential Eight gap assessment to give you an accurate timeline for your specific business.

What maturity level should a Perth SMB target?

Most Perth SMBs should target Maturity Level 2. Level 1 is the absolute minimum baseline — it protects against opportunistic, automated attacks. Level 2 adds protection against targeted attacks where an adversary is specifically trying to breach your business. Businesses in healthcare, legal or finance should prioritise reaching Level 2 as quickly as possible due to the sensitive nature of their client data.

Managed ICT Solutions Pty Ltd

Perth, Western Australia — ABN: 86 658 753 809

Perth's cybersecurity and managed IT specialists since 2009. ASD Essential Eight compliance support for Perth SMBs from our Cannington and Osborne Park offices.
