If you’ve talked to anyone in IT in the last few years, you’ve probably heard the phrase “Essential Eight” and nodded along without anyone stopping to say what it is. Here’s the honest version, written for the person signing the invoices rather than the person configuring the firewall.
What it actually is
The Essential Eight is a set of eight baseline security measures published by the Australian Signals Directorate’s Australian Cyber Security Centre. Think of it less as a product and more as a checklist of the eight things that stop the overwhelming majority of common attacks. It’s free, it’s vendor-neutral, and it’s the same baseline the government holds itself to — which is exactly why it’s become the reference point everyone reaches for.
It is not a certification you buy or a box you tick once. It’s a posture you build up to over time.
The eight, without the acronyms
In plain terms, the eight measures are about:
- Only running software you trust — blocking unapproved programs from running at all.
- Keeping your apps patched — closing the holes attackers walk through, fast.
- Locking down Office macros — the hidden scripts in documents that carry a lot of malware.
- Hardening everyday apps — turning off the risky features in browsers and PDF readers you don’t use anyway.
- Limiting admin access — fewer people with the keys to everything means fewer ways in.
- Keeping your operating systems patched — the same idea as your apps, applied to Windows and the like.
- Turning on multi-factor authentication — the single highest-value item on this list, and often the cheapest.
- Backing up regularly — and testing that the backups actually restore, so ransomware is an inconvenience, not an extinction event.
The Centre also defines maturity levels (roughly: getting started, solid, and hardened against determined attackers). Most small businesses are aiming for the first rung — and even that puts you ahead of the field.
Why this matters to you, not just your IT person
Two of these eight — multi-factor authentication and tested backups — quietly prevent most of the incidents we see actually hurt small businesses. They’re cheap, they’re fast, and you don’t need to swallow all eight at once to get the benefit. That’s the real takeaway: the Essential Eight isn’t an all-or-nothing project. It’s a sequence, and the first couple of steps carry most of the value.
Where to start
The Australian Cyber Security Centre keeps the full, current framework and small-business guidance in one place — start there to see where you stand:
Australian Cyber Security Centre — Small Business Hub
If you’d rather not work through it alone, that’s the part we do for a living. Embolster will tell you straight which of the eight are worth your money first, set them up, and keep them running — advise, deliver, support, in that order. Get in touch and we’ll give you an honest read on where you stand.