Essential Eight Self-Assessment
Assess your business against the ACSC Essential Eight cyber security framework. Answer 24 questions across all eight mitigation strategies and get your maturity level instantly.
Understanding the Essential Eight Framework
The Essential Eight is the Australian government's recommended baseline for cyber defence. Developed by the Australian Cyber Security Centre (ACSC), it provides eight mitigation strategies that, when implemented effectively, make it much harder for attackers to compromise your systems.
Why the Essential Eight matters for small businesses
While the Essential Eight was originally developed for government agencies, the ACSC now recommends it for all Australian organisations regardless of size. Small businesses are particularly vulnerable to cyber attacks because they often lack dedicated IT security staff and have limited budgets for security tools. The Essential Eight provides a practical, prioritised framework that helps small businesses focus their security efforts where they will have the most impact.
The eight strategies explained
- Application Control - Prevents unapproved programs from running on your systems. This stops malware and unauthorised software from executing even if it reaches your devices.
- Patch Applications - Keeps third-party software like browsers, PDF readers, and Office up to date. Unpatched applications are one of the most common entry points for attackers.
- Configure Microsoft Office Macros - Restricts macros, which are commonly used to deliver malware via email attachments. Only trusted macros from approved sources should be allowed to run.
- User Application Hardening - Disables unnecessary features in web browsers and other applications, reducing the attack surface available to attackers.
- Restrict Admin Privileges - Limits who has administrative access to systems. If an attacker compromises a standard user account, the damage is contained.
- Patch Operating Systems - Keeps Windows, macOS, and other operating systems up to date with security patches. Like application patching, this closes known vulnerabilities.
- Multi-Factor Authentication - Requires a second form of verification beyond passwords. Even if a password is stolen, the attacker cannot log in without the second factor.
- Regular Backups - Maintains tested copies of critical data so you can recover from ransomware, hardware failure, or accidental deletion. Backups should be protected from ransomware with immutable snapshots.
Getting started
If your self-assessment revealed gaps, the good news is that most Essential Eight strategies can be implemented incrementally. Start with the highest-impact, lowest-effort items: enabling MFA on all accounts, setting up automated patching, and ensuring you have tested backups. From there, work toward application control, macro restrictions, and privilege management with the help of an experienced IT partner.
Better Networks helps small businesses across Geelong and the Bellarine Peninsula achieve Essential Eight compliance. We provide initial assessments, implementation support, and ongoing management to keep you aligned as the framework evolves.
Frequently Asked Questions
What is the Essential Eight?
The Essential Eight is a set of eight cybersecurity mitigation strategies developed by the Australian Cyber Security Centre (ACSC). They are considered the baseline cyber defence measures for all Australian organisations. The eight strategies are: application control, patch applications, configure Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.
What are the Essential Eight maturity levels?
The Essential Eight uses four maturity levels (0 to 3). Level 0 means the strategy is not implemented. Level 1 is partially aligned with the strategy's intent. Level 2 is mostly aligned. Level 3 is fully aligned and represents the target for most organisations. Your overall maturity level is determined by your lowest-scoring strategy - you are only as strong as your weakest link.
Is the Essential Eight mandatory for small businesses?
The Essential Eight is mandatory for Australian government agencies. For private sector businesses, it is not legally required but is strongly recommended by the ACSC. Many cyber insurance providers and government contracts now require alignment with the Essential Eight. Given the rising threat landscape, achieving at least Maturity Level 2 is considered best practice for any Australian business.
How long does it take to reach Maturity Level 2?
The timeline depends on your starting point and business complexity. A small business with 10-20 employees can typically reach Maturity Level 2 within 3 to 6 months with the right IT partner. The process involves assessing your current state, prioritising gaps, implementing controls, and verifying compliance. Some strategies like enabling MFA can be done in days, while others like application control may take longer.
How does Essential Eight compliance relate to cyber insurance?
Australian cyber insurance providers increasingly assess Essential Eight alignment when underwriting policies. Businesses that can demonstrate alignment with Maturity Level 2 or above typically receive better premiums and broader coverage. Conversely, businesses with poor security practices may face higher premiums, exclusions, or be denied coverage altogether. The Essential Eight gives insurers a standardised framework to evaluate your risk.
Is this self-assessment the same as a professional Essential Eight assessment?
No. This self-assessment provides a general indication of your maturity level based on your own responses. A professional assessment involves a detailed technical review of your systems, configurations, and policies by a qualified assessor. Professional assessments provide much greater accuracy and produce a formal report with specific remediation steps. We offer professional Essential Eight assessments for businesses in the Geelong region.
Need Help Reaching Maturity Level 2?
We help Geelong businesses implement the Essential Eight from assessment through to ongoing management. Get started with a free initial assessment.