ACSC Essential Eight Compliance: a Melbourne MSP’s Control-by-Control Guide


The Australian Cyber Security Centre’s Annual Cyber Threat Report 2024–25 underlines one simple fact: threats are increasing and basic controls matter more than ever. For Melbourne businesses, ACSC Essential Eight compliance remains the baseline that reduces risk from ransomware, data theft and supply-chain intrusion. This guide walks through each Essential Eight control, gives concrete actions, shows the kind of evidence assessors expect, and recommends practical maturity targets for typical SME and mid-market organisations.

1. Application control (whitelisting)

What it is
Prevent unauthorised or malicious applications running on endpoints and servers.

Quick actions
Implement application allow-lists on servers and high-risk workstations first (use Microsoft AppLocker / WDAC or equivalent). Block risky file types in user folders and restrict execution paths to approved directories.

Evidence to collect
AppLocker/WDAC policy export, enforcement status screenshots, exception register.

Suggested maturity
Level 1 → Level 2 for business-critical servers; Level 2 for admin workstations.
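
As an added example (not part of the original guide and not vendor tooling), the Python script below reviews an AppLocker policy XML export of the kind listed as evidence above. It flags audit-only or empty rule collections and Allow path rules that point at user-writable locations. The sample policy is constructed, and the list of user-writable path fragments and the expected rule collections are assumptions to tune for your environment.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `Get-AppLockerPolicy -Effective -Xml` output.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="r1" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="r2" Name="Temp tools" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="r3" Name="Windows scripts" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""

# Assumed heuristics: path fragments that usually indicate user-writable locations.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "%removable%", "%hot%")

def audit_policy(xml_text, expected=("Exe", "Script", "Msi")):
    """Return (collection, issue, detail) findings for an AppLocker XML export."""
    root = ET.fromstring(xml_text)
    findings, seen = [], set()
    for coll in root.findall("RuleCollection"):
        ctype = coll.get("Type")
        seen.add(ctype)
        if coll.get("EnforcementMode") == "AuditOnly":
            findings.append((ctype, "audit-only", "rules are logged, not enforced"))
        if len(coll) == 0:
            findings.append((ctype, "no-rules", "collection is empty"))
        for rule in coll.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue  # Deny rules do not widen what may execute
            for cond in rule.findall("Conditions/FilePathCondition"):
                path = cond.get("Path", "")
                if path == "*" or any(m in path.lower() for m in USER_WRITABLE):
                    findings.append((ctype, "writable-allow", f"{rule.get('Name')}: {path}"))
    for ctype in expected:  # collections the assessor expects but the export lacks
        if ctype not in seen:
            findings.append((ctype, "no-rules", "collection absent from export"))
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```

A NotConfigured collection that contains rules is enforced by default, so only AuditOnly and empty collections are reported as enforcement gaps.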

2. Patch applications (timely patching)

What it is
Apply vendor patches for applications (especially internet-facing apps) within an agreed SLA.

Quick actions
Set a triage window — internet-facing & business-critical apps patched within 7 days, others within 30 days. Use automated patch tools, test on a pilot group, and keep rollback plans ready.

Evidence to collect
Patch reports, vulnerability scanner output, patch change tickets.

Suggested maturity
Level 1 minimum; aim for Level 2 on public-facing services given current threat levels.
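
As an added example (not part of the original guide), the Python script below checks a patch report against the 7-day and 30-day windows given under Quick actions and lists breaches, worst first, so they can be attached to the evidence pack or raised as tickets. The CSV column names, exposure labels and sample rows are constructed assumptions, not the export format of any particular patch tool.

```python
import csv
import io
from datetime import date

# SLA windows from the guide: 7 days for internet-facing and business-critical
# applications, 30 days for everything else.
SLA_DAYS = {"internet-facing": 7, "business-critical": 7}
DEFAULT_SLA = 30

# Constructed sample report; column names are assumptions, not a real tool's export.
SAMPLE_REPORT = """asset,application,exposure,patch_released,patch_installed
web01,nginx,internet-facing,2025-03-01,2025-03-05
web02,nginx,internet-facing,2025-03-01,2025-03-12
fin01,accounting-suite,business-critical,2025-03-03,
wks14,pdf-reader,internal,2025-02-20,2025-03-15
wks15,pdf-reader,internal,2025-02-01,
"""

def sla_breaches(report_csv, as_of):
    """Return rows that missed, or are currently outside, their patch SLA."""
    breaches = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        released = date.fromisoformat(row["patch_released"])
        installed = row["patch_installed"].strip()
        # An uninstalled patch keeps ageing until the report date.
        closed = date.fromisoformat(installed) if installed else as_of
        age = (closed - released).days
        limit = SLA_DAYS.get(row["exposure"].strip().lower(), DEFAULT_SLA)
        if age > limit:
            breaches.append({
                "asset": row["asset"],
                "application": row["application"],
                "status": "late" if installed else "outstanding",
                "days": age,
                "sla": limit,
                "overdue_by": age - limit,
            })
    # Worst offenders first so remediation can be prioritised.
    return sorted(breaches, key=lambda b: b["overdue_by"], reverse=True)

if __name__ == "__main__":
    for b in sla_breaches(SAMPLE_REPORT, date(2025, 3, 20)):
        print(f'{b["asset"]:6} {b["application"]:17} {b["status"]:11} '
              f'{b["days"]}d against {b["sla"]}d SLA')
```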

3. Configure Microsoft Office macro settings

What it is
Block or control macros to stop malware delivered via documents.

Quick actions
Set Group Policy to block macros from the internet and only allow signed macros where business-critical. Combine technical controls with user awareness and simulated phish testing.

Evidence to collect
GPO screenshots, Outlook/Exchange transport rule configs, simulated phishing results.

Suggested maturity
Level 1 baseline; Level 2 where document workflows are critical.

4. User application hardening

What it is
Reduce attack surface by disabling unneeded features (legacy plug-ins, unused browser extensions, risky protocols).

Quick actions
Deploy hardened browser configurations, remove legacy plugins, restrict local admin rights and enforce baseline configurations via MDM or GPO.

Evidence to collect
Configuration baselines, compliance scan reports, policy enforcement logs.

Suggested maturity
Level 1 → Level 2; accelerate for customer-facing or finance teams.

5. Restrict administrative privileges

What it is
Limit and control privileged accounts — separate admin and user accounts; use just-in-time access and Privileged Access Management (PAM) where possible.

Quick actions
Inventory privileged accounts, implement least-privilege, deploy PAM or strong workflow controls, and enforce MFA for all admin access.

Evidence to collect
Privileged account inventory, PAM session logs, MFA enforcement reports.

Suggested maturity
Level 1 minimum; aim for Level 2 for systems with sensitive or regulated data.

6. Patch operating systems

What it is
Keep operating systems patched to remove known vulnerabilities.

Quick actions
Automate OS patching with staged rollouts; ensure emergency patch windows for internet-facing hosts and network appliances; maintain clear rollback processes. Prioritise servers and edge devices.

Evidence to collect
OS patch reports, vulnerability scan results before/after patching, change tickets.

Suggested maturity
Level 1 → Level 2 depending on exposure of hosts.

7. Multi-factor authentication (MFA)

What it is
Require MFA for remote and privileged access — one of the highest-impact controls you can implement quickly.

Quick actions
Enforce MFA for all admin and cloud console access immediately, then expand to all remote access and SaaS admin users. Use conditional access (device state, location) where available.

Evidence to collect
Conditional access policies, MFA enablement reports, exception register with rationale.

Suggested maturity
Level 2 for admin accounts; Level 1 minimum for all remote access.

8. Regular backups (and tested recovery)

What it is
Maintain immutable or protected offsite backups with verified restore processes.

Quick actions
Implement scheduled, automated backups; isolate backup storage from production networks; require multi-person approval for restores; run restore tests at least quarterly.

Evidence to collect
Backup logs, restore test reports, backup retention and access control policies.

Suggested maturity
Level 2 for business-critical data; Level 1 baseline for less critical data.

Mapping to the 2024–25 threat picture

The ACSC’s Annual Cyber Threat Report 2024–25 highlights rising targeting of critical services and an increase in commodity ransomware and supply-chain attacks — exactly the scenarios the Essential Eight is designed to blunt. Given that context, if you only do one thing this quarter: enforce MFA and patching for internet-facing systems, then validate backups are recoverable.

Practical next steps (30 / 60 / 90 days)

30 days: complete an asset inventory, enable MFA for all admin & cloud consoles, and patch internet-facing applications.
60 days: deploy application control on servers, begin PAM rollouts, and configure macro restrictions.
90 days: assemble an evidence pack (policies, screenshots, reports), perform a full backup restore test, and prepare for an Essential Eight assessment.

Conclusion / call to action

ACSC Essential Eight compliance is not bureaucracy — it’s the practical foundation that reduces the most common attack vectors. As a Melbourne MSP, we run rapid Essential Eight uplift sprints: inventory, emergency hardening (MFA + patching), and a tailored evidence pack for assessments. Want us to run a 30-day Essential Eight risk sprint for your organisation? Book a time and we’ll prioritise the controls that matter most for your business.