The Essential Eight for Small Business, in Plain English

The eight strategies, translated

• ☐Patch applications — keep your software and website plugins updated promptly
• ☐Patch operating systems — keep Windows/macOS updated; don't run unsupported versions
• ☐Multi-factor authentication — require a second factor on email, accounting, and admin accounts
• ☐Restrict administrative privileges — daily work shouldn't happen in admin accounts; know who has admin and why
• ☐Application control — only approved software runs on business machines (the hardest one for small business; start by removing unknown software)
• ☐Restrict Microsoft Office macros — block macros from the internet; most small businesses never need them
• ☐User application hardening — let browsers update themselves; remove legacy plugins
• ☐Regular backups — automatic, separated from your main systems, and tested

Where small businesses should start

If you do nothing else: enforce MFA, keep things updated, sort out admin access, and test your backups. Those four moves close off a large share of common attacks and are achievable without enterprise tooling. The full Essential Eight maturity model is published on cyber.gov.au — use it as guidance, not as a certification to claim.

• ☐Week 1: MFA on email and accounting software
• ☐Week 2: Update everything; turn on auto-updates where safe
• ☐Week 3: List admin accounts; remove what isn't needed
• ☐Week 4: Verify and test backups

A note on maturity levels

The ACSC defines maturity levels for each strategy. Small businesses don't need to chase maturity scores to get real benefit — but if a client or tender asks about the Essential Eight, you'll want documented, honest answers about where you stand. That's what a structured review provides.