It may sound like the new force of superheroes from the Marvel universe, and in a way, it is, but the Essential Eight is not the spandex-clad rogue team of protectors that you’re probably envisioning. The Essential Eight is a set of cybersecurity guidelines that have been put forth by the Australian Cyber Security Centre (ACSC) to help you and your business stay safe and secure in the cyber landscape, but the guidelines have recently changed, so this is what you need to know.

What are the Essential Eight?

The Essential Eight (E8) are eight mitigation strategies that have been designed by an Australian government agency – the Australian Cyber Security Centre (ACSC) – in a bid to battle the ever-present threat of cyberattacks from malicious actors. The eight strategies focus on three primary areas of concern: prevention, limitation, and recovery and once implemented, aim to improve an organisation’s cybersecurity maturity rating.

Before we get into maturity ratings, though, here are the Essential Eight strategies:

  1. Application Control: organisations should retain a high level of control over user’s applications
  2. Application patching: updating and patching third-party applications should be done regularly and quickly
  3. Microsoft Office macro settings configuration: users should be limited in their ability to freely create macros
  4. Administrative privileges restriction: users’ access privileges should be managed effectively
  5. User application hardening: user applications should be limited
  6. Operating system patches: systems should be regularly updated to increase security
  7. Multifactor authentication enablement: an additional layer of security should be enabled for account logins
  8. Regular backups: organisations should perform backups of critical data, so it is always secure and readily available

What’s the point of the Essential Eight? 

As mentioned, the essential eight are guidelines that organisations can follow to gain a higher level of security online and, therefore, increase their cybersecurity maturity level. A cybersecurity maturity rating reflects an organisation’s ability to mitigate security risks that could be critical to business. Previously, the Essential Eight strategies were aimed at helping organisations reach the highest level of maturity (level 3) across all 3 primary areas (prevention, limitation, recovery), but current changes are aimed at helping organisations build their maturity level steadily so no one area is left exposed, and businesses are more secure.

What are the changes to the Essential Eight?

Staggered and Risk-based Approach

As mentioned earlier, the ACSC has introduced a staggered and risk-based approach to help businesses become more transparently secure across the board. This was changed to address concerns and issues that resulted in organisations feeling protected when they weren’t, or organisations being berated for not strictly following the strategies despite having robust practices and a high maturity rating. The idea behind the staggered and risk-based approach is that businesses will obtain a more accurate assessment of their security level because all organisations must now reach the needed maturity rating across all eight strategies to be able to advance their maturity level rather than receiving varying maturity level scores for each strategy.

Level Zero

Before the changes to the Essential Eight, maturity assessments came in 3 categories:

  • Level 1: partly aligned with the intent of the mitigation strategy
  • Level 2: mostly aligned with the intent of the mitigation strategy
  • Level 3: fully aligned with the intent of the mitigation strategy

Now, however, the ACSC has reintroduced Level Zero, which is like an impending doomsday classification for your data and your business. A maturity level zero suggests that there are significant vulnerabilities that are negatively impacting an organisation’s cybersecurity posture, and an attack is less a matter of ‘if’ and definitely a matter of ‘when’.


The federal government intends to mandate the Essential Eight strategies across all 98 non-corporate Commonwealth entities (NCCEs). Prior to the revamp, only 4 of the security controls were mandatory, but full compliance across all eight strategies is now required.

Be secure, not sorry

Security matters, and that’s a fact. Depending on the size of your business, a security breach has the potential to destroy your business in many ways but not with the right guidance. So let the team at Bespoke Technology be your guide to better cybersecurity today!