If you have read the Essential Eight framework overview and thought “where do we even start?” you are not alone. Most small and medium Australian businesses face the same problem. The framework lists eight controls. All eight matter. But trying to implement all eight at once is how nothing gets done.
Here is the short answer: start with multi-factor authentication, application patching, and restricting administrative privileges. These three controls address the most common attack vectors targeting Australian businesses right now. Get these working properly before touching the other five.
This post explains why these three matter most, what implementation actually looks like in practice, and what it will cost you in time and money.
Why Prioritisation Matters for SMBs
The Australian Signals Directorate does not formally rank the Essential Eight by priority. But ACSC guidance consistently highlights that the majority of successful cyberattacks exploit predictable weaknesses: stolen credentials, unpatched software, and overprivileged accounts. These three weaknesses map directly to the three controls covered in this post.
For a business without a dedicated IT security team, sequencing matters. A small step that is actually implemented beats a comprehensive plan that never gets off the ground. These three controls give you the highest return on effort at Maturity Level 1 and Maturity Level 2 before you invest in the more complex controls like application control (allow-listing) or regular, tested backups.
1. Multi-Factor Authentication (MFA)
MFA is the single most impactful change most SMBs can make today. When an attacker gets hold of a password, MFA is what stops them from using it. Without MFA, one phishing email or one data breach can hand an attacker full access to your email, cloud systems, and business data.
The ACSC identifies credential theft as one of the most common initial access methods used against Australian organisations. MFA directly blocks this path.
What “done” looks like at Maturity Level 1
At ML1, MFA is required for remote access (VPN, remote desktop) and for all internet-facing services. This includes your Microsoft 365 or Google Workspace environment, your accounting platform, your CRM, and any cloud-hosted systems your staff access from outside the office. Authentication apps like Microsoft Authenticator are acceptable at this level. SMS-based codes are not considered strong enough under current ACSC guidance.
What “done” looks like at Maturity Level 2
At ML2, MFA must also cover all privileged users and all users authenticating to your systems and sensitive data repositories, not just remote access and internet-facing services. The MFA used must be phishing-resistant: hardware security keys (FIDO2), passkeys, Windows Hello for Business, or certificate-based authentication such as smart cards. Authenticator app codes and push approvals are not phishing-resistant, so the authenticator app that satisfied ML1 does not satisfy ML2 on its own. ML2 also requires that successful and unsuccessful MFA events are centrally logged. If your staff currently use SMS codes or an authenticator app, ML2 means moving them to one of the phishing-resistant methods.
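The line between “acceptable at ML1” and “phishing-resistant for ML2” is easy to get wrong when you are reading an authentication-methods report, so here is an added example (not code from the original post or from Otto IT) that classifies each user’s registered methods and reports which level they meet. The CSV layout, the method labels and the addresses are constructed assumptions for illustration; map the values in your own export onto them.

```python
import csv
import io
from dataclasses import dataclass

# Method classes. The labels are assumptions for this example; map the values
# in your own authentication-methods export onto them.
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard", "windows_hello"}
APP_BASED = {"authenticator_push", "totp"}       # meets ML1, not phishing-resistant
WEAK = {"sms", "voice", "email"}                  # does not meet ML1


@dataclass(frozen=True)
class UserMfa:
    upn: str
    privileged: bool
    methods: frozenset


def parse_export(csv_text):
    """Parse a CSV with columns upn, privileged, methods (';'-separated labels)."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        methods = frozenset(m.strip().lower() for m in row["methods"].split(";") if m.strip())
        users.append(UserMfa(row["upn"].strip(), row["privileged"].strip().lower() == "true", methods))
    return users


def strongest_class(methods):
    """Strongest class of MFA the user has registered: the ceiling of what they can meet."""
    if methods & PHISHING_RESISTANT:
        return "phishing_resistant"
    if methods & APP_BASED:
        return "app"
    if methods & WEAK:
        return "weak"
    return "none"


def assess_user(user):
    cls = strongest_class(user.methods)
    findings = []
    if cls == "none":
        findings.append("no MFA method registered")
    elif cls == "weak":
        findings.append("only SMS/voice/email registered: does not meet ML1")
    elif cls == "app":
        findings.append("authenticator app only: meets ML1 but is not phishing-resistant (ML2)")
    if cls != "weak" and user.methods & WEAK:
        # A registered SMS fallback is a downgrade path an attacker can target.
        findings.append("weak fallback method still registered: remove it")
    if user.privileged and cls != "phishing_resistant":
        findings.append("privileged account without phishing-resistant MFA")
    return {
        "upn": user.upn,
        "strongest": cls,
        "meets_ml1": cls in ("app", "phishing_resistant"),
        "meets_ml2": cls == "phishing_resistant",
        "findings": findings,
    }


def summarise(users):
    results = [assess_user(u) for u in users]
    return {
        "total": len(results),
        "meets_ml1": sum(r["meets_ml1"] for r in results),
        "meets_ml2": sum(r["meets_ml2"] for r in results),
        "no_mfa": sorted(r["upn"] for r in results if r["strongest"] == "none"),
        "privileged_gaps": sorted(r["upn"] for r, u in zip(results, users)
                                  if u.privileged and not r["meets_ml2"]),
    }


# Constructed sample export, not real accounts.
SAMPLE_EXPORT = """upn,privileged,methods
alice@example.com,true,fido2;sms
bob@example.com,false,authenticator_push
carol@example.com,false,sms
dave@example.com,true,
erin@example.com,false,totp;passkey
"""

if __name__ == "__main__":
    users = parse_export(SAMPLE_EXPORT)
    for r in map(assess_user, users):
        print(f"{r['upn']:20} {r['strongest']:20} {'; '.join(r['findings'])}")
    print(summarise(users))
```

Run it against an export of your own tenant and the “privileged_gaps” list is the first thing to fix: a privileged account on an authenticator app or SMS is exactly the account an attacker will phish.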
What it costs in time and money
For a business already on Microsoft 365 Business Premium or Google Workspace Business Starter, enabling MFA costs nothing in licensing. One caveat on the Microsoft side: Conditional Access policies need Microsoft Entra ID P1, which Business Premium includes but Business Basic and Standard do not; on those plans you can still enforce MFA for every user by turning on Security Defaults. The time cost is typically two to four hours for an IT administrator to configure the policies and one to two hours of staff onboarding across the team. Hardware security keys for privileged accounts run approximately $50 to $80 per device. A 20-person business can reach ML1 MFA compliance in a single afternoon with the right guidance.
2. Patching Applications
Unpatched software is one of the most consistently exploited attack surfaces in Australian cyber incidents. Software vendors release patches because vulnerabilities have been found. Attackers know which patches have been released and actively scan for businesses that have not applied them.
The ACSC specifically highlights that organisations operating with outdated software on internet-facing systems face significantly elevated risk. This is not a theoretical concern. It is a pattern seen repeatedly in incident response across Australian businesses of all sizes.
What “done” looks like at Maturity Level 1
At ML1, the clock depends on what the software is. For online services (your internet-facing applications: web portals, VPN gateways, remote access services) patches must be applied within two weeks of release, or within 48 hours if a working exploit exists. For office productivity suites, web browsers and their extensions, email clients, PDF software and security products, the window is one month. Online services and applications in those categories that are no longer receiving security updates from their vendor must be removed. ML1 also expects a vulnerability scanner with an up-to-date database, run at least daily against online services and at least fortnightly against the rest, with automated asset discovery at least fortnightly so nothing is missed. An automated patching tool, whether built into your operating system or a third-party endpoint management platform, is the practical way to meet these windows without it becoming a weekly manual task.
What “done” looks like at Maturity Level 2
At ML2, the windows tighten for the applications on staff devices; online services already carry the two-week (48 hours if an exploit exists) requirement at ML1. Office productivity suites, web browsers and their extensions, email clients, PDF software and security products must be patched within two weeks of release, and all other applications within one month. Vulnerability scanning steps up to at least weekly for the first group and at least fortnightly for other applications. Note that the 48-hour trigger is the existence of an exploit, not the vendor’s severity rating: a “medium” vulnerability with public exploit code is a 48-hour job. At this level you also need a documented patching process, evidence of patch status across your environment, and a way to identify when a vendor stops supporting a product.
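Because the deadline depends on both the application category and whether an exploit exists, it is safer to compute it than to remember it. The following added example (not the post’s own code) encodes the ML1 and ML2 windows from the ASD maturity model and evaluates a constructed software inventory as at a chosen date. The CSV columns, the category names, the products and dates, and the 30-day approximation of “one month” are assumptions for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patch windows in days as (normal, if_exploit_exists), following the ASD
# Essential Eight Maturity Model (November 2023). None = no requirement at
# that level. "One month" is approximated as 30 days: an assumption here.
WINDOWS = {
    1: {"online_service": (14, 2), "productivity": (30, None), "other": (None, None)},
    2: {"online_service": (14, 2), "productivity": (14, None), "other": (30, None)},
}
# Categories whose unsupported members must be removed at ML1 and ML2.
REMOVE_IF_UNSUPPORTED = {"online_service", "productivity"}


@dataclass(frozen=True)
class Item:
    app: str
    category: str                 # online_service | productivity | other
    supported: bool               # still receiving vendor security updates
    released: Optional[date]      # release date of the outstanding patch, if any
    exploit_exists: bool
    patched_on: Optional[date]


def _d(s):
    return date.fromisoformat(s) if s and s.strip() else None


def _b(s):
    return s.strip().lower() == "true"


def parse_inventory(csv_text):
    return [Item(r["app"].strip(), r["category"].strip(), _b(r["supported"]),
                 _d(r["released"]), _b(r["exploit_exists"]), _d(r["patched_on"]))
            for r in csv.DictReader(io.StringIO(csv_text))]


def patch_deadline(item, level):
    normal, exploited = WINDOWS[level][item.category]
    if normal is None or item.released is None:
        return None
    days = exploited if (item.exploit_exists and exploited is not None) else normal
    return item.released + timedelta(days=days)


def status(item, level, today):
    if not item.supported:
        return "remove" if item.category in REMOVE_IF_UNSUPPORTED else "unsupported_advisory"
    deadline = patch_deadline(item, level)
    if deadline is None:
        return "no_requirement"
    if item.patched_on is not None:
        return "patched" if item.patched_on <= deadline else "patched_late"
    return "overdue" if today > deadline else "due"


def evaluate_inventory(csv_text, level, today_iso):
    """Map each application to its patch status at the given maturity level and date."""
    today = date.fromisoformat(today_iso)
    return {i.app: status(i, level, today) for i in parse_inventory(csv_text)}


def deadlines(csv_text, level):
    """Map each application to its ISO deadline (None where no window applies)."""
    result = {}
    for i in parse_inventory(csv_text):
        d = patch_deadline(i, level)
        result[i.app] = d.isoformat() if d else None
    return result


def overdue_apps(csv_text, level, today_iso):
    return sorted(a for a, s in evaluate_inventory(csv_text, level, today_iso).items()
                  if s == "overdue")


# Constructed sample inventory; products and dates are illustrative only.
SAMPLE_INVENTORY = """app,category,supported,released,exploit_exists,patched_on
Customer portal,online_service,true,2024-06-10,true,
VPN gateway,online_service,true,2024-06-20,false,
Google Chrome,productivity,true,2024-06-20,false,2024-06-25
Acrobat Reader,productivity,true,2024-05-25,false,
Line-of-business app,other,true,2024-06-05,false,
Adobe Flash Player,productivity,false,,false,
"""

if __name__ == "__main__":
    for level in (1, 2):
        print(f"Maturity Level {level}:")
        for app, s in evaluate_inventory(SAMPLE_INVENTORY, level, "2024-06-30").items():
            print(f"  {app:22} {s}")
```

The same inventory evaluated at ML2 shows what “tightening” means in practice: the line-of-business application that had no deadline at ML1 acquires a one-month one, and the PDF reader that was merely late at ML1 is three weeks over.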
What it costs in time and money
If you are already on Microsoft Intune, JAMF, or a similar endpoint management platform, application patching can be largely automated. If you are not, a basic endpoint management subscription typically starts at around $8 to $12 per device per month through a managed services provider. The ongoing operational cost at ML1 is low once automation is in place. The upfront cost is the time to audit your current software estate and identify anything that needs updating or replacing. For a 20-person business, that audit typically takes half a day.
3. Restricting Administrative Privileges
Most cyberattacks that cause serious damage rely on an attacker gaining administrative access. Ransomware that encrypts your entire file server, data theft that reaches sensitive client records, malware that persists through a reboot: these attacks almost always require elevated privileges to succeed at scale.
The problem is that many SMBs hand out administrator accounts as a default. Staff get admin rights because it is easier than managing permissions carefully. This creates unnecessary exposure across every device in the business.
What “done” looks like at Maturity Level 1
At ML1, requests for privileged access are validated when first requested, so nobody holds administrator rights on their own device without a specific documented reason. Administrative accounts are separate from standard user accounts: staff who need admin access for certain tasks use a separate admin account for those tasks and a standard account for day-to-day work, and neither account can log on to the other’s environment. Privileged accounts (other than service accounts) are blocked from accessing the internet, email and web services; this is already an ML1 requirement, not something to defer. Privileged access management does not need to be technically complex at this level. It starts with a policy decision and an audit of who currently has admin rights.
What “done” looks like at Maturity Level 2
At ML2, privileged access is time-bounded, controlled and logged. Privileged access is disabled after 12 months unless it is revalidated, and after 45 days of inactivity. Administrative activities are conducted through jump servers rather than from staff workstations, credentials for break-glass, local administrator and service accounts are long, unique and managed, and privileged access events and privileged account and group changes are centrally logged. Privileged accounts must be covered by MFA, and at ML2 that means phishing-resistant MFA. Just-in-time administration, where admin rights are granted temporarily for a specific task and then revoked, is formally a Maturity Level 3 requirement, but it is the natural end state to design toward. This level requires tooling to manage and audit privileged sessions, which is where the complexity and cost increases.
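The ML1 and ML2 requirements above can be turned into a repeatable audit over an account export rather than a one-off spreadsheet exercise. This added example (not code from the original post or from Otto IT) checks a constructed account list for the separate-account rule, privileged accounts that still have a mailbox, standard accounts holding local admin rights and, at ML2, the 45-day inactivity and 12-month revalidation limits. The column names, the adm- naming convention and the dates are assumptions; the export is assumed to contain human accounts only, since service accounts are exempt from the no-internet rule.

```python
import csv
import io
from datetime import date, timedelta

# ML2 limits from the ASD Essential Eight Maturity Model (November 2023).
INACTIVITY_LIMIT = timedelta(days=45)
REVALIDATION_LIMIT = timedelta(days=365)   # "12 months" approximated as 365 days

# Finding codes.
PRIV_HAS_MAILBOX = "PRIV_HAS_MAILBOX"                          # ML1
NO_SEPARATE_STANDARD_ACCOUNT = "NO_SEPARATE_STANDARD_ACCOUNT"  # ML1
STANDARD_IS_LOCAL_ADMIN = "STANDARD_IS_LOCAL_ADMIN"            # ML1
PRIV_INACTIVE = "PRIV_INACTIVE"                                # ML2
PRIV_NOT_REVALIDATED = "PRIV_NOT_REVALIDATED"                  # ML2


def _d(s):
    return date.fromisoformat(s) if s and s.strip() else None


def _b(s):
    return s.strip().lower() == "true"


def parse_accounts(csv_text):
    """Columns: account, owner, privileged, has_mailbox, local_admin, last_logon, access_validated."""
    return [{
        "account": r["account"].strip(),
        "owner": r["owner"].strip(),
        "privileged": _b(r["privileged"]),
        "has_mailbox": _b(r["has_mailbox"]),       # proxy for email/internet access
        "local_admin": _b(r["local_admin"]),       # member of local Administrators
        "last_logon": _d(r["last_logon"]),
        "access_validated": _d(r["access_validated"]),
    } for r in csv.DictReader(io.StringIO(csv_text))]


def audit(csv_text, level, today_iso):
    """Return sorted (account, finding) pairs that breach the given maturity level."""
    today = date.fromisoformat(today_iso)
    accounts = parse_accounts(csv_text)
    owners_with_standard = {a["owner"] for a in accounts if not a["privileged"]}
    findings = []
    for a in accounts:
        if a["privileged"]:
            if a["has_mailbox"]:
                findings.append((a["account"], PRIV_HAS_MAILBOX))
            if a["owner"] not in owners_with_standard:
                # Only a privileged account means day-to-day work is done as admin.
                findings.append((a["account"], NO_SEPARATE_STANDARD_ACCOUNT))
            if level >= 2:
                if a["last_logon"] is None or today - a["last_logon"] > INACTIVITY_LIMIT:
                    findings.append((a["account"], PRIV_INACTIVE))
                if a["access_validated"] is None or today - a["access_validated"] > REVALIDATION_LIMIT:
                    findings.append((a["account"], PRIV_NOT_REVALIDATED))
        elif a["local_admin"]:
            findings.append((a["account"], STANDARD_IS_LOCAL_ADMIN))
    return sorted(findings)


# Constructed sample export; names and dates are illustrative only.
SAMPLE_ACCOUNTS = """account,owner,privileged,has_mailbox,local_admin,last_logon,access_validated
alice,alice,false,true,false,2024-06-28,
adm-alice,alice,true,false,false,2024-06-27,2024-01-15
bob,bob,false,true,true,2024-06-28,
carol,carol,false,true,false,2024-06-28,
adm-carol,carol,true,true,false,2024-06-20,2024-02-01
adm-dave,dave,true,false,false,2024-03-01,2023-03-01
"""

if __name__ == "__main__":
    for level in (1, 2):
        print(f"Maturity Level {level}:")
        for account, finding in audit(SAMPLE_ACCOUNTS, level, "2024-06-30"):
            print(f"  {account:12} {finding}")
```

On a real estate the export columns come from your directory (for example local Administrators membership collected by your endpoint management tool and last-logon and mailbox data from Entra ID or Active Directory); the checks themselves do not change.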
What it costs in time and money
Getting to ML1 on privilege restriction is largely a policy and configuration exercise. The time cost is an audit of current admin accounts, a decision about who genuinely needs what access, and a configuration change on your devices. For a 20-person business, expect four to eight hours of IT time. The ongoing cost is mainly cultural: staff need to understand why they are working from standard accounts and who to contact when they need elevated access for a specific task. Moving to ML2, with jump servers, managed credentials for local administrator and service accounts, and central logging of privileged activity, adds tooling and licensing costs that vary depending on your existing environment.
What About the Other Five Controls?
The other five Essential Eight controls, application control (allow-listing), restricting Microsoft Office macros, user application hardening, patching operating systems, and regular backups, all matter. They will be covered in the next posts in this series.
The reason to start with MFA, patching, and privilege restriction is simple. These three controls address active attack patterns documented by the ACSC. They are also achievable for most SMBs without specialist security tooling or large upfront investment. Getting these three to ML1 in a reasonable timeframe is worth more than a roadmap for all eight that never gets implemented.
Our managed cyber security services are built around this kind of practical, sequenced approach to the Essential Eight. We work with Australian professional services businesses to get the foundations right first.
Frequently Asked Questions
Do all Australian businesses need to comply with the Essential Eight?
The Essential Eight is mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF), which requires them to reach Maturity Level 2; the Information Security Manual (ISM) is the control catalogue that defines the individual requirements. For private sector businesses, including most SMBs, it is not a legal requirement. However, it is the ACSC’s recommended baseline for cyber resilience and is increasingly referenced in client and supplier contracts, particularly in government supply chains and professional services.
How long does it take to reach Maturity Level 1 for these three controls?
For a business with 10 to 30 staff, getting MFA, patching, and privilege restriction to ML1 typically takes four to eight weeks when approached properly. This includes planning, configuration, testing, and staff communication. Rushing the rollout without staff preparation creates support issues that slow everything down.
Can we self-assess our Essential Eight maturity?
The ACSC publishes self-assessment guides that businesses can work through. Self-assessment is a reasonable starting point for understanding where you sit. For a more accurate picture, particularly if you are responding to a client or contract requirement, an independent assessment from a qualified provider gives you evidence you can present externally.
What is the cheapest way to implement MFA for a small business?
If your business uses Microsoft 365 or Google Workspace, MFA is included in your existing subscription. Microsoft Authenticator and Google Authenticator are free apps and are enough for ML1. The cost is in IT time to configure and deploy, not in additional licensing. Phishing-resistant methods such as hardware security keys or passkeys, which are required from ML2, are the main out-of-pocket expense.
Where should we go after implementing these three controls?
Once MFA, patching, and privilege restriction are at ML1, the next priority is typically restricting Microsoft Office macros and regular backups. Both address high-frequency attack patterns and are achievable without significant technical complexity. We will cover these in the next posts in this series.
Ready to find out where your business sits against the Essential Eight? Book an Essential Eight Assessment with the Otto IT team. We will map your current position, identify your gaps, and give you a clear, prioritised plan to improve your cyber resilience.