Question 1

What is the ACSC Essential 8 and why does it matter?

Accepted Answer

The Essential 8 is a baseline of eight practical mitigation strategies published by the Australian Cyber Security Centre. It's pragmatic, well-understood, and used as the de facto SMB cybersecurity standard in Australia — including by insurers when assessing cyber liability premiums. Hitting Maturity Level 1 across all 8 takes most SMBs 3–6 months of focused work and dramatically reduces the chance of a successful attack.

Question 2

We're a 30-person business — do we really need cyber security investment?

Accepted Answer

Yes, and the threat profile has shifted in your favour for it. Mid-size Australian businesses are now actively targeted by ransomware groups specifically because they have valuable data, can pay a meaningful ransom, but typically lack mature security. The notifiable data breach scheme (NDB) under the Privacy Act means a breach also triggers regulatory reporting, customer notifications, and reputational damage. The cost of prevention is roughly 2–5% of the cost of a breach.

Question 3

Are you incident responders, or do you only do prevention?

Accepted Answer

Primarily prevention and resilience design. For active incident response, we work alongside dedicated IR firms (we'll recommend specific Australian ones we trust). Our role pre-incident is hardening so the IR scope is contained; post-incident is helping rebuild the architecture to prevent recurrence.

Question 4

What does a typical SMB security engagement look like?

Accepted Answer

Three phases: (1) gap assessment against Essential 8 maturity (1–2 weeks, AU$5,000–$12,000); (2) prioritised remediation — usually MFA rollout, patching automation, application allowlisting, backup hardening (4–12 weeks, AU$15,000–$60,000); (3) ongoing — quarterly reviews and incident drills (AU$2,000–$5,000/quarter). We always do gap assessment first because most SMBs don't actually need everything in the catalogue.

Question 5

What about cyber insurance — will this help with my premium?

Accepted Answer

Yes, materially. Australian cyber insurers increasingly require Essential 8 alignment as a condition of cover, with premium reductions of 10–30% for documented Maturity Level 1 or 2 attainment. We provide the evidence pack insurers ask for as part of our engagement deliverables.

Question 6

We had a breach already — can you help with rebuild?

Accepted Answer

Yes. Post-breach engagements have specific characteristics: stakeholder anxiety is high, regulatory deadlines are tight (NDB requires assessment within 30 days), and there's often pressure to over-correct. We help clients prioritise the remediation that closes the actual breach vector first, then methodical Essential 8 rollout. We work alongside your IR firm and lawyers; we don't replace them.

Cyber Resilience

The ACSC Essential 8 — what it actually means

Our engagement model

Phase 1 — Gap assessment (1–2 weeks)

Phase 2 — Prioritised hardening (4–12 weeks)

Phase 3 — Ongoing review (quarterly)

What we don't sell

Cyber resilience FAQ

Get a free Essential 8 gap snapshot