Service · ACSC Essential 8

Cyber Resilience

Practical cyber security for Australian small and mid-market businesses, aligned to the ACSC Essential 8. We do gap assessments, prioritised hardening, and the boring foundational work that actually prevents breaches — not vendor product pitches.

The ACSC Essential 8 — what it actually means

Eight mitigation strategies, three maturity levels each. For most Australian SMBs, hitting Maturity Level 1 across all 8 is the realistic 6-month target and prevents the vast majority of opportunistic attacks. The 8 controls:

  • Application control — only approved software runs on endpoints
  • Patch applications — automated patching with documented SLAs
  • Configure Microsoft Office macro settings — disable by default, allowlist exceptions
  • User application hardening — disable Java, Flash, ads in browsers; restrict PowerShell
  • Restrict administrative privileges — least-privilege, separate admin accounts
  • Patch operating systems — automated OS patching with monitoring
  • Multi-factor authentication — MFA on email, remote access, privileged accounts
  • Regular backups — automated, tested, offline copies, ransomware-resistant

Our engagement model

Phase 1 — Gap assessment (1–2 weeks)

We assess your current state against Essential 8 Maturity Level 1. Output: a written gap report with prioritised remediation, effort and cost estimates per gap, and a recommended phasing plan. You own the report regardless of whether you proceed with the remediation phase.

Phase 2 — Prioritised hardening (4–12 weeks)

We work through the gaps in priority order. Highest-leverage wins for most SMBs: MFA rollout (often the single biggest risk reducer), patch automation, backup verification, and admin-account separation. We do the implementation work alongside your existing IT support — we don't replace them.

Phase 3 — Ongoing review (quarterly)

Quarterly review against Essential 8, an annual tabletop incident drill, and updates as ACSC guidance changes. This is optional and many clients run it internally after our initial engagement.

What we don't sell

We're not a product reseller — we don't take vendor margin on security tooling. Our revenue is engineering time, not licence kickbacks. When we recommend tools, we recommend the cheapest thing that meets the requirement (often that's the Microsoft 365 Business Premium licences you already pay for, properly configured).

Explore more

Cyber resilience FAQ

The Essential 8 is a baseline of eight practical mitigation strategies published by the Australian Cyber Security Centre. It's pragmatic, well-understood, and used as the de facto SMB cybersecurity standard in Australia — including by insurers when assessing cyber liability premiums. Hitting Maturity Level 1 across all 8 takes most SMBs 3–6 months of focused work and dramatically reduces the chance of a successful attack.
Yes, and the threat profile has shifted in your favour for it. Mid-size Australian businesses are now actively targeted by ransomware groups specifically because they have valuable data, can pay a meaningful ransom, but typically lack mature security. The notifiable data breach scheme (NDB) under the Privacy Act means a breach also triggers regulatory reporting, customer notifications, and reputational damage. The cost of prevention is roughly 2–5% of the cost of a breach.
Primarily prevention and resilience design. For active incident response, we work alongside dedicated IR firms (we'll recommend specific Australian ones we trust). Our role pre-incident is hardening so the IR scope is contained; post-incident is helping rebuild the architecture to prevent recurrence.
Three phases: (1) gap assessment against Essential 8 maturity (1–2 weeks, AU$5,000–$12,000); (2) prioritised remediation — usually MFA rollout, patching automation, application allowlisting, backup hardening (4–12 weeks, AU$15,000–$60,000); (3) ongoing — quarterly reviews and incident drills (AU$2,000–$5,000/quarter). We always do gap assessment first because most SMBs don't actually need everything in the catalogue.
Yes, materially. Australian cyber insurers increasingly require Essential 8 alignment as a condition of cover, with premium reductions of 10–30% for documented Maturity Level 1 or 2 attainment. We provide the evidence pack insurers ask for as part of our engagement deliverables.
Yes. Post-breach engagements have specific characteristics: stakeholder anxiety is high, regulatory deadlines are tight (NDB requires assessment within 30 days), and there's often pressure to over-correct. We help clients prioritise the remediation that closes the actual breach vector first, then methodical Essential 8 rollout. We work alongside your IR firm and lawyers; we don't replace them.

Get a free Essential 8 gap snapshot

Book a free 30-minute call. We'll talk through your current state and tell you honestly which Essential 8 gaps are urgent and which can wait.

Book a Free 30-Min Discovery CallSee Pricing