The ACSC Essential Eight Cyber Security Strategies for Businesses

June 10, 2024

Small and medium-sized businesses are the backbone of the Australian economy, accounting for more than half of all private sector jobs. Despite their importance, they are often targeted by cyber-attacks. In fact, 60% of small businesses have experienced a cyber-attack, and 70% of those attacks resulted in substantial financial losses. The good news is that there are steps small and medium-sized businesses can take to protect themselves from cyber-attacks.

The Essential Eight is a set of eight cybersecurity mitigation strategies that, if implemented, can significantly reduce the risk of a cyber-attack. The Essential Eight was developed by the Australian Signals Directorate (ASD), and while it was created with Australian businesses in mind, it is designed to help organisations around the world protect themselves against various cyber threats. The mitigation strategies that constitute the Essential Eight are:

1. Application Control

One of the most important things a business can do to protect itself from cyber-attacks is to keep its systems and applications up to date and whitelisted, so that only approved applications are allowed to run. Outdated software is one of the most common ways that hackers gain access to business networks. By regularly installing updates and patches, businesses can close the security gaps that hackers exploit.

2. Patching Applications

Ensure all applications are securely maintained and updated so that vulnerabilities are mitigated. This involves installing patches within specific timeframes and removing applications that are no longer supported.

3. Patching Operating Systems

This means frequently checking for patch updates and ensuring that your internet-facing services and systems are securely maintained and that vulnerabilities are mitigated. Businesses that do not run the latest versions of their operating systems are left open to having vulnerabilities exploited.

4. Microsoft Office Macro Settings

There is a specific framework to follow that contains a series of measures businesses can take to harden Microsoft Office macro settings so that macros cannot be maliciously abused. Configuring macros correctly will block malicious scripts from running.

5. Restrict Administrative Privileges

Another way to protect businesses from cyber-attacks is to evaluate and minimise the number of employees who have administrative privileges. Administrative privileges allow users to make changes to the system that could potentially jeopardise security. By limiting the number of users who have administrative privileges, businesses can reduce the risk of a cyber-attack.

6. Multi-factor Authentication

Protect your employee and customer accounts from compromise across your business applications by mandating a second or even third authentication factor in addition to a password.

7. Hardening User Applications

Another way to protect businesses from cyber-attacks is to regularly secure applications that frequently interact with the web. By hardening configurations, such as blocking ads, Flash, Java and suspicious websites, businesses can reduce the risk of a cyber-attack.

8. Performing Regular Backups

All businesses should encrypt data and mandate regular backups so that technology systems can be restored and important business information can be recovered in the event of a cyber incident, with minimal disruption to operations.


The Essential Eight can be used by all businesses to protect themselves from attacks and will one day be mandated. By implementing these strategies now, businesses can greatly reduce their risk of being hacked or otherwise compromised.

Whilst some of these strategies seem obvious, it is very rare to see an organisation that has taken the opportunity to fully implement them across its business.

If you’re serious about protecting your business against cyber-attacks, drop us a message to find out how BAMITS can assist you.