Demystifying ASD Essential Eight: It's Not That Hard, Is It?
Chris McDonald
Stealth Cyber · 18 March 2026
Let me be upfront about something. The Essential Eight is not complicated. The Australian Signals Directorate has done a pretty good job of distilling decades of breach analysis into eight practical controls. The complexity that people experience around it is almost always a product of poor implementation, not poor design.
If your business has been told the Essential Eight is "too advanced" or "not applicable to you yet," somebody is either confused or hoping you stay confused.
Here is what it actually is, what each control does, and why most organisations are further along than they think.
What the Essential Eight Actually Is
The Essential Eight is a prioritised set of baseline mitigation strategies published by the ASD as part of the Australian Government Information Security Manual. It was designed to protect Microsoft Windows-based internet-connected networks from common intrusion techniques. That matters, because it is not a general compliance framework or an IT hygiene checklist. It is specifically a set of controls that make the most common attack paths significantly harder to execute.
The ASD's position, backed by incident response data, is that organisations that implement these eight controls consistently and correctly will mitigate the vast majority of cyber intrusions targeting them.
That is a strong claim. It is also accurate.
The Eight Controls, Plain English
1. Application Control
Prevent any software from running on your systems that you have not explicitly approved. This stops malicious executables, installers, and scripts from running even if an attacker gets them onto a machine. The concept is simple: if it is not on the approved list, it does not run. ThreatLocker is what we use for this and it is one of the most effective single controls you can deploy.
2. Patch Applications
Apply security patches to applications within defined timeframes based on criticality. Internet-facing applications within 48 hours of a patch being available. Other applications within two weeks. This closes the window attackers rely on. Most breaches we investigate exploit vulnerabilities that had a patch available for weeks or months before the intrusion.
3. Configure Microsoft Office Macro Settings
Disable macros from the internet. Only allow macros from trusted, digitally signed sources. Malicious macros delivered via phishing emails are still one of the most common initial access vectors targeting professional services firms. This control, applied correctly, stops most of them.
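As an added illustration (not part of the original post), the following PowerShell audit reads the two Office policy values that this control comes down to and reports whether each application both blocks internet-sourced macros and runs only signed ones. It assumes Office 2016 or later (the 16.0 policy hive) and that settings are delivered by Group Policy to the per-user Policies key; values written under the non-policy hive are user-changeable and are treated here as not enforced.

```powershell
# Added audit example for the Essential Eight macro control (not from the original post).
# Assumes Office 16.0 (2016/2019/M365) with policy applied to the HKCU Policies hive.
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $key    = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the
    # Mark-of-the-Web, i.e. documents that arrived from the internet or email.
    $blocksInternet = ($policy.blockcontentexecutionfrominternet -eq 1)

    # VBAWarnings: 1 = enable all, 2 = disable with notification (user can click
    # through, so this is NOT enforced), 3 = disable all except digitally signed,
    # 4 = disable all silently. Only 3 or 4 meet "trusted, digitally signed only".
    $vba        = $policy.VBAWarnings
    $signedOnly = ($vba -in @(3, 4))

    $status = if (-not $policy) {
                  'NO POLICY (user-controlled defaults)'
              } elseif ($blocksInternet -and $signedOnly) {
                  'OK'
              } else {
                  'GAP'
              }

    [PSCustomObject]@{
        App            = $app
        BlocksInternet = $blocksInternet
        VBAWarnings    = if ($null -eq $vba) { 'not set' } else { $vba }
        Status         = $status
    }
}
```

Remediate any GAP or NO POLICY row through the Office ADMX templates (Trust Center settings under the application's Security node) rather than by writing the keys directly, so the values stay policy-enforced and survive a user changing them in the Trust Center.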
4. User Application Hardening
Configure browsers and other user-facing applications to block ads, prevent access to known malicious sites, and disable insecure features like Flash (yes, some environments still have it). Remove or disable features that users do not need and attackers routinely abuse.
5. Restrict Administrative Privileges
Only give admin access to people who genuinely need it for specific tasks. Validate admin accounts regularly. Do not let users operate with admin rights day to day. Administrative credentials are the prize in almost every lateral movement scenario. Protecting them is not optional.
6. Patch Operating Systems
Patch operating systems within defined timeframes. Extreme risk vulnerabilities within 48 hours. Everything else within a month. The same logic as application patching: the longer a known vulnerability goes unpatched, the longer attackers have a reliable entry point.
7. Multi-Factor Authentication
Require MFA for all remote access, all privileged accounts, and all cloud service access. MFA is the single most effective control for preventing credential-based attacks. Token theft and adversary-in-the-middle attacks can bypass some MFA implementations, which is why configuration matters as much as deployment. Phishing-resistant MFA (FIDO2/hardware keys) is the gold standard.
8. Regular Backups
Back up important data, software, and configuration settings. Test the backups. Store at least one copy offline or in a separate, immutable environment. Verify you can actually restore from them. Ransomware gangs count on organisations discovering that their backups were either not running, not complete, or accessible from the same network they just encrypted.
The Maturity Model
Each control has four maturity levels: zero through three. Maturity zero means the control is either not implemented or implemented so poorly it provides no meaningful protection. Maturity three means the control is implemented comprehensively and consistently across the entire environment.
Most organisations we assess sit somewhere between maturity one and maturity two across the majority of controls, with specific gaps in administrative privilege management and application control. Maturity three across all eight is achievable for most SMBs within six to twelve months with the right tooling and a structured remediation plan.
The ASD's recommendation for most organisations is to reach maturity three. Not as a box-ticking exercise, but because the gap between maturity two and maturity three is where the residual risk lives.
Why Organisations Struggle
The controls themselves are not the issue. Where things fall apart is typically one of three places.
The first is tooling gaps. You cannot enforce application control without a tool purpose-built for it. You cannot patch effectively without visibility across every endpoint. The right stack makes most of these controls achievable; the wrong stack makes them nearly impossible to maintain consistently.
The second is accountability gaps. Essential Eight compliance requires someone to own it. Not in the sense of a compliance officer ticking a box, but a practitioner who is actively monitoring, remediating gaps, and verifying that controls are functioning as intended. In most SMB environments, that person is either not clearly defined or does not have the access they need.
The third is the gap between "configured" and "enforced." Application control that allows exceptions for every user who raises a helpdesk ticket is not application control. MFA that is deployed but allows legacy authentication bypass is not MFA. The implementation has to be complete or the control does not deliver what it promises.
Where to Start
If you have not done a formal Essential Eight assessment, start there. A proper assessment will tell you your current maturity level across each control, what specific gaps exist in your environment, what the remediation effort actually looks like, and what residual risk you are carrying right now.
At Stealth Cyber we do these assessments using ConnectSecure alongside manual review of policy, configuration, and access controls. The output is a maturity rating for each control and a prioritised remediation plan that distinguishes between quick fixes and longer-term project work.
The assessment is the starting point, not the deliverable. What you do with the findings is where the actual protection comes from.
The Essential Eight is not a compliance burden to be endured. It is a practical, evidence-based set of controls that makes your organisation materially harder to compromise. The firms that treat it that way get real security outcomes. The ones that treat it as a checkbox exercise get a report that sits in a folder.
If you want to know where your organisation actually sits against the Essential Eight, get in touch. The assessment might surprise you.
Find Out Where You Stand
Take our free cybersecurity self-assessment to get an instant view of your security posture, or speak with our team about a formal Essential Eight assessment for your organisation.