If you run a small or medium business in Perth and you've never heard of the Essential Eight, that's about to change. What started as a cybersecurity framework for Australian government agencies is rapidly becoming a de facto requirement for any business operating in supply chains that touch government or enterprise clients.
What is the Essential Eight?
The Essential Eight is a set of cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD). It covers eight practical controls:
- Application control — Only approved applications can execute on your systems
- Patch applications — Apply software updates promptly
- Configure Microsoft Office macro settings — Block or restrict macros
- User application hardening — Disable unnecessary features in web browsers, Office, etc.
- Restrict administrative privileges — Not everyone needs admin access
- Patch operating systems — Keep Windows, macOS, etc. current
- Multi-factor authentication (MFA) — Require more than just a password
- Regular backups — Ensure you can recover from ransomware or data loss
Each control is assessed at one of four maturity levels (0 through 3), with Level 3 being the most secure.
Why Perth SMBs should care
Here's the reality: if you're a mining services company, a professional services firm, or a healthcare provider in Perth, your enterprise and government clients are increasingly asking about your cybersecurity posture.
Tender requirements are changing. We're seeing more Perth tenders — particularly in mining services and government supply chains — that explicitly ask for Essential Eight maturity level evidence. If you can't demonstrate at least Maturity Level 1, you're being excluded from opportunities.
Cyber insurance is getting harder. Australian insurers are tightening underwriting requirements. Demonstrating Essential Eight alignment can lower your premiums and make it easier to get coverage.
The cost of getting it wrong is real. The ACSC reported that the average cost of cybercrime for Australian small businesses was $46,000 in 2023–24. For medium businesses, it was over $97,000.
The good news for Microsoft 365 users
If your business runs on Microsoft 365, you already have many of the tools needed for Essential Eight compliance. The catch? They're probably not turned on.
- MFA — Built into M365, but we regularly see Perth businesses where half the team hasn't enabled it
- Conditional Access — Controls who can access what, from where. Requires Microsoft Entra ID P1 or higher
- Application management — Intune can handle application control for your devices
- Patch management — Windows Update for Business through Intune
The gap isn't technology — it's configuration. Most Perth SMBs are paying for M365 licences that include these capabilities but haven't had anyone set them up properly.
What to do next
Understand your current position. Get an assessment of where you sit against the Essential Eight. This isn't a week-long audit — for a typical SMB, it's a half-day exercise.
Prioritise MFA and patching. These two controls alone dramatically reduce your attack surface and are the easiest to implement.
Leverage M365. If you're already paying for Microsoft 365 Business Premium or E3/E5, you have the tools. You just need someone to configure them.
Document everything. When a client or insurer asks about your cybersecurity posture, you need evidence, not promises.
How we can help
Our M365 Security Health Check includes an Essential Eight assessment for Perth businesses. It covers MFA status, admin account hygiene, patching posture, and Conditional Access configuration. The assessment is free, takes 30 minutes, and gives you a clear starting point.
Book your free Essential Eight assessment — because "we'll get to it eventually" isn't a cybersecurity strategy.