The Essential Eight: What It Is, Why It Matters, and How to Check Where You Stand — in 5 Minutes
A practical guide for NZ business owners who want to know whether their security basics are covered, without needing an IT degree to find out.
If you’ve spent any time looking into cybersecurity for your business, you’ve probably come across the phrase “Essential Eight.” Maybe a client mentioned it in a security questionnaire. Maybe your IT provider brought it up. Maybe your cyber insurer asked about it and you weren’t quite sure what to tell them.
You’re not alone. The Essential Eight is one of the most practical cybersecurity frameworks available, but most of the information out there is written for IT professionals, not business owners. So, let’s fix that.
What is the Essential Eight?
The Essential Eight is a set of eight cybersecurity strategies developed by the Australian Signals Directorate (ASD) — Australia’s equivalent of the GCSB. They represent the most effective things an organisation can do to protect itself against the most common types of cyber-attack.
Think of it as a checklist of the eight things that, if you get them right, will stop the vast majority of real-world attacks before they cause damage.
The eight strategies fall into three categories: preventing attacks from getting in, limiting how far an attacker can go if they do get in, and making sure you can recover if something goes wrong.
Here’s a plain-English summary of each one.
Preventing attacks:
Application control means only allowing approved software to run on your systems. If an attacker tricks someone into downloading malicious software, application control stops it from executing, even if the person clicks “yes.”
Patching applications means keeping your software up to date. A large share of attacks exploit known vulnerabilities in software that hasn't been patched, so how quickly you patch matters as much as whether you patch. The maturity levels set the timeframes: at Maturity Level 1, internet-facing services must be patched within two weeks of a fix being released, or within 48 hours if a working exploit exists; commonly attacked software such as browsers, Office and PDF readers gets a two-week window, and other applications a month.
Configuring Microsoft Office macros means restricting the use of macros (small, automated scripts inside Office documents) to only those that are necessary and trusted. Macros have long been one of the most common ways malware gets delivered, typically through email attachments. Microsoft now blocks macros in files downloaded from the internet by default, but the maturity model still expects the setting to be enforced by policy so that users can't switch it back on.
User application hardening means locking down everyday software like web browsers, PDF readers and Office so they can't be used as entry points. In practice this means blocking web advertisements, preventing browsers from running Java from the internet, removing legacy browsers and plug-ins such as Internet Explorer 11 and Flash (which is discontinued), and making sure users can't undo those settings.
Limiting damage:
Restricting administrative privileges means ensuring that only the people who genuinely need admin access have it, that they only use it when necessary, and that admin accounts are never used for email or web browsing. If an attacker compromises an account with admin rights, they can do far more damage than with a standard user account.
Patching operating systems is the same principle as patching applications, applied to Windows, macOS, or whatever operating systems you run. Unpatched operating systems are one of the easiest targets for attackers.
Multi-factor authentication (MFA) means requiring a second form of verification, such as a code from an authenticator app or a physical security key, when logging into important systems. Even if an attacker steals someone's password, the password alone is no longer enough. Not all MFA is equal: codes sent by SMS can be intercepted or phished, and the higher maturity levels require phishing-resistant methods such as security keys or passkeys.
Recovering when things go wrong:
Regular backups means keeping copies of your important data, stored separately from your main systems and protected so that an attacker who gets into your network can't delete or encrypt them too, and testing that you can actually restore them. The maturity model expects restoration to be tested as part of disaster recovery exercises, not just assumed. If ransomware encrypts your files or a system fails, backups are what get you back on your feet without paying a ransom.
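For an IT provider who wants a quick technical spot-check of a few of these controls on a single Windows PC, the script below is an added example, not the page's assessment tool and not an official ASD check. It reads local settings only and assumes a Microsoft 365 Apps / Office 2016+ install (policy stored under the "16.0" registry key), the Maturity Level 1 patch window for workstations, and that the script is run in an elevated PowerShell session.

```powershell
# Added example: local spot-check of four Essential Eight indicators on one
# Windows 10/11 workstation. Run elevated. Registry paths, thresholds and the
# "16.0" Office version key are assumptions, not an official ASD test.

function Test-EssentialEightSpotCheck {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Office macros: ML1 expects macros in files from the internet to be blocked
    #    and unsigned macros disabled, enforced by policy (HKCU\...\Policies).
    #    VBAWarnings: 3 = signed macros only, 4 = all macros disabled.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $pol  = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $pol -or $pol.BlockContentExecutionFromInternet -ne 1) {
            $findings.Add("Macros: $app has no policy blocking macros in files from the internet")
        }
        if ($null -eq $pol -or $pol.VBAWarnings -notin 3, 4) {
            $findings.Add("Macros: $app still allows unsigned macros (VBAWarnings policy is not 3 or 4)")
        }
    }

    # 2. Restrict admin privileges: day-to-day user accounts should not be local admins.
    $members    = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $userAdmins = @($members | Where-Object {
        $_.ObjectClass -eq 'User' -and $_.Name -notmatch '\\Administrator$'
    })
    if ($userAdmins.Count -gt 0) {
        $findings.Add("Admin: local Administrators group contains user accounts: $($userAdmins.Name -join ', ')")
    }

    # 3. Patch operating systems: ML1 allows one month for workstation OS patches.
    #    Get-HotFix is an indicator only; it does not list every kind of update.
    $latest = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($null -eq $latest) {
        $findings.Add('OS patching: no update history found on this machine')
    } else {
        $ageDays = ((Get-Date) - $latest.InstalledOn).Days
        if ($ageDays -gt 30) {
            $findings.Add("OS patching: newest update $($latest.HotFixID) was installed $ageDays days ago")
        }
    }

    # 4. Application control: with no AppLocker rules and no enforced WDAC policy,
    #    nothing stops an unapproved executable from running.
    $xml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    $appLockerRules = if ($xml) { [regex]::Matches($xml, '<File(Path|Publisher|Hash)Rule ').Count } else { 0 }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wdacEnforced = ($null -ne $dg) -and ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
    if ($appLockerRules -eq 0 -and -not $wdacEnforced) {
        $findings.Add('Application control: no AppLocker rules and no enforced WDAC policy found')
    }

    return $findings
}

$results = Test-EssentialEightSpotCheck
if ($results.Count -eq 0) { 'No gaps found in the four local checks.' } else { $results }
```

Two caveats. A maturity level is assessed across every system in the organisation, so a clean result on one PC says nothing about the fleet, and nothing here covers MFA, backups or application patching, which live outside the workstation. The macro check deliberately insists on a policy value rather than trusting the Windows default, because Maturity Level 1 also requires that users cannot change the macro settings themselves.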
Why does it matter for NZ businesses?
The Essential Eight was developed in Australia, but it’s increasingly referenced across the Tasman — by NZ government agencies, enterprise procurement teams, and cyber insurers.
There are three practical reasons it matters right now.
First, it’s becoming a commercial requirement. If you’re selling into enterprise or government clients — in New Zealand or Australia — you may already be receiving security questionnaires that reference the Essential Eight. Demonstrating maturity against this framework opens doors that are increasingly closed to businesses without it.
Second, NZ cyber insurers are tightening their requirements. Many now ask specifically about controls like MFA, patching, and backups before they’ll issue or renew a policy. The Essential Eight maps directly to what insurers want to see evidence of.
Third, it works. The strategies aren’t theoretical — they’re based on real-world incident data. The ASD estimates that implementing the Essential Eight to even a basic level would have prevented the majority of the cyber incidents they’ve responded to. For a small business, that’s a significant reduction in risk from a manageable set of actions.
What are the maturity levels?
The Essential Eight uses a four-level maturity model, from ML0 to ML3.
Maturity Level 0 means the controls are either not in place or have significant gaps. This is where most small businesses start — not because they don’t care, but because they haven’t had reason to assess themselves formally. There’s no judgement here. It’s a starting point.
Maturity Level 1 means the strategies are partially in place. You might have MFA on some accounts but not others, or you’re patching some systems but not within a consistent timeframe. Level 1 reduces your exposure to opportunistic attackers — the ones using basic, automated tools to find easy targets.
Maturity Level 2 means the strategies are largely implemented across your organisation, with good consistency. This is the level that Australia’s 2023–2030 Cyber Security Strategy is positioning as the recommended baseline for all industries — not just government. For an NZ business selling into Australian markets, ML2 is increasingly the expectation.
Maturity Level 3 means everything is implemented consistently, with strong governance, tight timeframes, and active monitoring. This level is designed to withstand sophisticated, targeted attackers. Most small businesses don’t need to aim for ML3 immediately — but understanding the path to get there matters.
The key principle is balance: you should aim for the same maturity level across all eight strategies before moving higher on any individual one. Security is only as strong as its weakest point, and reaching ML2 on seven strategies while sitting at ML0 on the eighth doesn’t give you the protection you might expect.
How do you know where you stand?
This is where most businesses get stuck. The framework makes sense in theory, but actually assessing your current maturity level feels like it requires an IT security team you don’t have.
That’s exactly why we built a free, self-service Essential Eight assessment.
It takes about five minutes. You answer a series of straightforward questions about your current setup — things like whether you use MFA, how often you patch, whether you restrict admin access, and how your backups work. No technical knowledge required. If you’re not sure about an answer, there’s guidance to help.
When you’re done, you get a report that shows your current maturity level across all eight strategies, highlights your biggest gaps, identifies the most likely attack paths based on those gaps, and gives you practical, prioritised steps to improve — starting with the things that reduce the most risk for the least effort.
Take the free Essential Eight assessment →
There’s no obligation, no sales pitch at the end, and your information is never shared with anyone.
What happens after the assessment?
That depends entirely on what the results show and what you want to do about them.
Some businesses take the report and action the recommendations themselves or with their existing IT provider. That’s fine — the report is designed to be useful on its own.
Others use it as a starting point for a conversation with us. We offer a full cybersecurity risk assessment that goes deeper — covering your systems, policies, and processes against NIST CSF 2.0 and ISO 27001 controls, with a plain-English report and a 60-minute walkthrough session. Many clients start with the free Essential Eight assessment to get a quick snapshot, then move to a full risk assessment when they’re ready.
And some businesses discover that their basics are actually in reasonable shape, and that what they really need is ongoing managed security to keep it that way. We can help with that too.
Whatever the outcome, the value of the assessment is the same: you’ll know where you stand. And knowing where you stand is always better than guessing.
The bottom line
The Essential Eight isn’t complicated. It’s eight practical things that, done well, stop the vast majority of cyber attacks. You don’t need a security team to understand it, and you don’t need a six-figure budget to implement it.
What you do need is an honest picture of where you are today — so you can make informed decisions about where to focus your time and money.
That’s what the assessment gives you. Five minutes, no cost, no jargon.
Take the free Essential Eight assessment →
KIS helps New Zealand and Australian businesses get their cybersecurity right — in plain English, with clear pricing, and without the overselling. Book a free 30-minute conversation if you’d like to talk through your results or ask us anything.
