23 October 2025

What is the Essential Eight

The Essential Eight is a set of eight practical mitigation strategies recommended by the ACSC to reduce the risk of common cyber threats such as ransomware, phishing, data breaches, and targeted network intrusions. These strategies were designed to be effective from multiple angles and feasible for organizations of various sizes. Each control addresses a specific aspect of cybersecurity; when implemented together, they provide a layered defense that significantly strengthens an organization’s security posture.

The Essential Eight Controls and Their Goals:

Application Control – Ensure only approved (whitelisted) applications can run on systems, preventing execution of unauthorized or malicious software. This greatly reduces the risk of malware or untrusted programs entering your network.
Patch Applications – Keep third-party software (e.g. browsers, office suites, runtimes) up to date by promptly applying security patches. This closes known vulnerabilities in applications that attackers could exploit.
Configure Microsoft Office Macro Settings – Block or tightly restrict macros in Office documents, especially those downloaded from the internet. Macros are a common malware delivery mechanism; disabling them by default or only allowing trusted macros helps ensure users don’t inadvertently run harmful code.
User Application Hardening – Harden the configuration of user applications by disabling or removing features not needed, especially those that are commonly abused. For example, turn off unsafe browser plugins (like Flash), block ads or remote code in PDF readers, and remove legacy protocols. The goal is to limit attackers’ opportunities to exploit weaknesses in user applications.
Restrict Administrative Privileges – Apply the principle of least privilege. Limit admin accounts to only those who genuinely need them and tightly control their use. By restricting admin rights, you significantly reduce the impact if a regular user account is compromised (attackers cannot easily leverage it to gain full control). Admin accounts that do exist should be separate from standard accounts and actively monitored.
Patch Operating Systems – Just as with applications, keep operating systems (Windows, Linux, etc.) updated with the latest security patches. Ensuring OS updates are applied (especially for critical and high-risk vulnerabilities) prevents attackers from exploiting known OS flaws.
Multi-Factor Authentication (MFA) – Require MFA for all users accessing important systems, especially for remote access or privileged accounts. MFA (such as a one-time code or biometric in addition to a password) helps stop adversaries who have stolen or guessed passwords from actually logging in. It adds an extra barrier that significantly improves account security.
Regular Backups – Perform regular (at least daily) backups of important data, software, and configurations, and test that you can recover from them. In the event of ransomware or data loss, reliable backups ensure you can restore systems to normal operations. Testing backups is critical to ensure the restore process works when needed.
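The part of the Regular Backups control most often skipped is the restore test. The Python script below is an added example, not code from the original post or from any ACSC tooling: it archives a directory together with a SHA-256 manifest, restores the archive into a scratch directory, and reports files that came back missing, corrupted or unexpected. The sample files it creates are constructed for the demonstration, and all function names (`create_backup`, `verify_restore`, `demo`, and so on) are mine.

```python
"""Restore test for a file backup: archive a directory with a SHA-256 manifest,
restore the archive elsewhere, and verify every file against the manifest.
Added example; the sample data below is constructed for the demonstration."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source and return the manifest taken at backup time.
    Keep the manifest apart from the archive, so a damaged archive cannot also
    damage the evidence used to check it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Report files that were lost, altered, or added between backup and restore."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(k for k in expected.keys() & actual.keys()
                            if expected[k] != actual[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore the archive into restore_dir and compare the result with the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(restore_dir, filter="data")  # refuse members escaping restore_dir
        else:
            tar.extractall(restore_dir)  # older Python without extraction filters
    return compare_manifests(manifest, build_manifest(restore_dir))


def make_sample_data(root: Path) -> None:
    """Constructed stand-in for 'important data': a config file and a data file."""
    (root / "config").mkdir(parents=True)
    (root / "config" / "app.ini").write_text("[db]\nhost=localhost\n")
    (root / "records.csv").write_text("id,name\n1,alice\n2,bob\n")


def demo() -> dict:
    """Run a clean backup/restore cycle, then show that a damaged restore is caught."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "source"
        make_sample_data(source)
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(source, archive)

        restore_dir = Path(work) / "restore"
        restore_dir.mkdir()
        clean = verify_restore(archive, manifest, restore_dir)

        # Simulate a restore damaged after the fact (one file truncated, one lost)
        # and re-check it against the manifest taken at backup time.
        (restore_dir / "records.csv").write_text("id,name\n1,alice\n")
        (restore_dir / "config" / "app.ini").unlink()
        damaged = compare_manifests(manifest, build_manifest(restore_dir))
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In a real schedule the manifest would be written alongside each backup run and the restore performed onto separate hardware; the comparison step is the same. An empty report in all three categories is the evidence that the restore process works.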

Maturity Levels 0–3

Each Essential Eight control can be implemented at varying levels of rigor, which the ACSC defines as Maturity Levels 0 through 3. These maturity levels indicate how prepared your organization is to handle adversaries of increasing sophistication:
Maturity Level 0 – Controls are ineffective or not in place. This signifies serious weaknesses in cyber hygiene – an adversary using even basic, widely available techniques could compromise systems. (Level 0 is essentially “below the baseline”.)
Maturity Level 1 – Basic implementation. Addresses opportunistic attacks using commodity malware and known exploits. The focus at Level 1 is on basic protections to prevent attacks that require minimal attacker effort/skill (e.g. script kiddies or automated scans). This level is recommended as a minimum for all organizations and is often the first target maturity for compliance.
Maturity Level 2 – Intermediate/Enhanced implementation. Defends against more sophisticated tradecraft than Level 1. At Level 2, attackers might invest more time in a target or use moderately advanced techniques to evade basic controls (for example, spear-phishing users or using well-known bypass methods). The controls at this level are stronger and more consistently applied, stopping a wider range of threats.
Maturity Level 3 – Advanced implementation. Represents a robust, highly resilient posture against determined, adaptive adversaries. Level 3 is designed to mitigate advanced persistent threats (APTs) who employ sophisticated tools and novel techniques to target specific victims. An organization at Level 3 has comprehensive, tightly integrated security controls and can resist sustained attacks (though even Level 3 cannot stop the most well-resourced attackers in all cases).

In general, organizations are advised to achieve the same maturity level across all eight controls before moving to a higher level. For example, reach Level 1 on all eight strategies, then progress to Level 2 on all, and so forth. This ensures a balanced defense – an attacker will typically target the weakest link. By using the maturity model as a roadmap, IT teams can prioritize improvements and measure their progress toward a stronger security posture.
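The roll-up rule above can be stated precisely: an organization's effective maturity is the lowest level reached by any of the eight controls, and the roadmap lifts every control sitting at that floor by one level before the floor moves up. The Python below is an added example that applies that rule to the eight controls listed earlier; it is not part of the original post or of any ACSC tool. The per-control levels in `SAMPLE_ASSESSMENT` are constructed for the demonstration, and the function names are mine.

```python
"""Essential Eight maturity roll-up: the effective level is the lowest level
across the eight controls, and the roadmap lifts the laggards first.
Added example; SAMPLE_ASSESSMENT is constructed, not a real organization's data."""

CONTROLS = (
    "Application Control",
    "Patch Applications",
    "Configure Microsoft Office Macro Settings",
    "User Application Hardening",
    "Restrict Administrative Privileges",
    "Patch Operating Systems",
    "Multi-Factor Authentication",
    "Regular Backups",
)
MATURITY_LEVELS = (0, 1, 2, 3)

# Constructed self-assessment: MFA is strong, but three controls are still at Level 1.
SAMPLE_ASSESSMENT = {
    "Application Control": 1,
    "Patch Applications": 2,
    "Configure Microsoft Office Macro Settings": 2,
    "User Application Hardening": 1,
    "Restrict Administrative Privileges": 2,
    "Patch Operating Systems": 2,
    "Multi-Factor Authentication": 3,
    "Regular Backups": 1,
}


def is_valid(assessment: dict) -> bool:
    """True only if every control, and nothing else, has a level in 0..3.
    A control that was never assessed cannot be credited with any level."""
    return (set(assessment) == set(CONTROLS)
            and all(level in MATURITY_LEVELS for level in assessment.values()))


def overall_maturity(assessment: dict) -> int:
    """Effective maturity: the weakest control sets the level for the organization."""
    if not is_valid(assessment):
        raise ValueError("assessment must cover all eight controls with levels 0-3")
    return min(assessment.values())


def weakest_controls(assessment: dict) -> list:
    """Controls currently at the floor: the weakest links an attacker would go for."""
    floor = overall_maturity(assessment)
    return sorted(control for control in CONTROLS if assessment[control] == floor)


def roadmap(assessment: dict, target: int = 3) -> list:
    """Ordered (control, from_level, to_level) steps that raise every control at the
    current floor by one level before the floor itself moves up, until target."""
    if target not in MATURITY_LEVELS:
        raise ValueError("target must be 0-3")
    work = dict(assessment)
    steps = []
    while overall_maturity(work) < target:
        floor = overall_maturity(work)
        for control in CONTROLS:
            if work[control] == floor:
                steps.append((control, floor, floor + 1))
                work[control] = floor + 1
    return steps


if __name__ == "__main__":
    print("overall maturity:", overall_maturity(SAMPLE_ASSESSMENT))
    print("weakest controls:", weakest_controls(SAMPLE_ASSESSMENT))
    for control, frm, to in roadmap(SAMPLE_ASSESSMENT, target=2):
        print(f"  raise {control}: ML{frm} -> ML{to}")
```

With the constructed assessment the organization sits at Maturity Level 1 despite having MFA at Level 3, and the first three roadmap steps all target the Level 1 controls; only once those are raised does the plan start moving the Level 2 controls up.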