Essential Eight: What Your Business Needs to Know

The Essential Eight are eight practical mitigation strategies developed by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC) to reduce the likelihood and impact of common cyber attacks. This page gives a plain-English summary for decision-makers and staff.

Our Approach at XSTRA

At XSTRA, we work with clients to improve cyber security posture in many areas that align with the Essential Eight.

For clients using our technologies, particularly XDESK and XDEVICE, there is often strong alignment across a number of the Essential Eight strategies. However, it is important to note that not all Essential Eight requirements are automatically met in every environment, and not all clients will achieve every maturity level by default.

If your organisation would like to better understand its current position, or would like to investigate what would be required to align to higher Essential Eight maturity levels, we encourage you to reach out to XSTRA for further guidance.

Solutions that may contribute to stronger alignment in a client environment include:

  • XDESK – Secure, managed desktop environment with strong centralisation, policy enforcement, and reduced endpoint risk.
  • XACCESS – Multi-factor authentication and secure access management.
  • XPC – Locked-down endpoint terminal solution for Citrix and secure remote access.
  • XDEVICE – Managed device security, patching, and compliance monitoring.

The Eight Strategies

  1. Application control
    Only allow approved (allow-listed) apps to run. Blocks malware and unapproved tools.
  2. Patch applications
    Keep apps (e.g., browsers, PDF readers, Java, Office) up to date. Prioritise fixes for internet-facing and exploited vulnerabilities.
  3. Configure Microsoft Office macro settings
    Block macros from the internet and only permit signed, trusted macros needed for business.
  4. User application hardening
    Turn off risky features in apps (e.g., block Flash/Java, disable unnecessary browser features, block web ads that can deliver malware).
  5. Restrict administrative privileges
    Keep admin accounts to a minimum, use separate admin/non-admin accounts, and review access regularly.
  6. Patch operating systems
    Update Windows/macOS/Linux promptly. Remove or replace unsupported OS versions.
  7. Multi-factor authentication (MFA)
    Require MFA for remote access, admin accounts, and important apps. Prefer phishing-resistant methods where possible.
  8. Regular backups
    Back up critical data, systems and configurations. Keep copies offline/immutable and test restores regularly.
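Strategy 3 is one of the few items above that comes down to a handful of concrete settings. The PowerShell below is an added audit example, not code from the original page or from XSTRA's products. It reads the Group Policy registry values that implement "block macros from the internet" (blockcontentexecutionfrominternet) and the macro notification level (vbawarnings) for Word, Excel and PowerPoint, and reports whether each application is configured the way the strategy describes. It assumes Office 2016/2019/Microsoft 365 (policy version 16.0) and the standard Office policy key paths; adjust the version and application list for other environments.

```powershell
# Added audit example (not part of the original page or of any XSTRA product).
# Reads the Office macro Group Policy values and reports alignment with
# "block macros from the internet, only permit signed macros".
# Assumptions: Office policy version 16.0, standard policy hives, Word/Excel/PowerPoint.
$Version = '16.0'
$Apps    = 'Word', 'Excel', 'PowerPoint'
$Hives   = 'HKCU:\Software\Policies\Microsoft\Office',
           'HKLM:\Software\Policies\Microsoft\Office'

function Get-MacroPolicy {
    param([Parameter(Mandatory)][string]$App)

    $result = [ordered]@{
        App                 = $App
        BlockInternetMacros = $null     # 1 = macros in files marked as from the internet are blocked
        VBAWarnings         = $null     # 3 = disable except digitally signed, 4 = disable all silently
        Source              = 'not configured'
    }

    # Later hives overwrite earlier ones here; both are reported via Source.
    foreach ($hive in $Hives) {
        $key = Join-Path $hive "$Version\$App\Security"
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            if ($null -ne $props.blockcontentexecutionfrominternet) {
                $result.BlockInternetMacros = $props.blockcontentexecutionfrominternet
                $result.Source = $key
            }
            if ($null -ne $props.vbawarnings) {
                $result.VBAWarnings = $props.vbawarnings
                $result.Source = $key
            }
        }
    }

    # Aligned when internet-sourced macros are blocked AND unsigned macros cannot run.
    $result.Aligned = ($result.BlockInternetMacros -eq 1) -and ($result.VBAWarnings -in 3, 4)
    [pscustomobject]$result
}

# Run the audit for each application and print one row per app.
$Apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
```

A row with Aligned = False, or with Source = "not configured", indicates an application where the macro strategy is not enforced by policy and therefore depends on user choice. The script only reads the registry; it does not change any setting.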

Maturity Levels (how ACSC measures progress)

The ACSC, under the ASD, uses four maturity levels (0 to 3) to assess how completely and effectively the Essential Eight are in place.

  Level 0 – Not effectively implemented; significant risk remains.
  Level 1 – Basic protection against common, opportunistic threats.
  Level 2 – Better protection against more targeted attacks.
  Level 3 – Strong controls against skilled, persistent adversaries.

How we typically help

  • Explain: Help clients understand what the Essential Eight is and why it matters.
  • Review: Identify areas where existing controls already align with the Essential Eight.
  • Improve: Recommend practical steps to strengthen alignment over time.
  • Support: Assist clients who want to investigate what would be required to move toward higher maturity levels.

Quick self-check

  • Do all admin and remote users have MFA (preferably phishing-resistant)?
  • Are app and OS patches applied quickly, especially for internet-facing systems?
  • Can staff run only approved software on work devices?
  • Are risky features (e.g., Office macros from the internet) blocked by default?
  • Do backups include systems and configurations, with offline or immutable copies and regular test restores?

Why it matters

The Essential Eight, designed by the Australian Signals Directorate, are widely recognised as practical and effective baseline strategies for reducing cyber risk. Many businesses, government agencies, and regulated organisations look to these controls as an important benchmark.

XSTRA supports clients in many of these areas through solutions such as XDESK and XDEVICE, but full Essential Eight alignment depends on the broader design, policies, controls, and operational practices of each individual client environment. Clients seeking to work toward the highest levels of Essential Eight maturity are encouraged to speak with us so that we can help assess what is in place today and what additional measures may be required.

Sources & further reading

Tip: Always use the latest ASD and ACSC guidance, as timeframes and expectations (e.g., for patching and MFA) are updated periodically.

© 2021–2026 XSTRA Group Pty Ltd (Australia). All rights reserved.