Essential Eight: What Your Business Needs to Know
The Essential Eight are eight practical mitigation strategies developed by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC) to reduce the likelihood and impact of common cyber attacks. This page gives a plain-English summary for decision-makers and staff.
Our Commitment at XSTRA
At XSTRA, our aim is to provide a baseline level of cyber security preparedness in line with the Essential Eight, as set by the Australian Signals Directorate. This means all of our XDESK clients will meet all eight requirements at Level 3 — the highest maturity level possible under the ASD framework.
Adopting these technologies together is the key to achieving this level of protection. They include:
- XDESK – Secure, managed desktop environment with strict application controls and policy enforcement.
- XACCESS – Multi-factor authentication and secure access management.
- XTERMINAL – Locked-down endpoint terminal solution for Citrix and secure remote access.
- XDEVICE – Managed device security, patching, and compliance monitoring.
The Eight Strategies
- Application control
  Only allow approved (allow-listed) apps to run. Blocks malware and unapproved tools.
- Patch applications
  Keep apps (e.g., browsers, PDF readers, Java, Office) up to date. Prioritise fixes for internet-facing and exploited vulnerabilities.
- Configure Microsoft Office macro settings
  Block macros from the internet and only permit signed, trusted macros needed for business.
- User application hardening
  Turn off risky features in apps (e.g., block Flash/Java, disable unnecessary browser features, block web ads that can deliver malware).
- Restrict administrative privileges
  Keep admin accounts to a minimum, use separate admin/non-admin accounts, and review access regularly.
- Patch operating systems
  Update Windows/macOS/Linux promptly. Remove or replace unsupported OS versions.
- Multi-factor authentication (MFA)
  Require MFA for remote access, admin accounts, and important apps. Prefer phishing-resistant methods where possible.
- Regular backups
  Back up critical data, systems and configurations. Keep copies offline/immutable and test restores regularly.
Maturity Levels (how ACSC measures progress)
The ACSC, under the ASD, uses four levels to assess how completely and effectively the Essential Eight are in place.
Level | Meaning |
---|---|
Level 0 | Not effectively implemented; significant risk remains. |
Level 1 | Basic protection against common, opportunistic threats. |
Level 2 | Better protection against more targeted attacks. |
Level 3 | Strong controls against skilled, persistent adversaries. |
How we typically implement this with you
- Assess: Identify current maturity for each of the eight areas.
- Target: Agree a target level that fits your risk profile and obligations.
- Roadmap: Prioritise high-impact items (e.g., MFA, patching) and set timelines.
- Verify: Monitor with logs/reports and test (e.g., backup restores, MFA coverage).
- Improve: Reassess regularly; ACSC updates guidance and timeframes over time.
Quick self-check
- Do all admin and remote users have MFA (preferably phishing-resistant)?
- Are app and OS patches applied quickly, especially for internet-facing systems?
- Can staff run only approved software on work devices?
- Are risky features (e.g., Office macros from the internet) blocked by default?
- Do backups include systems and configurations, with offline or immutable copies and regular test restores?
Why it matters
The Essential Eight, designed by the Australian Signals Directorate, are proven to prevent or limit many incidents (ransomware, credential theft, business email compromise). Many government and regulated customers expect suppliers to align with these controls. With XSTRA’s solutions, your organisation achieves this alignment at the highest level — backed by ongoing management, monitoring, and improvement.
Sources & further reading
- ACSC: Essential Eight (official overview)
- ACSC: Essential Eight Maturity Model
- ACSC: November 2023 Maturity Model Changes
- ACSC: Essential Eight Maturity Model FAQ (April 2024)
Tip: Always use the latest ASD and ACSC guidance, as timeframes and expectations (e.g., for patching and MFA) are updated periodically.
© 2021–2025 XSTRA Group Pty Ltd (Australia). All rights reserved.