
The Essential Eight and Microsoft 365 — How They Actually Map Together
- Graeme Lodge
- Dec 15, 2025
- 2 min read
Updated: Mar 29

If you're running a business in Australia, you've probably heard of the Essential Eight. It's the Australian Cyber Security Centre's (ACSC) framework — eight strategies to mitigate cyber security incidents. It's not a suggestion. For government agencies it's mandatory, and increasingly it's what clients, insurers, and auditors expect from every business.
The good news? If you're on Microsoft 365, you can address most of the Essential Eight without buying anything else.
Here's how they map:
1. Application Control
This is about making sure only approved software runs on your devices. Microsoft Intune and Windows Defender Application Control let you set policies for what can and can't run. You can whitelist approved apps and block everything else.
2. Patch Applications
Microsoft 365 apps update automatically. For everything else, Intune can manage updates across your devices — push patches, set update deadlines, and report on compliance. No more hoping people clicked "update later" and actually did it later.
3. Configure Microsoft Office Macro Settings
Macros are one of the most common attack vectors. Through Intune and Group Policy, you can block macros from the internet, only allow signed macros, or disable them entirely for users who don't need them. This one's usually quick to implement.
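As an added example (not code from the original post), the following Python checks an export of Office macro policy values against the intent described above: macros disabled for users who don't need them, and only signed macros with internet-sourced macros blocked for those who do. It assumes the values came from the registry keys Office reads for Group Policy and Intune-delivered settings (`HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security`, values `VBAWarnings` and `blockcontentexecutionfrominternet`); the per-profile export is constructed for the example.

```python
"""Check exported Office macro policy values against the Essential Eight intent.

Added example, not code from the original post. It assumes the values were
pulled from the registry keys that Office reads for Group Policy / Intune-
delivered settings, HKCU\\Software\\Policies\\Microsoft\\Office\\16.0\\<App>\\Security:
  VBAWarnings  1 = enable all macros, 2 = disable with notification (Office default),
               3 = disable except digitally signed, 4 = disable all without notification
  blockcontentexecutionfrominternet  1 = block macros in files that came from the internet
The per-profile export below is constructed for this example.
"""

OFFICE_APPS = ("Word", "Excel", "PowerPoint")

# Constructed sample: one profile for staff with a business need for signed macros,
# one for general staff where the policy was only half applied.
SAMPLE_EXPORT = {
    "finance-user": {
        "Word": {"VBAWarnings": 3, "blockcontentexecutionfrominternet": 1},
        "Excel": {"VBAWarnings": 3, "blockcontentexecutionfrominternet": 1},
        "PowerPoint": {"VBAWarnings": 4},
    },
    "general-user": {
        "Word": {"VBAWarnings": 4},
        "Excel": {"VBAWarnings": 2},          # user can click "Enable content"
        "PowerPoint": {},                     # nothing set by policy at all
    },
}


def assess_app(app, values):
    """Return (compliant, findings) for one application's macro settings."""
    findings = []
    vba = values.get("VBAWarnings")
    block_internet = values.get("blockcontentexecutionfrominternet", 0)
    if vba is None:
        vba = 2  # Office's built-in default when no policy is present
        findings.append("VBAWarnings not set by policy; users can change it in Trust Center")
    if vba == 1:
        findings.append("all macros run without prompting")
    elif vba == 2:
        findings.append("users can enable macros from the notification bar")
    if vba != 4 and block_internet != 1:
        findings.append("macros in internet-sourced files are not blocked")
    # Essential Eight intent: macros disabled for users who don't need them, and
    # where they are needed, only signed macros with internet-sourced macros blocked.
    compliant = vba == 4 or (vba == 3 and block_internet == 1)
    return compliant, findings


def assess_export(export):
    """Map each profile to {app: (compliant, findings)} for all Office apps."""
    return {
        profile: {app: assess_app(app, apps.get(app, {})) for app in OFFICE_APPS}
        for profile, apps in export.items()
    }


def non_compliant_apps(export):
    """List 'profile/App' strings that fail, for a compliance summary."""
    return [
        f"{profile}/{app}"
        for profile, apps in assess_export(export).items()
        for app, (ok, _) in apps.items()
        if not ok
    ]


if __name__ == "__main__":
    for profile, apps in assess_export(SAMPLE_EXPORT).items():
        for app, (ok, findings) in apps.items():
            print(f"{profile:13} {app:11} {'OK  ' if ok else 'FAIL'} {'; '.join(findings)}")
```

The check treats a missing `VBAWarnings` as the Office default rather than as a pass, because an unset policy is exactly the gap that lets a user click "Enable content" on a phished document.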
4. User Application Hardening
This means disabling unnecessary features in web browsers and apps, such as Flash (which should be gone by now), Java, and ad networks. Microsoft Edge policies delivered through Intune let you lock down browser settings across your organisation.
5. Restrict Administrative Privileges
Entra ID (Azure AD) makes this straightforward. Privileged Identity Management (PIM) lets you give admin access only when needed, for a set time period. No more permanent global admins. You can also set up access reviews so admin rights don't accumulate over time.
6. Patch Operating Systems
Windows Update for Business, managed through Intune, handles this. Set deployment rings — IT gets updates first, then a pilot group, then everyone else. You can set compliance deadlines so devices that aren't updated get flagged or blocked from accessing company data.
7. Multi-Factor Authentication (MFA)
Entra ID supports MFA out of the box. Conditional Access policies let you require MFA for specific scenarios — admin access, access from outside the office, access from new devices. If you haven't turned on MFA yet, this is the single most impactful thing you can do.
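The post's point that Conditional Access is where MFA gets enforced, and the earlier point (under Restrict Administrative Privileges) that admin access is the first place to require it, can be checked mechanically. The following is an added example, not code from the original post: it audits a set of policies for whether admin roles and all users are actually covered by an enforced MFA requirement. The policy objects follow the shape Microsoft Graph returns for `conditionalAccessPolicy` (`state`, `conditions.users`, `conditions.applications`, `grantControls`); the sample tenant is constructed, and the two role template IDs are the well-known Entra ID values for Global Administrator and Security Administrator.

```python
"""Audit Conditional Access policies for the MFA coverage the post recommends.

Added example, not from the original post. The policy objects follow the shape
Microsoft Graph returns for conditionalAccessPolicy (state, conditions.users,
conditions.applications, grantControls); the sample tenant below is constructed.
Role template IDs are the well-known Entra ID values for Global Administrator
and Security Administrator.
"""

ADMIN_ROLE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
}

# Constructed sample tenant: one good admin policy, one all-users policy still in
# report-only mode, and one policy whose OR grant lets a compliant device stand in for MFA.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeRoles": list(ADMIN_ROLE_IDS),
                      "excludeUsers": ["breakglass-account-id"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",   # report-only: nothing is enforced yet
        "conditions": {
            "users": {"includeUsers": ["All"], "includeRoles": [], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "MFA or compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeRoles": [], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
        # OR means a compliant device alone satisfies the grant, so MFA is not guaranteed
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
]


def enforces_mfa(policy):
    """True only if the policy is enforced and MFA cannot be bypassed by another control."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if policy.get("state") != "enabled" or "mfa" not in controls:
        return False
    return len(controls) == 1 or grant.get("operator") == "AND"


def applies_to_all_apps(policy):
    """Scoped to every cloud app; an app-scoped policy leaves gaps this audit won't vouch for."""
    return policy["conditions"]["applications"].get("includeApplications") == ["All"]


def admin_roles_covered(policy):
    """Admin roles reached by this policy, via an explicit role list or an 'All' users scope."""
    users = policy["conditions"]["users"]
    if users.get("includeUsers") == ["All"]:
        return set(ADMIN_ROLE_IDS)
    return set(users.get("includeRoles", [])) & set(ADMIN_ROLE_IDS)


def audit(policies):
    """Summarise MFA coverage across the tenant's policies."""
    covered, excluded, report_only = set(), set(), []
    all_users = False
    for policy in policies:
        if policy.get("state") == "enabledForReportingButNotEnforced":
            report_only.append(policy["displayName"])
        if not (enforces_mfa(policy) and applies_to_all_apps(policy)):
            continue
        covered |= admin_roles_covered(policy)
        users = policy["conditions"]["users"]
        if users.get("includeUsers") == ["All"]:
            all_users = True
        excluded |= set(users.get("excludeUsers", []))
    return {
        "admin_mfa_enforced": covered == set(ADMIN_ROLE_IDS),
        "uncovered_admin_roles": sorted(ADMIN_ROLE_IDS[r] for r in set(ADMIN_ROLE_IDS) - covered),
        "all_users_mfa_enforced": all_users,
        "report_only_policies": report_only,
        "excluded_accounts": sorted(excluded),  # break-glass exclusions are expected; review them
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_POLICIES).items():
        print(f"{key:24} {value}")
```

Two details in the audit are the ones that most often mislead a quick portal check: a policy in report-only mode enforces nothing, and a grant that lists MFA with another control under "OR" (require one of the selected controls) can be satisfied without MFA at all.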
8. Regular Backups
OneDrive and SharePoint have versioning and retention policies built in. For email, Exchange Online has retention and litigation hold. For a more complete backup strategy, there are Microsoft-native options and third-party tools that integrate with M365.
Where to start
You don't need to do all eight at once. Start with MFA and patching — they're the highest impact and easiest to implement. Then work through the rest in order of risk for your business.
We've helped a number of businesses map their M365 environment against the Essential Eight and build a roadmap to get compliant. If your insurer, clients, or board are asking about your security posture, this is the framework to work against.
Happy to have a conversation about where you sit and what it would take to get there.

