The Essential Eight is a set of cybersecurity strategies from the Australian Signals Directorate (ASD). It's the baseline for protecting Australian businesses from cyber threats. If you're being asked about it by clients, insurers, or auditors, here's what it actually means in plain English.

1. Application control

Only approved software can run on your devices. This stops malware from executing even if someone downloads it.

In M365: Use Intune and Windows Defender Application Control to restrict what can run on managed devices.

2. Patch applications

Keep your software up to date. Most attacks exploit known vulnerabilities that already have patches available.

In M365: Microsoft 365 apps update automatically. For everything else, use Intune to manage and monitor patch status.

3. Configure Microsoft Office macro settings

Block macros from running in Office documents unless specifically approved. Macros are a common way malware gets in.

In M365: Use Intune or Group Policy to block macros from the internet and only allow signed macros from trusted locations.

4. User application hardening

Disable unnecessary features in browsers and apps. Things like Flash, Java plugins, and ad networks that can be exploited.

In M365: Configure browser security settings through Intune. Block risky browser extensions. Enable SmartScreen.

5. Restrict administrative privileges

Not everyone needs admin access. The fewer accounts with admin rights, the smaller the attack surface.

In M365: Use Entra ID Privileged Identity Management (PIM) for just-in-time admin access. Review who has Global Admin regularly.

6. Patch operating systems

Keep Windows, macOS, iOS, and Android up to date. Same principle as patching apps — fix known vulnerabilities before they're exploited.

In M365: Use Windows Update for Business through Intune. Set deployment rings so IT gets updates first, then a pilot group, then everyone.

7. Multi-factor authentication

Require a second factor beyond passwords. The single most effective thing you can do to prevent account compromise.

In M365: Enable Security Defaults or Conditional Access policies. Use the Microsoft Authenticator app.

8. Regular backups

Back up your data regularly and test that you can restore it. Microsoft 365 has retention policies but it's not a backup solution.

In M365: OneDrive and SharePoint have version history. Exchange has retention. But for proper backup, you need a third-party backup tool like Veeam or AvePoint that takes independent copies.

Where to start

You don't need to do all eight perfectly on day one. Start with MFA and patching — they're the highest impact and lowest effort. Then work through the rest based on your risk profile.

The ASD defines maturity levels (1, 2, and 3) for each strategy. Most small businesses should aim for Maturity Level 1 across all eight as a starting point.

We help Australian businesses assess where they sit against the Essential Eight and build a roadmap using their existing Microsoft 365 tools. If you need to meet Essential Eight requirements, get in touch.