23 February 2026 · 4 min read
Essential Eight compliance: a plain-English guide for Brisbane SMBs
What actually happens when a small business gets hacked?
Ask a room of business owners what a cyber attack looks like and you'll hear about hackers in hoodies picking targets. The reality is duller and more common: an automated attack finds a gap, someone clicks a dodgy link, and suddenly your files are locked or your bank details have quietly changed on an invoice.
The Essential Eight is the Australian Cyber Security Centre's answer to that. It's eight practical things that stop the most common attacks - not a product you buy, but a set of habits and settings. Here's what the eight actually are, and how a small business realistically gets started.
What are the Essential Eight?
Think of these as eight locks. You don't need all eight perfect on day one, but each one you close makes you a harder target.
- Application control - only approved programs are allowed to run, so random malware can't just launch itself.
- Patch applications - keep your everyday software (browsers, PDF readers, Office) up to date, because updates fix the holes attackers use.
- Configure Microsoft Office macro settings - macros are little scripts inside Word and Excel files. Most small businesses never use them, and they're a favourite way to sneak in malware. Turn them off unless you genuinely need them.
- User application hardening - switch off risky features you don't use, like old web browser plug-ins, so there's less to attack.
- Restrict admin privileges - not everyone needs to be an administrator. Fewer admin accounts means a stolen password does far less damage.
- Patch operating systems - same idea as patching apps, but for Windows itself. Don't run versions that no longer get security updates.
- Multi-factor authentication (MFA) - a code or tap on your phone on top of your password. This one alone blocks a huge share of account break-ins.
- Regular backups - proper, tested backups so that if the worst happens, you can restore and keep trading instead of paying a ransom.
Why should I care about this as a non-technical owner?
Two reasons, and they're both practical.
First, real protection. These eight aren't theory - they map directly to how small businesses actually get hit. Ransomware, dodgy invoices, hijacked email. Closing these gaps stops the bulk of it.
Second, and this is the one landing on more desks lately: cyber insurance. Insurers have worked out that businesses with weak security cost them money, so they're asking harder questions at renewal. MFA, backups, patching and admin controls now show up on application forms. Get them wrong and you risk a higher premium, a declined policy, or - worse - a claim knocked back after an incident because you said you had controls you didn't.
If someone's ever handed you a security questionnaire to fill in for a client contract or an insurer, you've already met the Essential Eight without knowing its name.
What are maturity levels, and do I need to worry about them?
You might see the Essential Eight described with "maturity levels" from zero to three. It's simpler than it sounds - it's just how thoroughly you've put each control in place.
- Level one is the baseline that suits most small businesses.
- Levels two and three are for organisations facing more targeted, sophisticated attackers - think government suppliers or larger firms.
For a physio clinic, accounting practice or trades business, aiming at a solid level one is a genuinely good target. Don't let the framework intimidate you. The goal is steady progress, not a perfect score.
How does a small business realistically start?
You don't do all eight at once, and you don't need a big budget. A sensible order for most Brisbane SMBs:
- Turn on MFA everywhere you can - email first, then anything with client or financial data.
- Check your backups actually work by doing a test restore, not just assuming.
- Make sure Windows and your key apps are set to update automatically.
- Review who has administrator access and trim it back to the people who truly need it.
That handful of steps moves the needle more than most people expect, and none of it requires you to become technical.
Where does that leave you?
Probably in better shape than the framework's reputation suggests - most businesses have two or three of the eight partly done without realising. Pick one of the four starting steps above and knock it over this week.
And if you'd like to know exactly where you stand before an insurer asks you, the free security scan will show you - a one-page report that's yours to keep whether we ever work together or not.
Want me to check your domain?
Free health check, plain-English action list, yours to keep.