Essential Eight Maturity Level One: A Step-by-Step Guide


Maturity Level One of the Essential Eight isn’t sexy. It’s not enterprise-grade security. It won’t stop a determined nation-state attacker.

But it will stop most of the attacks that actually hit Australian small businesses. And that’s the point.

Here’s how to get there, strategy by strategy.

Strategy 1: Application Control

What Level One requires: Application control is implemented on workstations to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an approved set.

In plain English: Only approved programs can run on your computers.

How to achieve it:

For Windows devices, you’re looking at Windows Defender Application Control (WDAC, now called App Control for Business) or AppLocker (on Windows Pro/Enterprise). The ACSC recommends WDAC for new deployments.

Start with audit mode - this logs what would be blocked without actually blocking it. Review the logs for a few weeks to understand what your users actually run.

Then create your approved list:

  • Microsoft-signed applications
  • Your business applications
  • Anything else legitimately needed

Enable enforcement gradually - maybe start with one department and expand.
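Here is what the audit-then-allow-list step looks like in practice. This is an added example written for this guide, not ACSC or Microsoft code. It assumes AppLocker audit mode is already switched on via Group Policy or Intune, that it runs on a Windows edition with the AppLocker module, and that the event IDs in the comments (8002 allowed, 8003 would-have-been-blocked, 8004 blocked) match your Windows build.

```powershell
# Added example (not from the original article): review AppLocker audit-mode events
# and build a draft allow-list policy from what users actually ran.
# Assumes audit mode is already enabled and the AppLocker module is available.

# AppLocker EXE/DLL log event IDs: 8002 = allowed, 8003 = would have been blocked
# (audit mode), 8004 = blocked (enforce mode).
$log   = 'Microsoft-Windows-AppLocker/EXE and DLL'
$since = (Get-Date).AddDays(-14)

$wouldBlock = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003; StartTime = $since } `
                           -ErrorAction SilentlyContinue

# Summarise which binaries would have been blocked and who ran them, most frequent first.
$summary = $wouldBlock |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            File = $x.Event.UserData.RuleAndFileData.FilePath
            Hash = $x.Event.UserData.RuleAndFileData.FileHash
            User = $x.Event.UserData.RuleAndFileData.TargetUser
        }
    } |
    Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name
$summary | Format-Table -AutoSize

# Build a draft policy from the audited files: publisher rules where the file is
# signed, hash rules otherwise, scoped to Everyone. Review the XML before merging it.
$fileInfo = Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited
if ($fileInfo) {
    $draft = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                                 -User Everyone -Optimize -Xml
    $draftPath = Join-Path $env:TEMP 'AppLocker-draft.xml'
    $draft | Out-File -FilePath $draftPath -Encoding UTF8
    Write-Host "Draft policy written to $draftPath (review before merging)"

    # Merge into the effective local policy only after review:
    # Set-AppLockerPolicy -XmlPolicy $draftPath -Merge
} else {
    Write-Host 'No audited events in the window; keep audit mode running longer.'
}
```

Run it on a representative workstation after a couple of weeks in audit mode. Anything that appears in the summary but isn’t a business application is exactly what enforcement will stop, so the review of that list is the real work here.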

Reality check for SMBs: This is one of the more complex Essential Eight strategies. For very small businesses, it might be overkill. But if you’re using Microsoft Endpoint Manager (Intune), you’ve got the tools to do this already.

Strategy 2: Patch Applications

What Level One requires: Patches, updates or other vendor mitigations for security vulnerabilities in internet-facing services, office productivity suites, web browsers and email clients are applied within two weeks of release.

In plain English: Keep your software updated, especially the stuff that touches the internet.

How to achieve it:

Internet-facing services (web servers, email, VPNs): These are the highest priority. Enable automatic updates where possible. For critical vulnerabilities, patch within 48 hours.

Office and productivity apps: Microsoft 365 can be set to auto-update. Do it.

Web browsers: Chrome and Edge auto-update by default. Make sure this isn’t disabled.

Email clients: Usually handled through office suite updates.

Create a patching schedule:

  • Critical vulnerabilities: Within 48 hours
  • High vulnerabilities: Within 2 weeks
  • Everything else: Within 1 month
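A quick way to confirm that the auto-update mechanisms this strategy relies on haven’t been switched off, and to capture installed versions for your patching log. This is an added example, not from the original article. It assumes the registry locations below are the documented policy keys for Google Update, Microsoft Edge Update and Office Click-to-Run; if a key is absent the vendor default (auto-update on) applies.

```powershell
# Added example (not from the original article): report whether auto-update has been
# disabled by policy for browsers and Office, and record installed versions.
# Assumption: the policy keys below are the vendors' documented update-policy locations.

$checks = @(
    @{ Product = 'Google Chrome';     Key = 'HKLM:\SOFTWARE\Policies\Google\Update';                              Name = 'UpdateDefault';          Disabled = 0 }
    @{ Product = 'Microsoft Edge';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate';                       Name = 'UpdateDefault';          Disabled = 0 }
    @{ Product = 'Microsoft 365 Apps'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate'; Name = 'EnableAutomaticUpdates'; Disabled = 0 }
)

$policy = foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state = if ($null -eq $v) { 'not configured (vendor default: auto-update on)' } else { $v }
    [pscustomobject]@{
        Product           = $c.Product
        PolicyValue       = $state
        AutoUpdateBlocked = ($v -eq $c.Disabled)   # true means someone turned updates off
    }
}
$policy | Format-Table -AutoSize

# Installed browser versions, read from the binaries so this works without the app running.
$binaries = @{
    'Google Chrome'  = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                         "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe")
    'Microsoft Edge' = @("${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
                         "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe")
}
$versions = @(foreach ($name in $binaries.Keys) {
    $exe = $binaries[$name] | Where-Object { Test-Path $_ } | Select-Object -First 1
    $ver = if ($exe) { (Get-Item $exe).VersionInfo.ProductVersion } else { 'not installed' }
    [pscustomobject]@{ Product = $name; Version = $ver; Source = $exe }
})

# Office Click-to-Run records its build and update channel here.
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
$versions += [pscustomobject]@{
    Product = 'Microsoft 365 Apps'
    Version = if ($c2r) { $c2r.VersionToReport } else { 'not installed' }
    Source  = if ($c2r) { $c2r.UpdateChannel } else { $null }
}
$versions | Format-Table -AutoSize
```

Any row with AutoUpdateBlocked = True is a finding: either someone deliberately pinned a version (in which case there must be a compensating patch process) or a stale policy is quietly defeating this whole strategy.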

Reality check for SMBs: This is achievable. Enable automatic updates everywhere possible. For things that can’t auto-update, put a monthly “patch everything” task in your calendar.

Strategy 3: Configure Microsoft Office Macro Settings

What Level One requires: Microsoft Office macros are disabled for users that do not require them. Microsoft Office macros are blocked from making Win32 API calls.

In plain English: Turn off macros unless someone actually needs them. And even then, restrict what macros can do.

How to achieve it:

Through Group Policy or Intune, configure:

  • Disable macros by default for all users
  • Block macros in documents from the internet
  • For users who need macros, enable only digitally signed macros from trusted publishers
  • Block Win32 API calls from macros

In Microsoft 365 admin, you can also configure macro policies centrally.
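The settings above map to a handful of registry values that Group Policy and Intune write under HKCU\Software\Policies, plus one Defender Attack Surface Reduction rule for the Win32 API block. The script below is an added example, not from the original article: it audits those values for the current user and, with -Apply on a lab machine, sets them locally so you can test the effect before pushing the real policy. It assumes Office 2016/2019/365 (registry version 16.0) and the documented meaning of VBAWarnings (3 = disable except digitally signed, 4 = disable all without notification).

```powershell
# Added example (not from the original article): audit or locally apply the
# Office macro settings Level One calls for. Production settings should come from
# Group Policy/Intune; this script only reads/writes the per-user Policies keys.
param(
    [switch]$Apply,              # write non-compliant values (lab/test use)
    [switch]$NeedsSignedMacros   # user is an approved macro user: allow signed macros only
)

$apps    = 'Word', 'Excel', 'PowerPoint'
$warn    = if ($NeedsSignedMacros) { 3 } else { 4 }   # 3 = signed only, 4 = disable all
$desired = @{
    VBAWarnings                       = $warn
    blockcontentexecutionfrominternet = 1             # block macros in files marked from the internet
}

$results = foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    foreach ($name in $desired.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($Apply -and $current -ne $desired[$name]) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type DWord
            $current = $desired[$name]
        }
        [pscustomobject]@{
            App       = $app
            Setting   = $name
            Current   = $current
            Expected  = $desired[$name]
            Compliant = ($current -eq $desired[$name])
        }
    }
}
$results | Format-Table -AutoSize

# "Block Win32 API calls from Office macros" is a Defender ASR rule, not an Office
# setting. Rule id from Microsoft's ASR rule list; action 1 = Block, 2 = Audit, 0 = Off.
$asrId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids)
$idx   = -1
for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $asrId) { $idx = $i } }
$state = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { 'not configured' }

if ($Apply -and $state -ne 1) {
    # Requires elevation.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrId -AttackSurfaceReductionRules_Actions Enabled
    $state = 1
}
[pscustomobject]@{ Rule = 'Block Win32 API calls from Office macros'; Action = $state; Compliant = ($state -eq 1) }
```

Save it as a .ps1 and run it without switches on a few workstations first; that tells you whether your existing policy actually lands on the endpoint, which is the part that usually goes wrong.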

Reality check for SMBs: Most small businesses don’t need macros at all. The handful that do usually have specific finance or data processing workflows. Identify those users and give them limited exceptions; everyone else gets macros disabled.

Strategy 4: User Application Hardening

What Level One requires: Web browsers don’t process Java from the internet. Web browsers don’t process web advertisements from the internet. Internet Explorer 11 is disabled or removed.

In plain English: Turn off risky features in web browsers and remove old, vulnerable software.

How to achieve it:

Remove Internet Explorer 11: It’s end-of-life anyway. Make sure it’s actually gone, not just hidden.

Block web-based Java: Unless you have specific line-of-business apps that require it (and if they do, those apps should probably be replaced), disable Java in browsers.

Block ads: Use browser extensions (uBlock Origin is solid) or DNS-level blocking (Cloudflare Gateway, Pi-hole). Malvertising is real - legitimate ad networks have served malware.

Additionally, disable features like:

  • Flash (should be gone anyway)
  • Autoplay for untrusted content
  • Automatic download of files
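To check that IE11 is really removed and that no browser-facing Java runtime is lingering, here is an added example (not from the original article). It assumes 64-bit Windows 10/11, where IE11 is an optional Windows feature, and it looks for Java only in the standard install folders and the JavaSoft registry key, so a portable JRE dropped elsewhere would not be found.

```powershell
# Added example (not from the original article): confirm IE11 is removed (not just
# hidden) and report any Java runtime left on the workstation.
# Assumptions: 64-bit Windows 10/11; standard Java install locations.

# IE11 is an optional feature; State 'Disabled' means removed. Requires elevation to change.
$feature = 'Internet-Explorer-Optional-amd64'
$ie      = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
$ieState = if ($ie) { [string]$ie.State } else { 'feature not present' }
if ($ie -and $ie.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
    $ieState = 'removal scheduled (reboot to complete)'
}

# Java: installed runtimes and their registry footprint.
$javaDirs = @(@("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java") | Where-Object { Test-Path $_ })
$javaReg  = @(@('HKLM:\SOFTWARE\JavaSoft', 'HKLM:\SOFTWARE\WOW6432Node\JavaSoft') | Where-Object { Test-Path $_ })

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    IE11          = $ieState
    JavaInstalled = ($javaDirs.Count -gt 0 -or $javaReg.Count -gt 0)
    JavaLocations = (($javaDirs + $javaReg) -join '; ')
}
```

Run it across the fleet with Invoke-Command and keep the output: it doubles as evidence for the maturity assessment.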

Reality check for SMBs: The hardest part is discovering what legacy apps might break. Test changes before rolling out widely.

Strategy 5: Restrict Administrative Privileges

What Level One requires: Requests for privileged access are validated when first requested. Privileged accounts are not used for reading email and browsing the web.

In plain English: Not everyone needs admin access. Those who do shouldn’t use it for everyday tasks.

How to achieve it:

Audit who has admin access: In Windows, check the local Administrators group on each machine. In Microsoft 365, review admin roles.

Remove unnecessary admin rights: Most users should be standard users, not administrators. They can still do their work; they just can’t install random software or change system settings.

Create separate admin accounts: If someone needs admin access, they should have two accounts - a standard account for daily work and an admin account used only when needed.

Don’t use admin accounts for email/browsing: This is where many breaches escalate. Click a phishing link as admin, and the attacker has admin access.
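Here is the “audit who has admin access” step as a script for Windows workstations. It is an added example, not from the original article. It assumes you run it elevated on each machine, and the $approved list is a constructed placeholder (CONTOSO names) that you replace with your own named admin accounts and groups.

```powershell
# Added example (not from the original article): compare the local Administrators
# group with an approved list; report extras and, with -Remove, demote them.
# Assumptions: run elevated; $approved below is a placeholder list.
param([switch]$Remove)

$approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (disable it, but it stays a member)
    'CONTOSO\Domain Admins',             # placeholder: your domain admin group
    'CONTOSO\adm-jsmith'                 # placeholder: a separate, named admin account
)

$members = Get-LocalGroupMember -Group 'Administrators'
$report  = foreach ($m in $members) {
    [pscustomobject]@{
        Member   = $m.Name
        Type     = $m.ObjectClass       # User or Group
        Source   = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD
        Approved = ($approved -contains $m.Name)
    }
}
$report | Format-Table -AutoSize

$extra = @($report | Where-Object { -not $_.Approved })
if ($extra.Count -eq 0) {
    Write-Host 'Administrators group matches the approved list.'
} elseif ($Remove) {
    foreach ($e in $extra) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $e.Member
        Write-Host "Removed $($e.Member) from Administrators"
    }
} else {
    Write-Host "$($extra.Count) unapproved member(s); re-run with -Remove to demote them."
}
```

Run it without -Remove first and look at the Source column: a daily-use domain or Entra account showing up here is the “admin account used for email and browsing” problem this strategy is about.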

Reality check for SMBs: This is achievable and high-impact. The pushback will be from people who are used to installing whatever they want. Explain why, provide a process for requesting new software, and stay firm.

Strategy 6: Patch Operating Systems

What Level One requires: Patches, updates or other vendor mitigations for security vulnerabilities in operating systems of internet-facing services, workstations, servers and network devices are applied within two weeks of release.

In plain English: Keep Windows, macOS, Linux, and router/firewall firmware updated.

How to achieve it:

Workstations: Enable Windows Update or macOS automatic updates. Use Intune or similar to manage and report on compliance.

Servers: Schedule monthly patching windows. Test critical patches before deployment if you have the capability.

Network devices: Don’t forget routers, firewalls, and access points. These often don’t auto-update and are frequently overlooked.
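For Windows workstations and servers, the two-week window is easy to measure. The following added example (not from the original article) reports the age of the most recent installed update and what is still pending, using Get-HotFix and the Windows Update Agent COM API. It assumes the machine can reach Windows Update or your WSUS server, and note that Get-HotFix only lists updates recorded in Win32_QuickFixEngineering, so treat the pending list as the authoritative part.

```powershell
# Added example (not from the original article): OS patch status against the
# Level One two-week window. Run locally or via Invoke-Command on a list of hosts.
# Assumption: the machine can reach Windows Update/WSUS for the pending-update search.

$windowDays = 14

$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age    = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }

# Ask the Windows Update Agent for applicable updates that are not yet installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates

$pendingList = @($pending | ForEach-Object {
    [pscustomobject]@{
        Title    = $_.Title
        Severity = $_.MsrcSeverity           # Critical/Important/...; empty for non-security
        KBs      = (@($_.KBArticleIDs) -join ',')
    }
})
$securityPending = @($pendingList | Where-Object { $_.Severity -in 'Critical', 'Important' })

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    LastPatch       = if ($latest) { $latest.HotFixID } else { 'none recorded' }
    LastPatchDate   = if ($latest) { $latest.InstalledOn } else { $null }
    DaysSincePatch  = $age
    PendingUpdates  = $pendingList.Count
    PendingSecurity = $securityPending.Count
    Compliant       = ($null -ne $age -and $age -le $windowDays -and $securityPending.Count -eq 0)
}
$pendingList | Format-Table -AutoSize
```

A machine can show DaysSincePatch within the window and still be non-compliant if a Critical update is sitting in the pending list, which is why the script checks both.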

Reality check for SMBs: The main challenge is network devices - the router in the corner that nobody thinks about until it’s breached. Add firmware update checks to your monthly tasks.

Strategy 7: Multi-factor Authentication

What Level One requires: MFA is implemented for all users when accessing internet-facing services and to authenticate privileged users.

In plain English: Use more than just a password for anything accessible from the internet, and for any admin access.

How to achieve it:

Enable MFA for:

  • Email (Microsoft 365, Google Workspace)
  • VPN and remote access
  • Cloud applications
  • Admin portals

Use authenticator apps (Microsoft Authenticator, Google Authenticator) rather than SMS where possible.

For privileged accounts, consider hardware security keys (YubiKey) for stronger protection.
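To find out who in Microsoft 365 is not registered for MFA, and which admins rely on SMS or voice, the Microsoft Graph PowerShell SDK has a registration report. The script below is an added example, not from the original article. It assumes the Microsoft.Graph.Reports module is installed, an account that can consent to the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes, and it classifies methods by pattern-matching their names (anything containing “Phone” is treated as SMS/voice).

```powershell
# Added example (not from the original article): list users without MFA and
# privileged users on weak methods, from the Entra registration-details report.
# Assumptions: Microsoft.Graph.Reports installed; scopes below granted; method
# names are classified by regex on the report's method strings.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = foreach ($u in $details) {
    $methods  = @($u.MethodsRegistered)
    $strong   = @($methods -match 'Authenticator|OneTimePasscode|fido2|Hello|passkey')
    $phishRes = @($methods -match 'fido2|Hello|passkey')   # hardware-backed / passwordless

    $finding = if (-not $u.IsMfaRegistered)                 { 'NO MFA registered' }
               elseif ($u.IsAdmin -and $phishRes.Count -eq 0) { 'admin without security key / passwordless' }
               elseif ($strong.Count -eq 0)                 { 'SMS/voice only' }
               else                                         { 'ok' }

    [pscustomobject]@{
        User          = $u.UserPrincipalName
        IsAdmin       = $u.IsAdmin
        MfaRegistered = $u.IsMfaRegistered
        Methods       = ($methods -join ',')
        Finding       = $finding
    }
}

$report | Where-Object Finding -ne 'ok' |
    Sort-Object IsAdmin -Descending, User |
    Format-Table -AutoSize

$report | Export-Csv -Path (Join-Path $env:TEMP 'mfa-registration-report.csv') -NoTypeInformation
```

Registration is not enforcement: a user can be registered and still never be prompted if no Conditional Access policy or security default requires it, so pair this report with a check of those policies.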

Reality check for SMBs: This is often the easiest Essential Eight strategy to implement and has the highest impact. If you only do one thing, do this.

Strategy 8: Regular Backups

What Level One requires: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. Restoration of systems, software and important data from backups is tested.

In plain English: Back up your stuff, keep copies offline or immutable, and make sure you can actually restore from them.

How to achieve it:

Identify critical data: What would you need to recover if everything was encrypted tomorrow?

Implement 3-2-1 backup: Three copies, two different media types, one offsite. At least one copy should be offline or immutable (can’t be modified or deleted).

Test restoration: At least annually, actually restore from backup and verify the data is intact and usable.

Document the process: Who’s responsible? How do they restore? What’s the expected recovery time?
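A restore test is only useful if you actually compare what came back with what went in. The script below is an added example, not from the original article: it hashes every file (or a random sample) in the backed-up folder, checks the restored copy for missing or altered files, and appends a one-line record to a CSV for your documentation. The demo data is constructed in $env:TEMP so the script runs as-is; point $source and $restored at your real folders for a genuine test.

```powershell
# Added example (not from the original article): verify a test restore by hash
# comparison and log the result. Demo folders below are constructed; replace
# $source/$restored with the real backup source and restore target.

function Test-Restore {
    param([string]$Source, [string]$Restored, [int]$SampleSize = 0)
    $srcFiles = @(Get-ChildItem -Path $Source -Recurse -File)
    if ($SampleSize -gt 0 -and $srcFiles.Count -gt $SampleSize) {
        $srcFiles = $srcFiles | Get-Random -Count $SampleSize
    }
    foreach ($f in $srcFiles) {
        $rel  = $f.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
        $dest = Join-Path $Restored $rel
        $status = if (-not (Test-Path $dest)) { 'MISSING' }
                  elseif ((Get-FileHash $f.FullName -Algorithm SHA256).Hash -ne
                          (Get-FileHash $dest -Algorithm SHA256).Hash) { 'CORRUPT' }
                  else { 'OK' }
        [pscustomobject]@{ File = $rel; Status = $status }
    }
}

# Constructed demo data: a small "source" and a "restored" copy with one file altered and one missing.
$source   = Join-Path $env:TEMP 'e8-demo-source'
$restored = Join-Path $env:TEMP 'e8-demo-restored'
Remove-Item $source, $restored -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path "$source\finance", $restored -Force | Out-Null
'invoice data' | Set-Content "$source\finance\invoices.csv"
'payroll'      | Set-Content "$source\finance\payroll.csv"
'config v1'    | Set-Content "$source\settings.json"
Copy-Item "$source\*" $restored -Recurse -Force
'config v1 corrupted' | Set-Content "$restored\settings.json"      # simulate silent corruption
Remove-Item "$restored\finance\payroll.csv"                        # simulate an incomplete restore

$report = @(Test-Restore -Source $source -Restored $restored)
$report | Format-Table -AutoSize

# One line per test in the evidence log: who tested, when, and the OK/MISSING/CORRUPT counts.
$summary = ($report | Group-Object Status | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
[pscustomobject]@{
    Date    = Get-Date -Format 's'
    Tester  = $env:USERNAME
    Source  = $source
    Result  = $summary
    Passed  = (@($report | Where-Object Status -ne 'OK').Count -eq 0)
} | Export-Csv -Path (Join-Path $env:TEMP 'restore-test-log.csv') -Append -NoTypeInformation
```

With the demo data the report shows one OK, one CORRUPT and one MISSING file and Passed = False, which is the outcome you want to see in a test rather than in an incident.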

Reality check for SMBs: Many small businesses have backups they’ve never tested. Test yours. The worst time to discover your backup doesn’t work is when you need it.

Putting It All Together

You don’t have to implement all eight strategies at once. Prioritise based on your biggest gaps:

  • If you don’t have MFA: Start there.
  • If you’re not patching: Get that sorted.
  • If everyone’s an admin: Fix privileges.
  • If your backups are questionable: Test them.

Track your progress. The ACSC publishes a maturity assessment guide that lets you score yourself across each strategy.

Level One isn’t the end. But it’s a solid foundation that will protect you from most common attacks. Get there first, then think about Level Two.

For businesses that need help with implementation, firms like AI consultants Melbourne can assist with automation and monitoring to make Essential Eight compliance more manageable.

Good security is a journey, not a destination. Maturity Level One is an excellent place to start.