The Essential Eight: What Every MSP Needs to Know
The Essential Eight isn't optional anymore. The Australian government's Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities to implement it, and as their MSP you will be assessed against it alongside them. If you serve private clients, you still need to understand it, because they are increasingly asking about it.
This guide covers what the Essential Eight is, how to implement it across your MSP, and how to help your clients reach compliance.
What Is the Essential Eight?
The Essential Eight is a set of eight mitigation strategies published by the Australian Signals Directorate (ASD) through its Australian Cyber Security Centre (ACSC). ASD selected them from its broader Strategies to Mitigate Cyber Security Incidents as the most effective baseline: each one blocks or limits a class of attack that ASD sees repeatedly in incident response (malicious code execution, exploitation of unpatched software, credential abuse, and loss of data). Together, they form the baseline for cyber security in Australian government agencies. The model is written for Microsoft Windows based, internet-connected networks, which is where most MSP fleets sit.
The Eight Strategies
| # | Strategy | What It Mitigates | Implementation Difficulty |
|---|---|---|---|
| 1 | Application Control | Execution of unapproved or malicious code (executables, DLLs, scripts, installers) | Medium |
| 2 | Patch Applications | Exploitation of known vulnerabilities in browsers, Office, PDF readers and internet-facing services | Medium |
| 3 | Configure Microsoft Office Macro Settings | Macro-based malware delivered in Office documents | Low |
| 4 | User Application Hardening | Exploitation of browsers, Office and PDF software through features attackers abuse (Java, web ads, OLE, child processes) | Low |
| 5 | Restrict Administrative Privileges | Takeover of the environment and lateral movement from one compromised account | High |
| 6 | Patch Operating Systems | Exploitation of OS-level vulnerabilities | Medium |
| 7 | Multi-Factor Authentication | Use of stolen or phished credentials | Medium |
| 8 | Regular Backups | Data loss, and ransomware extortion (the ability to restore without paying) | Low-Medium |
Maturity Levels
The Essential Eight Maturity Model defines four maturity levels. Since the 2021 revision they are defined by the sophistication of the adversary the organisation can withstand, not by a percentage of alignment:
- Maturity Level Zero: weaknesses in the organisation's posture that commodity attacks can exploit; the Level One requirements are not met
- Maturity Level One: resists adversaries using commodity tradecraft (public exploits, credential phishing, malicious macros in emailed documents)
- Maturity Level Two: resists adversaries with a modest step-up in capability, who invest time in bypassing weak MFA, targeting specific users and evading detection
- Maturity Level Three: resists adaptive adversaries who rely far less on public tools and exploit weaknesses in how controls are implemented
Each level is cumulative: Level Two includes every Level One requirement plus stricter ones. Level Two is the target the PSPF sets for Commonwealth entities.
Most organisations start at Level Zero and work toward Level One. In our experience Level Two takes 6-12 months and Level Three is a multi-year journey; treat those as rough planning figures. One point that catches people out: an organisation's overall maturity level is the lowest level it achieves across all eight strategies, so one lagging strategy (typically application control or administrative privileges) caps the whole score. Bring all eight up together rather than pushing one to Level Three.
Implementation Guide for MSPs
Phase 1: Assessment (Weeks 1-2)
1. Inventory your environment. Before you can implement anything, you need to know what you have:
- List all endpoints (workstations, servers, mobile devices)
- Catalog all applications, including versions and which ones are internet-facing
- Map your network topology
- Document your current security controls and who holds administrative privileges

2. Identify gaps. For each of the eight strategies, assess your current state against the maturity level you are targeting:
- Is application control enforced on workstations, at minimum for user profiles and temporary folders?
- Are internet-facing services, browsers, Office, email clients, PDF software and security products patched within 48 hours when an exploit exists or the vendor rates the vulnerability critical, and within 2 weeks otherwise?
- Are macros disabled for users with no business need, and blocked in files from the internet for everyone else?
- Are browsers configured not to run Java or web advertisements from the internet, with Internet Explorer 11 disabled and settings locked so users cannot change them?
- Are admin privileges restricted to the minimum necessary, on separate accounts that cannot browse the web or read email?
- Are operating systems patched on the same cadence, and are all of them vendor-supported releases?
- Is MFA enabled on all external-facing services and for all privileged users?
- Are backups performed on a schedule that matches business continuity requirements (this guide uses daily), tested monthly, and protected from modification or deletion by unprivileged accounts?

3. Prioritise. Start with the strategies that have the highest impact for the lowest effort:
- User Application Hardening (quick win)
- Macro Settings (quick win)
- Regular Backups (quick win)
- Multi-Factor Authentication (medium effort, high impact)
Phase 2: Quick Wins (Weeks 3-6)
Application Hardening. Apply the Maturity Level One browser settings, plus the Office and scripting controls that break the common macro-to-PowerShell chain:
- Disable or remove Internet Explorer 11, and uninstall any remaining Adobe Flash Player (Flash has been end-of-life since 2020 and cannot be blocked, only removed)
- Block browsers from running Java from the internet
- Block web advertisements (an enterprise-managed ad blocker or DNS filtering)
- Lock browser security settings so users cannot change them
- Block Microsoft Office from creating child processes, creating executable content and injecting code into other processes; this is what stops a macro spawning PowerShell, and Defender's Attack Surface Reduction rules implement it directly
- Disable Windows Script Host where no business process depends on .vbs or .js scripts
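As an added example (not code from the original guide or from ASD), the script below enables the Defender Attack Surface Reduction rules behind the Office and script items above, in audit mode first, and reports both the current state of each rule and what it would have blocked. It assumes Microsoft Defender Antivirus is the active AV (ASR rules are a Defender feature), that you run it elevated, and that the rule GUIDs are the ones Microsoft publishes; the function names are this example's own.

```powershell
# Added example, not from the original guide. Requires Microsoft Defender AV
# and an elevated PowerShell session. Rule GUIDs are Microsoft's published IDs.

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

# Defender reports rule actions as numbers; map them back to names for the report.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Set-E8AsrRules {
    # Pilot in AuditMode; switch to Enabled once the audit events are clean.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    $ids = @($AsrRules.Keys)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@($Mode) * $ids.Count)
}

function Get-E8AsrRuleState {
    # One row per rule with the action Defender currently applies, or NotSet.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $current = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $name = if ($ActionNames.ContainsKey([int]$actions[$i])) { $ActionNames[[int]$actions[$i]] } else { "$($actions[$i])" }
        $current[$ids[$i].ToUpper()] = $name
    }
    foreach ($id in $AsrRules.Keys) {
        $action = if ($current.ContainsKey($id)) { $current[$id] } else { 'NotSet' }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; Action = $action }
    }
}

function Get-E8AsrAuditHits {
    # Event 1122 = a rule in audit mode would have blocked something;
    # 1121 = a rule actually blocked something once enforced.
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Detail = $_.Message }
    }
}

Set-E8AsrRules -Mode AuditMode
Get-E8AsrRuleState | Format-Table -AutoSize
Get-E8AsrAuditHits -Days 14 | Format-Table -Wrap
```

Run it on a pilot group for two weeks, review the 1122 events for legitimate workflows (line-of-business add-ins that spawn helper processes are the usual offenders), add exclusions for those, then rerun with -Mode Enabled. Keep the state report as evidence for the maturity assessment.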
Macro Settings. The model's approach, which maps directly onto the Office policy settings:
- Disable macros entirely for users without a demonstrated business requirement
- Block macros in files that came from the internet (files carrying the Mark-of-the-Web) for everyone else
- Where macros are genuinely needed, allow only those digitally signed by a trusted publisher, or running from a Trusted Location you control
- Lock the settings through Group Policy so users cannot re-enable macros themselves, and make sure antivirus scans macros
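As an added example (not code from the original guide or from ASD), the script below applies and audits the Office policy registry values behind those settings, for a standalone machine or to verify what a GPO actually landed. In production deploy the same values through Group Policy so users cannot change them. It assumes Office 16.0 (2016/2019/2021/Microsoft 365) and the per-user policy hive (HKCU); the function names are this example's own, and Trusted Publisher certificates are deployed separately.

```powershell
# Added example, not from the original guide. Office 16.0 policy hive assumed.

$OfficeApps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio'

function Get-DesiredMacroPolicy {
    # VBAWarnings 4 = disable all macros without notification (users with no
    # business need); 3 = disable all except digitally signed (users who need
    # macros from trusted publishers). 1 and 2 are never acceptable.
    param([ValidateSet(3, 4)][int]$VbaWarnings = 4)
    @{
        VBAWarnings                       = $VbaWarnings
        blockcontentexecutionfrominternet = 1   # block macros in files carrying Mark-of-the-Web
    }
}

function Set-OfficeMacroPolicy {
    param([int]$VbaWarnings = 4)
    $desired = Get-DesiredMacroPolicy -VbaWarnings $VbaWarnings
    foreach ($app in $OfficeApps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $desired.Keys) {
            New-ItemProperty -Path $path -Name $name -Value $desired[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-OfficeMacroPolicy {
    # One row per app and setting; export the non-compliant rows as evidence.
    param([int]$VbaWarnings = 4)
    $desired = Get-DesiredMacroPolicy -VbaWarnings $VbaWarnings
    foreach ($app in $OfficeApps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        foreach ($name in $desired.Keys) {
            $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Expected  = $desired[$name]
                Actual    = $actual
                Compliant = ($actual -eq $desired[$name])
            }
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 4
Test-OfficeMacroPolicy -VbaWarnings 4 | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Use -VbaWarnings 3 only for the security group that has a documented macro requirement, and keep Test-OfficeMacroPolicy in your RMM as a recurring check: a value under the Policies key that drifts back to 1 or 2 means someone has been editing policy, not just a user clicking "Enable Content".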
Backups.
- Back up critical data, software and configuration settings on a schedule that matches business continuity requirements; for most MSP clients that means daily
- Store backups offline, immutable, or in a separate environment the production domain cannot reach, so that an attacker with domain admin cannot encrypt the backups along with everything else
- Restrict who can access, modify or delete backups: unprivileged accounts must not be able to, and at higher maturity levels neither should ordinary privileged accounts (break-glass accounts only)
- Test restoration monthly, by restoring to a clean environment, not just by checking that the job reported success
- Retain at least 3 months of history (our rule of thumb; the model leaves retention to business continuity requirements)
Multi-Factor Authentication. Enable MFA on:
- All VPN and remote access solutions
- Email (Exchange, Microsoft 365, Google Workspace)
- Cloud management consoles (Azure and Entra, AWS, Google Cloud)
- RMM and PSA tools (your own tooling is the highest-value target an attacker can reach through a client)
- Privileged user accounts (domain admin, tenant admin). Service accounts cannot answer an interactive MFA prompt; replace them with managed service accounts or workload identities and restrict where they can log on instead
Prefer phishing-resistant methods (FIDO2 security keys, passkeys, smart cards) over SMS, voice codes and simple push approvals, which phishing kits and push-fatigue attacks defeat; if push must stay, enable number matching.
Phase 3: Medium-Term (Weeks 7-16)
Application Control. This is the most complex strategy. You need to:
- Build an allowlist of approved executables, software libraries (DLLs), scripts, installers, compiled HTML, HTML applications and control panel applets; the model names all of these file types, not just .exe
- Block everything else from executing, starting with user profiles and temporary folders (the Maturity Level One scope) and extending to the rest of the system at higher levels
- Roll out in audit mode first and review what would have been blocked before enforcing
- Maintain the allowlist as applications change, and log allowed and blocked events centrally
Windows Defender Application Control (WDAC, now called App Control for Business) or AppLocker can implement this natively. AppLocker is simpler to author, but its enforcement is only supported on Enterprise and Education editions; WDAC runs on Pro and Server as well and is where Microsoft is investing.
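As an added example (not code from the original guide or from ASD), the script below builds an AppLocker policy from the software on a reference workstation, applies it in audit mode, and lists what it would have blocked so you can review before enforcing. It assumes an elevated session on a machine with the standard build, an Enterprise or Education edition, and that the policy path C:\E8\applocker.xml and the function name are this example's own choices.

```powershell
# Added example, not from the original guide. Run elevated on a reference build.

$PolicyPath = 'C:\E8\applocker.xml'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Inventory executables, DLLs, scripts and installers in the standard
#    install locations. User profiles and %TEMP% are deliberately excluded:
#    code running from there is what Maturity Level One requires you to stop.
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Publisher rules for signed files, hash rules for the rest; -Optimize
#    merges rules that cover the same publisher and product.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                                 -User Everyone -Optimize -Xml

# 3. Start in audit mode by setting EnforcementMode on every rule collection.
[xml]$xml = $policyXml
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($PolicyPath)

# 4. Apply locally for the pilot (use Set-AppLockerPolicy -Ldap against a GPO
#    for the fleet). AppLocker does nothing unless the Application Identity
#    service runs; on current Windows builds it can only be configured with sc.exe.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. After the pilot period, list what WOULD have been blocked. Event 8003 is
#    the audit-mode "would have blocked" event; 8004 is a real block once
#    enforced. Every legitimate path here needs a rule before you change
#    EnforcementMode to 'Enabled'.
function Get-AppLockerAuditHits {
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = $data.TargetUser
            File = $data.FilePath
        }
    } | Sort-Object File -Unique
}

Get-AppLockerAuditHits -Days 14 | Format-Table -AutoSize
```

To check a single suspect file against the policy without waiting for events, use Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path 'C:\Users\someone\Downloads\tool.exe' -User Everyone. Review the Script and MSI logs (Microsoft-Windows-AppLocker/MSI and Script) the same way; blocking .exe while leaving PowerShell and .msi unconstrained is the most common half-finished deployment assessors find.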
Patch Applications. Establish a patching cadence measured from vendor release, not from when you noticed:
- Critical vulnerabilities, or any vulnerability with a known exploit, in internet-facing services: patch within 48 hours
- Other vulnerabilities in internet-facing services, browsers, Office, email clients, PDF software and security products: patch within 2 weeks
- Everything else: patch within 1 month
You cannot meet a deadline you cannot measure, so run a vulnerability scanner at least daily against internet-facing services and at least fortnightly across the rest, and remove applications the vendor no longer supports rather than trying to patch around them.
Use your RMM tool to automate patching and reporting, and keep the scanner's view independent of the RMM's so one tool checks the other.
Restrict Administrative Privileges.
- Implement least privilege: validate every request for privileged access when it is first made, and revalidate it regularly (the model uses 12 months; at higher levels access is disabled after 45 days of inactivity)
- Separate admin accounts from daily-use accounts, and block the admin accounts from accessing the internet, email and web services
- Use Privileged Access Workstations (PAWs), dedicated hardened machines used for admin tasks only, which the model calls for at Maturity Level Three
- Log and audit all admin actions, including changes to privileged accounts and groups
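As an added example (not code from the original guide or from ASD), the script below audits the members of the privileged Active Directory groups against the rules above, flagging accounts that have a mailbox, are not dedicated admin accounts, have gone unused, have old passwords, or are disabled but still members. It assumes the RSAT ActiveDirectory module is installed and that the -adm naming suffix for admin accounts is a convention of this example; the 45-day and 12-month defaults mirror the thresholds in the maturity model.

```powershell
# Added example, not from the original guide. Requires the RSAT ActiveDirectory module.

Import-Module ActiveDirectory

function Get-PrivilegedAccountFindings {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$StaleDays = 45,               # model: disable after 45 days of inactivity
        [int]$MaxPasswordAgeDays = 365,     # model: revalidate privileged access every 12 months
        [string]$AdminSuffix = '-adm'       # this example's naming convention for admin accounts
    )
    $now = Get-Date
    foreach ($group in $Groups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties EmailAddress, LastLogonDate, PasswordLastSet, Enabled |
            ForEach-Object {
                $findings = @()
                if ($_.EmailAddress) {
                    $findings += 'has a mailbox (privileged accounts must not access email)'
                }
                if ($_.SamAccountName -notlike "*$AdminSuffix") {
                    $findings += "not a dedicated admin account (expected name ending in $AdminSuffix)"
                }
                if (-not $_.LastLogonDate -or ($now - $_.LastLogonDate).Days -gt $StaleDays) {
                    $findings += "no logon in the last $StaleDays days"
                }
                if (-not $_.PasswordLastSet -or ($now - $_.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
                    $findings += "password older than $MaxPasswordAgeDays days or never set"
                }
                if (-not $_.Enabled) {
                    $findings += 'disabled but still a member (remove it; disabled accounts get re-enabled)'
                }
                if ($findings.Count -gt 0) {
                    [pscustomobject]@{
                        Group    = $group
                        Account  = $_.SamAccountName
                        Findings = $findings -join '; '
                    }
                }
            }
    }
}

Get-PrivilegedAccountFindings | Sort-Object Group, Account | Format-Table -Wrap -AutoSize
```

Run it monthly from a PAW and keep the output; an assessor asking how you validate privileged access will accept a dated list of findings and the tickets that closed them far more readily than a policy document.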
Phase 4: Long-Term (Months 4-12)
Patch Operating Systems.
- Same cadence as application patching: 48 hours for critical or exploited vulnerabilities on internet-facing hosts, 2 weeks otherwise
- Run vendor-supported OS releases only (the model requires the latest or the previous release); an unsupported OS cannot be patched and is a Level Zero finding on its own
- Test patches on a pilot ring before deploying to production
- Maintain a rollback plan for failed patches
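As an added example (not code from the original guide or from ASD) serving both the application and the operating system cadence above, the script below asks the Windows Update Agent which updates are still missing on the host and flags each one against the cadence (48 hours for Critical, 14 days for Important, 30 days for everything else). It assumes the host can reach its update source (WSUS or Microsoft Update), that MsrcSeverity is the severity you track, and that the function name and the exit-code convention for the RMM are this example's own; third-party applications the agent does not see still need your scanner.

```powershell
# Added example, not from the original guide. Uses the Windows Update Agent COM API.

$SlaDays = @{
    Critical  = 2     # 48 hours
    Important = 14    # two weeks
    Default   = 30    # one month for Moderate, Low and unrated updates
}

function Get-OverdueUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: not yet installed; IsHidden=0: not deliberately declined.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $now      = Get-Date

    foreach ($u in $result.Updates) {
        $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Default' }
        $allowed  = if ($SlaDays.ContainsKey($severity)) { $SlaDays[$severity] } else { $SlaDays['Default'] }
        $released = $u.LastDeploymentChangeTime     # when the update was (re)published
        $age      = ($now - $released).Days
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
            Severity = $severity
            Released = $released.ToString('yyyy-MM-dd')
            AgeDays  = $age
            SlaDays  = $allowed
            Overdue  = ($age -gt $allowed)
        }
    }
}

$report = Get-OverdueUpdates
$report | Sort-Object Overdue, AgeDays -Descending | Format-Table -AutoSize

# Exit non-zero when anything is overdue so the RMM raises an alert on this host.
if ($report | Where-Object Overdue) { exit 1 }
```

Schedule it as an RMM script on every endpoint and alert on the exit code; the per-host table is also the evidence an assessor wants when they ask how you know the 48-hour window was met rather than just that the patch job ran.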
Continuous Monitoring.
- Monitor for compliance drift: a setting that was enforced last quarter may have been changed since
- Review logs for policy violations: application control blocks, macro execution, privileged account use
- Conduct regular penetration testing, and self-assess against ASD's published Essential Eight assessment process so your evidence matches what an independent assessor will ask for
- Update policies as the threat landscape and the maturity model change; ASD revises the model periodically, so re-read each release
Common Pitfalls
1. Trying to do everything at once. Start with quick wins and build momentum; the phases above are sequenced for that reason.
2. Ignoring the exceptions. Some applications can't be patched or controlled. Document exceptions formally, put compensating controls around them (network isolation, tightly scoped application control rules), and review them quarterly.
3. Treating it as a one-time project. The Essential Eight requires ongoing maintenance. Build it into your operational processes.
4. Not testing. A backup that's never tested isn't a backup. Test restoration on the schedule you set in Phase 2 (monthly in this guide), and test application control and macro policy against real user workflows in audit mode before enforcing.
5. Forgetting the people. Technical controls fail when users find workarounds. Train your staff and clients on why these controls matter.
How to Sell This to Clients
The Essential Eight isn't just a compliance checkbox — it's a sales opportunity:
For government clients:
- Essential Eight compliance is mandatory under the PSPF, with Maturity Level Two as the target
- You can offer compliance consulting plus ongoing managed compliance
- The framework provides a clear scope for engagements

For private clients:
- "Are you Essential Eight compliant?" is a question that creates urgency
- Cyber insurers increasingly ask about the same controls (MFA, tested backups, patching, admin restrictions) on their questionnaires, so the framework doubles as insurance readiness
- The framework provides a roadmap for security improvement

Pricing (indicative figures from our own engagements; client size and scope drive the real number):
- Initial assessment: A$5,000-15,000
- Implementation: A$15,000-50,000
- Ongoing compliance: A$2,000-5,000/month (managed service)
This guide is based on the Australian Signals Directorate's Essential Eight Maturity Model (updated July 2023) and practical implementation experience across Australian MSP environments.