• cyber security
  • Essential Eight
  • small business
  • ACSC
  • Newcastle

Essential Eight for Hunter Small Businesses: Where to Start

Cyber security can feel overwhelming for a small business. You’re busy running things — serving clients, managing staff, keeping the books — and then someone mentions the Essential Eight and it sounds like a government compliance project your team of six simply cannot afford.

Here’s the good news: the ACSC Essential Eight is not an all-or-nothing programme. It’s a prioritised list of eight mitigations designed precisely so organisations can make meaningful progress without unlimited resources. If you run a small business in Newcastle, Maitland, Lake Macquarie, or anywhere in the Hunter Valley, here is a realistic place to start.

What Is the Essential Eight?

The Australian Cyber Security Centre (ACSC) publishes the Essential Eight as its baseline mitigation strategy for Australian organisations. It covers:

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Office Macro Settings
  4. User Application Hardening
  5. Restrict Administrative Privileges
  6. Patch Operating Systems
  7. Multi-Factor Authentication (MFA)
  8. Regular Backups

Each mitigation has four Maturity Levels (ML0-ML3). ML0 means the control is not implemented. ML1 is the baseline that every organisation should reach.

Start Here: MFA and Patching

For most Hunter small businesses, the two highest-bang-for-buck controls are Multi-Factor Authentication and patching.

Multi-Factor Authentication (MFA)

MFA stops the overwhelming majority of credential-based attacks cold. If an attacker obtains your staff member’s password – via phishing, data breach, or password reuse – MFA prevents them logging in without a second factor (an app, hardware key, or SMS code).

Where to start:

  • Enable MFA on Microsoft 365 or Google Workspace for every account, especially admin accounts
  • Enable MFA on your accounting software (MYOB, Xero), your banking portals, and your VPN
  • Use an authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS where possible – SMS can be intercepted via SIM-swapping

Patch Applications and Operating Systems

Unpatched software is the number-one entry point for ransomware. The good news is that enabling automatic updates on Windows, macOS, and your key applications – Microsoft 365, your browser, Adobe Acrobat – gets you most of the way to ML1 for both patching controls.

Where to start:

  • Enable Windows Update automatic updates (set to install within two weeks of release)
  • Enable automatic updates in Microsoft 365 Admin Centre
  • Set a monthly reminder to check your router and NAS firmware – these are often forgotten

The One You Can Do This Afternoon: Restrict Administrative Privileges

Most small business staff do not need local administrator rights on their PC. Yet many still have them by default, either from the initial setup or because “it was easier”. Removing admin rights from day-to-day accounts means that even if a staff member clicks a malicious attachment, the malware cannot install itself or modify system files.

  • Create a separate admin account for IT tasks
  • Set everyday user accounts to standard user
  • Your IT provider can do this in under an hour for a typical small business

Backups: The Last Line of Defence

Ransomware encrypts your files and demands payment. A recent, tested, offline or offsite backup means you can recover without paying.

The Essential Eight ML1 requirement is:

  • Daily backups of important data
  • Backups stored offline or in a separate environment (not connected to the network being backed up)
  • Backups tested – meaning you have actually restored from them and confirmed the data is readable

Cloud backup solutions like Microsoft 365 Backup, Acronis, or Veeam with offsite replication satisfy this requirement for most small businesses.

A Realistic Roadmap for a Hunter Small Business

Week Action
1 Enable MFA on Microsoft 365 or Google Workspace for all accounts
2 Enable automatic updates on all workstations and servers
3 Remove admin rights from day-to-day user accounts
4 Set up daily offsite backups and run a test restore
Ongoing Monthly firmware check for routers, switches, NAS

Need a Hand Getting Started?

Peritus Digital works with small and medium businesses across Newcastle, Maitland, Lake Macquarie, and the Central Coast to implement the Essential Eight at a pace and budget that makes sense. We can assess your current maturity level, produce a plain-English gap report, and handle the remediation work – so you can get back to running your business.

Talk to our team about a cyber security assessment

Let's talk

Talk to Peritus about your IT and cyber security.

Newcastle's local technology partner — practical, plain-English advice and hands-on support for Hunter Region businesses.