Cyber Security in WA: What the Essential Eight means for your organisation
Cyber threats aren’t just something big corporations deal with anymore. Across Western Australia, small and medium businesses and not-for-profits are increasingly being targeted. The reality is, you’re often holding valuable data, and with smaller teams, it can be harder to stay on top of everything. When something does go wrong, it’s not just an IT issue – it can mean lost time, lost income, and a hit to your reputation.
If you’ve ever looked into cyber security and felt a bit unsure where to start, you’re not the only one. There’s a lot of information out there, and it can get overwhelming quickly. The Australian Essential Eight is a great place to begin. It focuses on practical steps that help reduce real, everyday risks, without overcomplicating things.
In this guide, we’ll walk through what the Essential Eight means for your business and how it helps you stay protected in a way that makes sense. We’ll also share a few straightforward wins you can start putting in place now.
The WA threat snapshot for SMBs and NFPs
Here in WA, most of the cyber issues we see don’t come from anything overly complex. It’s usually the same few entry points. Phishing emails and business email compromise are still the quickest way for someone to get access. From there, it can lead to things like invoice fraud or accounts being taken over.
Ransomware is another big one, especially when systems haven’t been updated in a while or backups aren’t set up properly. And when passwords get reused or stolen, it opens the door for attackers to move around easily.
For not-for-profits and community organisations, it can be even tougher. Budgets are often tight, systems might be a bit older, and email plays a big role in day-to-day work, which makes it a common target.
There are also a couple of things we’re seeing more of lately. Cyber insurance providers are asking more questions before offering cover, things like whether you’re using multi-factor authentication, how your backups are set up, and how often systems are updated. At the same time, clients, partners and funders are expecting more transparency around how you’re protecting their data.
The upside is that the steps to reduce your risk are well understood. You don’t need to guess your way through it, and you can make steady improvements without overhauling everything at once.
Understanding the Essential Eight
The Essential Eight (E8) is a set of eight practical security measures put together by the Australian Signals Directorate through the Australian Cyber Security Centre. The goal is straightforward: help prevent common cyber attacks, reduce the damage if something does get through, and make it easier to recover.
From a business point of view, it comes down to three things:
- Lowering the chances of an attack getting in
- Limiting how far it can spread if it does
- Making sure you can get back up and running without major disruption
The eight strategies themselves are fairly straightforward when you break them down:
- Application control: Only allow approved and trusted software to run on your systems.
- Patch applications: Keep everyday tools like browsers and Microsoft Office up to date on a regular schedule.
- Microsoft Office macro settings: Block macros from the internet and only allow trusted ones internally.
- User application hardening: Switch off features in browsers and PDF tools that are commonly used in attacks.
- Restrict administrative privileges: Limit who has admin access and keep it separate from normal user accounts.
- Patch operating systems: Make sure Windows, macOS and other systems are updated within a reasonable timeframe.
- Multi-factor authentication: Add an extra layer of security for important logins like email, remote access and admin accounts.
- Regular backups: Keep backups that are reliable, tested, and stored in a way that ransomware can’t get to them.
You might also hear about “maturity levels” from 0 to 3. This is simply a way of measuring how consistently these steps are being applied across your business, from basic through to well managed.
Is it mandatory in Australia?
For most small to medium businesses and not-for-profits, the Essential Eight isn’t something you’re legally required to have in place.
That said, it is strongly recommended, and it comes up more often than people expect. Government organisations, insurers, and larger partners are increasingly using it as a benchmark when they’re looking at your security.
If you’re working with government, handling sensitive data, or operating in areas like healthcare or aged care, there’s a good chance you’ll see Essential Eight requirements show up in contracts, audits or compliance checks.
Even if it’s not a requirement for you, putting these measures in place shows that you’re taking security seriously. It also helps when it comes to things like cyber insurance, where providers are now asking more detailed questions before offering cover.
NIST vs Essential Eight at a glance
Both the Essential Eight and the NIST Cyber Security Framework are designed to help reduce cyber risk. The difference is really in how they’re used.
The Essential Eight is more hands-on. It gives you a clear set of actions to put in place, which makes it a good fit for smaller teams that want to know what to focus on first.
NIST, on the other hand, takes a step back. It looks at cyber security across five areas: Identify, Protect, Detect, Respond and Recover. It’s more flexible and more detailed, but can feel like a lot if you’re starting from scratch.
A simple way to approach it without overcomplicating things:
- Use NIST as a high-level structure for how you think about risk and reporting
- Use the Essential Eight to guide what you implement day to day
- As you get more comfortable, build out the areas NIST covers like incident response plans, monitoring and supplier risk
In practice, there’s a fair bit of overlap. Things like multi-factor authentication, patching and backups tick boxes in both. The key is to keep a record of what you’ve put in place so you can clearly show how it lines up, whether you’re talking to a board, an insurer or a client.
Quick wins and common challenges
A good place to start is with the controls that make an immediate difference and are often asked about in insurance questionnaires.
- MFA where it matters most: Set up multi-factor authentication for Microsoft 365, remote access, admin accounts and anything tied to finance. App-based authenticators are generally more secure than SMS.
- A patching routine you can stick to: Automate updates for operating systems and browsers, then set a regular monthly window to update other applications. Keep track of anything that can’t be updated straight away and plan around it.
- Backups you know will work: Make sure you have at least one backup that’s offline or can’t be altered. Test your backups regularly, not just that they exist, but that you can actually restore from them. It also helps to have a simple understanding of how quickly you can recover and how much data you could lose if something goes wrong.
- Starting with application control: You don’t need to roll this out everywhere on day one. Start with higher-risk systems like servers or finance machines, then expand from there.
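As an added illustration of the controls listed above and the patching quick win (this is example code written for this guide, not a tool from Impact ICT or the ASD), the following read-only PowerShell spot check looks at three Essential Eight controls on a single Windows workstation: how long since the last Windows update was installed, who holds local administrator rights, and whether the "block macros from the internet" Office policy is in place. The 30-day patch threshold and the Office 16.0 policy path are assumptions for illustration, not ASD-mandated figures.

```powershell
# Added example for this guide (not Impact ICT's or the ASD's tooling).
# Read-only spot check of three Essential Eight controls on one Windows machine.
# Assumptions: a 30-day patch threshold (illustrative, not an ASD figure) and
# Office policy written to the HKCU 16.0 policy path (Office 2016/2019/365).

$MaxDaysSincePatch = 30                      # assumption: flag if nothing installed in 30 days
$OfficeApps        = 'Word', 'Excel', 'PowerPoint'

# 1. Patch operating systems: when did the last Windows update land?
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |        # some entries have no install date
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($lastPatch) {
    $age    = (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
    $status = if ($age -gt $MaxDaysSincePatch) { 'GAP' } else { 'OK' }
    "[{0}] Patch OS: last update {1} installed {2} days ago" -f $status, $lastPatch.HotFixID, $age
} else {
    "[GAP] Patch OS: Get-HotFix reported no installed updates"
}

# 2. Restrict administrative privileges: who is in the local Administrators group?
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
$status = if ($admins.Count -gt 2) { 'REVIEW' } else { 'OK' }   # assumption: more than 2 members warrants review
"[{0}] Restrict admin: {1} member(s) of local Administrators: {2}" -f $status, $admins.Count, ($admins -join ', ')

# 3. Office macro settings: is "block macros from files from the internet" enforced by policy?
foreach ($app in $OfficeApps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $val = Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue
    if ($val -and $val.blockcontentexecutionfrominternet -eq 1) {
        "[OK] Macros: $app internet-macro block policy enforced"
    } else {
        "[GAP] Macros: $app internet-macro block policy not set"
    }
}
```

Run it as the signed-in user on a workstation to get a quick per-control "OK/GAP" view; it changes nothing and is a starting point for the gap review described later, not a full maturity assessment.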
There are a few common challenges we see when putting this in place: older systems that don’t play nicely with modern security, team members getting frustrated with extra login steps, and not always having the time to properly test changes.
The best way through it is to take a phased approach, communicate clearly with your team, and lean on vendors or partners where needed. In Microsoft environments, having centralised management in place can make a big difference in keeping everything consistent across the business.
If you’d like a hand getting these basics in place, our cyber security services page breaks down how we approach patching, backups and ongoing protection as part of a managed plan.
How Impact ICT implements and assesses Essential Eight
We take a practical approach to the Essential Eight, based on what works best for local businesses day to day. Our team has completed the Essential Eight assessor course, so we’re not just applying the controls, we’re also looking at how well they’re working across your environment.
A typical engagement usually looks something like this:
- Understanding where you’re at: We start with a review of your current setup against the Essential Eight maturity levels. You’ll get a clear picture of any gaps and what they mean for your business.
- Focusing on the quick wins first: From there, we prioritise the changes that make the biggest impact early on. This often includes things like multi-factor authentication, patching, and strengthening your backups.
- Getting consistency across your systems: We set up baseline configurations across Microsoft 365 and Intune so security settings are applied consistently across devices, not just here and there.
- Helping your team play their part: Security isn’t just technical. We run user awareness training with phishing simulations and practical guidance, so your team knows what to look out for and how to respond.
- Building a plan you can maintain: Finally, we map out a roadmap to help you reach and maintain your target maturity level, including regular reviews and a clear way to manage changes over time.
For not-for-profits, we also offer a free cyber security audit to highlight any immediate risks and where to focus first, especially where budgets are tight.
If you’re deciding whether to manage this internally or bring in support, our managed IT services page gives a good overview of how we work alongside businesses as their IT team.
And if your focus is more around Microsoft 365, device compliance and tightening up access, our endpoint management services go into how we standardise policies and keep everything running smoothly.
Bringing it together
If you’re looking for a practical place to start, focus on the basics first. Things like multi-factor authentication, patching, backups and limiting admin access go a long way in reducing risk. From there, you can build toward a consistent Essential Eight maturity level over time.
You don’t need to tackle everything at once. Small, steady improvements and regular checks will make a real difference, especially when you’re focusing on the areas that matter most to your business.
If you’re a not-for-profit, you can request our free cyber security audit to get a clear picture of where things stand and what to prioritise. For other organisations, an Essential Eight readiness review is a good way to understand your current position and the quickest steps to strengthen your setup.
We’re based locally and work with businesses across Mandurah, the Peel region and Perth, so our focus is always on what’s practical and achievable. You can contact us on (08) 9520 8666 or [email protected].
FAQ
Is cyber security in demand in Australia?
Yes, and it’s only increasing. We’re seeing more frequent phishing attempts, ransomware incidents and data breaches, along with tighter requirements from insurers and higher expectations from clients and partners. For many small to medium businesses and not-for-profits, it’s no longer a “nice to have”, it’s something that needs ongoing attention and support.
Is the Essential Eight mandatory?
For most private businesses and not-for-profits, it’s not a legal requirement. However, it does come up in certain contracts, especially when working with government or handling sensitive information. Even when it’s not required, it’s widely recommended and helps show that you’re taking reasonable steps to protect your business.
What is the Essential Eight framework?
It’s a set of eight practical security measures developed by the Australian Signals Directorate through the Australian Cyber Security Centre. The focus is on reducing the chances of an attack, limiting the impact if something does get through, and making sure you can recover quickly.
What’s the difference between NIST and the Essential Eight?
NIST takes a broader view and looks at cyber security across areas like identifying risks, protecting systems, detecting issues and responding to them. The Essential Eight is more focused on specific actions you can put in place straight away. A lot of businesses use the Essential Eight to get the basics right, then use NIST as a way to structure policies and reporting.
Who created the Essential Eight?
It was developed by the Australian Signals Directorate and is delivered through the Australian Cyber Security Centre.