New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

All Articles
Compliance
3 min read

Essential Eight for Teams Without a Security Department

You don't need a SOC, a CISO, or a seven-figure budget to start maturing. Here's a sane order of operations for organisations doing security with their other hat on.

Christina Arcane

The ACSC Essential Eight gets presented like an enterprise programme: eight strategies, four maturity levels, an implied army of specialists. For a thirty- person company where "the IT team" is one person named Dave who also runs the phones, that framing is paralysing. So nothing happens, and "we'll do security properly next year" becomes a tradition.

Here's the reframe: the Essential Eight is a sequence, not a checklist you attack all at once. Most small and mid-size organisations can make genuine, audit-visible progress on three or four strategies without hiring anyone.

What the Eight actually areLink to this section

StrategyThe plain-English versionA realistic first move
Patch applicationsUpdate your softwareTurn on auto-update for browsers and key apps
Patch operating systemsUpdate the machinesEnforce OS updates via your device management tool
Multi-factor authenticationTwo steps to log inMFA on email and admin consoles first
Restrict admin privilegesFewer keys to the kingdomRemove local admin from daily-use laptops
Application controlOnly run approved softwareStart with an allowlist on your most sensitive machines
Restrict Office macrosStop a classic malware pathBlock macros from the internet by default
User application hardeningShrink the attack surfaceDisable Flash, Java, and ads in the browser
Regular backupsBe able to recoverAutomate backups and test a restore

Start where the leverage isLink to this section

If you do nothing else this quarter, do these three.

Patch applications and operating systemsLink to this section

Unpatched software is the boring answer because it's still the right one. Most real-world intrusions walk through a hole that had a fix available months ago. Turn on automatic updates everywhere you can, and put the few that need a human on a recurring calendar invite so they don't quietly rot.

Multi-factor authentication, everywhere that mattersLink to this section

Passwords stopped being a control years ago; they're a placeholder until MFA arrives. Email and admin consoles first – those are the accounts attackers use to reset everything else. Phishing-resistant MFA (passkeys, hardware keys) is the gold standard, but any MFA beats a password alone.

Backups you have actually restoredLink to this section

A backup nobody has tested is a wish with a cron job. Ransomware doesn't care how diligently you copied your data if you can't get it back. Run a real restore drill at least quarterly, time it, and write down who did what.

Where automation and AI quietly helpLink to this section

You don't have the headcount to watch logs all night, so let the tooling do it. Modern endpoint and identity platforms now flag anomalous logins, surface missing patches, and summarise alerts in plain language – work that used to need an analyst. Lean into that. Just remember the flip side: every AI assistant your team adopts is also new software that needs patching, access control, and a line in your asset list. Capability and attack surface arrive in the same box.

Pick a target and mean itLink to this section

Maturity Level One across all eight strategies beats Level Three on two and chaos on the other six. Consistency is the control.

Choose a maturity level, sequence the work, assign each strategy an owner with a date, and review it quarterly. The organisations that mature aren't the ones with the biggest budgets. They're the ones that picked an order and kept showing up.