If you have read our introductory guide to the Essential Eight, you know it is a set of eight security controls published by the Australian Cyber Security Centre (ACSC). What you might not know is what you actually need to do to meet Level 1, the baseline maturity level.
Level 1 is not about perfection. It is about getting the fundamentals in place so your business is not an easy target. Most small and mid-sized businesses in Sydney are sitting well below Level 1 right now. That is not a criticism. It is a starting point.
Here is what each of the eight controls looks like at Level 1 maturity, and what it means in your office.
1. Application Control
Application control means only approved software can run on your work computers. At Level 1, this applies to workstations: your staff laptops and desktops.
In practice, this stops an employee from accidentally running a malicious program they downloaded from a dodgy link. It also stops ransomware from executing even if it lands on a machine.
What you need to do: configure your devices so only approved applications can run. Microsoft provides built-in tools for this (AppLocker or Windows Defender Application Control). Your IT team sets the rules. Your staff should not notice any difference, unless they try to install something they should not be installing.
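The point of "someone checks it is actually working" is easy to illustrate. The script below is an added example, not code from the article or from the ACSC: it checks whether AppLocker is really in effect on a Windows workstation, then copies a harmless Windows program into a user-writable folder and asks AppLocker what it would do with it, which is exactly the "downloaded from a dodgy link" scenario above. Run it in an elevated PowerShell; the temporary file names under $env:TEMP are my choice, and the expected decisions assume the AppLocker default rules (Program Files and Windows allowed, everything else denied).

```powershell
# Added example (not the article's or the ACSC's code): is application control
# actually enforced on this workstation, and what does it do to a program that
# lands in a user-writable folder? Run elevated on Windows 10/11 with AppLocker.

# 1. Rules are only applied while the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
"Application Identity service: $($svc.Status)"

# 2. Which rule collections exist, and are they enforcing or only auditing?
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$collections = @($policy.SelectNodes('/AppLockerPolicy/RuleCollection'))
if ($collections.Count -eq 0) {
    Write-Warning 'No effective AppLocker rules: anything a user downloads can run.'
}
foreach ($c in $collections) {
    $ruleCount = @($c.ChildNodes | Where-Object { $_.LocalName -like '*Rule' }).Count
    "{0,-8} EnforcementMode={1,-14} rules={2}" -f $c.Type, $c.EnforcementMode, $ruleCount
}

# 3. Simulate the scenario from the article: copy a known-good Windows binary into
#    a user-writable folder (assumed test location) and evaluate both copies.
#    With the default rules, System32 is Allowed and the TEMP copy is DeniedByDefault.
$trusted = "$env:SystemRoot\System32\notepad.exe"
$testExe = Join-Path $env:TEMP 'appcontrol-test.exe'
Copy-Item -Path $trusted -Destination $testExe -Force
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $trusted, $testExe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $testExe -Force

# 4. Evidence that it is working day to day: 8004 = blocked, 8003 = would have
#    been blocked if the collection were enforcing rather than auditing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

If step 2 shows EnforcementMode=AuditOnly, the rules are being logged but not applied; that is the normal first stage of a rollout, not the finished control. A run of 8003 events with no 8004 events tells you the same thing.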
2. Patch Applications
Patching means updating your software to fix known security holes. At Level 1, you need to patch applications that face the internet (browsers like Chrome and Edge, Microsoft Office, PDF readers, and similar tools) within two weeks of a patch being released.
If a vulnerability is being actively exploited in the wild, you need to patch within 48 hours. Applications that are no longer supported by the vendor (no more updates available) need to be removed.
What this looks like in your office: your browsers and Office apps update regularly, and someone is checking that those updates actually apply. Not “auto-update is turned on and we hope for the best.” Checked and confirmed.
3. Configure Microsoft Office Macro Settings
Macros are small programs that run inside Office documents like Excel spreadsheets and Word files. Attackers use macros to deliver malware. You receive a spreadsheet, open it, click “enable content,” and the damage is done.
At Level 1, you need to block macros from the internet. That means if someone emails your accounts team a spreadsheet with macros embedded, those macros do not run. If your business genuinely needs macros for internal tools, those specific macros can be allowed through a trusted list.
What you need to do: configure your Microsoft 365 environment to block macros from untrusted sources. This is a policy setting your IT provider can push out in an afternoon.
4. User Application Hardening
Hardening means turning off features that attackers exploit. At Level 1, this covers web browsers and PDF readers.
In plain terms: disable Flash (it should already be gone), block ads in browsers, disable Java in browsers, and block web-based content that your staff do not need for their jobs.
What this looks like: your browsers are configured with sensible security defaults. Your staff can still browse the web and open PDFs. They just cannot run risky content that has no business purpose.
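Both the macro setting in control 3 and the hardening settings in control 4 end up as policy values in the Windows registry, so one audit script covers both. This is an added example, not the article's or the ACSC's code: it reads each value and reports whether it matches what Level 1 expects. The Office values (blockcontentexecutionfrominternet and vbawarnings) are the ones set by the Office Trust Center group policies; the Acrobat Reader and Edge entries are representative hardening settings I chose, and the paths should be confirmed against the vendor policy documentation and the ACSC hardening guides for the versions you run. Office policies can also be applied under HKLM rather than HKCU depending on how your provider deploys them, so adjust the paths if a setting you know is applied shows as "(not set)".

```powershell
# Added example (not the article's or the ACSC's code): audit the registry policy
# values behind "block macros from the internet" (control 3) and a couple of
# application hardening settings (control 4). Run as the user being checked;
# the HKLM entries need an elevated session. Expected values are assumptions
# to confirm against the vendor documentation for your versions.

$checks = @(
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        # Trust Center: "Block macros from running in Office files from the Internet"
        @{ Name   = "Office $app: block macros from the internet"
           Path   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
           Value  = 'blockcontentexecutionfrominternet'; Expect = @(1) }
        # VBA Macro Notification Settings: 3 = disabled except digitally signed by a
        # trusted publisher (the "trusted list" case), 4 = disabled without notification
        @{ Name   = "Office $app: macros disabled unless trusted"
           Path   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
           Value  = 'vbawarnings'; Expect = @(3, 4) }
    }
    # Acrobat Reader DC FeatureLockDown (assumed path): JavaScript inside PDFs off
    @{ Name   = 'Acrobat Reader: JavaScript disabled'
       Path   = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
       Value  = 'bDisableJavaScript'; Expect = @(1) }
    # Edge browser policy: SmartScreen must stay on
    @{ Name   = 'Edge: SmartScreen enabled'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Value  = 'SmartScreenEnabled'; Expect = @(1) }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path -Path $Check.Path) {
        $actual = (Get-ItemProperty -Path $Check.Path -ErrorAction SilentlyContinue).($Check.Value)
    }
    [pscustomobject]@{
        Check    = $Check.Name
        Expected = ($Check.Expect -join ' or ')
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Pass     = ($null -ne $actual) -and ($Check.Expect -contains [int]$actual)
    }
}

$results = $checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
"$failed of $($results.Count) policy checks failed"
```

A value that is "(not set)" is as much a finding as a wrong value: it means the application is running on its built-in default, which the user can change, rather than on a policy your provider controls.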
5. Restrict Administrative Privileges
Admin accounts can install software, change settings, and access everything on a system. If an attacker compromises an admin account, they own your network.
At Level 1, admin accounts should only be used for administrative tasks, not for reading emails or browsing the web. Regular staff should have standard user accounts. Admin access should be limited to the people who genuinely need it, and those accounts should be reviewed regularly.
What you need to do: make sure your staff are not logging in as administrators for their day-to-day work. Your IT provider should have separate admin accounts that are only used when needed. This is one of the most effective controls and one of the most commonly ignored.
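Here is what "make sure your staff are not logging in as administrators" looks like as a check you can run on a workstation. This is an added example, not the article's or the ACSC's code. The approved list is an assumption; replace it with the dedicated admin accounts your IT provider actually uses. It needs an elevated session and the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10 and 11.

```powershell
# Added example (not the article's or the ACSC's code): audit local administrator
# rights on a Windows workstation. $approvedAdmins is a placeholder list.

$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account; should be disabled (checked below)
    'CONTOSO\svc-itprovider-admin'        # hypothetical dedicated admin account
)

function Get-LocalAdminReport {
    param([string[]]$Approved)
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        [pscustomobject]@{
            Account  = $m.Name
            Type     = $m.ObjectClass        # User or Group
            Source   = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Approved = ($Approved -contains $m.Name)
        }
    }
}

$report = Get-LocalAdminReport -Approved $approvedAdmins
$report | Format-Table -AutoSize

# The account running this interactive session should not be an administrator at all:
# email and browsing belong in a standard user account.
$me = "$env:USERDOMAIN\$env:USERNAME"
if ($report.Account -contains $me) {
    Write-Warning "$me is a local administrator and is being used for day-to-day work."
}

# Anyone not on the approved list is the finding to act on.
$report | Where-Object { -not $_.Approved } | ForEach-Object {
    Write-Warning "Unapproved administrator: $($_.Account) ($($_.Type) from $($_.Source))"
}

# The built-in Administrator account (RID 500) should be disabled, with a separate,
# named admin account used when elevation is genuinely needed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin -and $builtin.Enabled) {
    Write-Warning 'Built-in Administrator account is enabled.'
}
```

Groups that appear in the report (for example a domain or Entra group) need the same treatment: open them up and check who is inside, because that membership is what "reviewed regularly" actually means.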
6. Patch Operating Systems
Same principle as patching applications, but for the operating system itself: Windows, macOS, or whatever your devices run.
At Level 1, you need to patch operating systems on internet-facing services and workstations within two weeks. Actively exploited vulnerabilities need to be patched within 48 hours. Operating systems that are no longer supported (like Windows 10 after October 2025) need to be replaced.
What this means for you: if your business is still running old machines on unsupported operating systems, this is the control that flags it. Those machines are a liability.
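"Checked and confirmed" for controls 2 and 6 comes down to one report per machine: what is installed, is it at the version the vendor has released, when was the last operating system update, and is the operating system still supported. The script below is an added example, not the article's or the ACSC's code, and covers both controls. The minimum versions in $baseline are placeholders (0.0.0.0) you fill in from the vendor release notes when you run it. It treats any Windows build below 22000 as Windows 10 (Long-Term Servicing builds are an exception) and uses the article's two-week window; Get-HotFix only lists updates registered as hotfixes, so treat the OS result as an indicator to confirm in your update tooling.

```powershell
# Added example (not the article's or the ACSC's code): one patch-status report
# covering applications (control 2) and the operating system (control 6).
# $baseline holds placeholder minimum versions; replace them with current releases.

$maxPatchAgeDays = 14

# --- Applications: read the installed-programs registry keys (64-bit, 32-bit, per-user)
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion }

# Name pattern -> minimum acceptable version (placeholders; fill in from vendor release notes)
$baseline = @{
    'Google Chrome'       = '0.0.0.0'
    'Microsoft Edge'      = '0.0.0.0'
    'Adobe Acrobat*'      = '0.0.0.0'
    'Microsoft 365 Apps*' = '0.0.0.0'
}

function Get-AppPatchStatus {
    param($Installed, [hashtable]$Baseline)
    foreach ($pattern in $Baseline.Keys) {
        $found = @($Installed | Where-Object { $_.DisplayName -like $pattern })
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Application = $pattern; Installed = '(not found)'
                               Required = $Baseline[$pattern]; Status = 'not installed' }
            continue
        }
        foreach ($app in $found) {
            $ok = $false
            try { $ok = [version]$app.DisplayVersion -ge [version]$Baseline[$pattern] } catch { }
            [pscustomobject]@{
                Application = $app.DisplayName
                Installed   = $app.DisplayVersion
                Required    = $Baseline[$pattern]
                Status      = if ($ok) { 'OK' } else { 'OUT OF DATE' }
            }
        }
    }
}

# --- Operating system: version, support status, and days since the last update
function Get-OsPatchStatus {
    param([int]$MaxAgeDays)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { $null }
    # Windows 10 (builds below 22000) left support on 14 October 2025
    $unsupported = ([int]$os.BuildNumber -lt 22000) -and ((Get-Date) -ge [datetime]'2025-10-14')
    [pscustomobject]@{
        OperatingSystem = $os.Caption
        Build           = $os.BuildNumber
        LastUpdate      = if ($lastFix) { "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())" } else { '(none recorded)' }
        DaysSinceUpdate = $age
        Status          = if ($unsupported) { 'UNSUPPORTED: replace or upgrade' }
                          elseif ($null -eq $age -or $age -gt $MaxAgeDays) { "OVERDUE (more than $MaxAgeDays days)" }
                          else { 'OK' }
    }
}

Get-AppPatchStatus -Installed $installed -Baseline $baseline | Format-Table -AutoSize
Get-OsPatchStatus -MaxAgeDays $maxPatchAgeDays | Format-List
```

Run this across every workstation rather than one, and keep the output. A "not installed" result for an application you thought was standard is worth a look too: it sometimes means the program is there but was installed per-user in a way your patching tool does not see.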
7. Multi-Factor Authentication (MFA)
MFA means needing two things to log in: your password plus a second factor, such as a code from an app on your phone. It stops attackers who have stolen or guessed a password from getting into your accounts.
At Level 1, MFA is required for all users on internet-facing services. That includes Microsoft 365, VPNs, and any cloud applications your business uses.
What you need to do: turn on MFA for every user in Microsoft 365 and any other cloud platform your team uses. Yes, your staff will grumble. It adds a few seconds to their login. It also blocks the vast majority of automated attacks. The trade-off is not close.
For more on rolling out MFA without a revolt, see our guide on MFA for small business.
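Turning MFA on is half the job; the other half is knowing which users still have nothing but a password registered. The script below is an added example, not the article's code or Microsoft's: it uses the Microsoft Graph PowerShell module to list every enabled Microsoft 365 user and the sign-in methods they have registered, and flags anyone with no second factor. It only reads (the two scopes it asks for are read-only) and changes nothing. Note that a registered method is not the same as MFA being enforced; enforcement comes from Conditional Access or security defaults, so check that separately.

```powershell
# Added example (not the article's or Microsoft's code): find Microsoft 365 users
# who cannot complete MFA because only a password is registered. Requires the
# Microsoft.Graph PowerShell module and an account allowed to grant the scopes below.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Graph @odata.type values that count as a second factor. SMS/voice is the weakest
# of these; it still counts at Level 1, but an authenticator app is the better default.
$strongMethods = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'
)

function Get-MfaCoverage {
    param([string[]]$StrongMethods)
    $users = Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName, DisplayName
    foreach ($u in $users) {
        $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
        $types = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        $registered = @($types | Where-Object { $StrongMethods -contains $_ })
        [pscustomobject]@{
            User       = $u.UserPrincipalName
            MfaMethods = ($registered -replace '#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', '') -join ', '
            HasMfa     = ($registered.Count -gt 0)
        }
    }
}

$coverage = Get-MfaCoverage -StrongMethods $strongMethods
$missing = @($coverage | Where-Object { -not $_.HasMfa })
$missing | Format-Table -AutoSize
"{0} of {1} enabled users have no second factor registered" -f $missing.Count, @($coverage).Count
```

Run it again after the rollout, and then monthly: new starters and shared mailboxes with a licence attached are the usual way the number creeps back up.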
8. Regular Backups
At Level 1, you need backups of important data, software, and configuration settings. Backups need to be performed and tested regularly. They need to be kept in a way that an attacker cannot access them if they compromise your network.
This is where the 3-2-1 backup rule comes in: three copies of your data, on two different types of media, with one copy stored offsite. At Level 1, your backups also need to be retained long enough to allow recovery.
What this looks like: your data is backed up daily (at minimum), backups are stored somewhere an attacker cannot reach, and (this is the part most businesses skip) someone has actually tested a restore to confirm the backup works.
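A restore test does not have to be a big exercise. The script below is an added example, not the article's code or any backup product's: it takes a random sample of files from the live data location, restores the same files from the backup copy into a scratch folder, compares SHA-256 hashes, and writes the result to a dated CSV so there is evidence the test happened. The three paths and the sample size are assumptions; $backupCopy would be whatever your backup product exposes for restores (a mounted snapshot or a restore folder). Run it with a read-only account on the backup location, not the account that does daily work, since the whole point of "an attacker cannot reach them" is that ordinary credentials cannot.

```powershell
# Added example (not the article's or any vendor's code): sample-based restore test
# with a written record. All paths and the sample size are placeholders.
$liveData   = 'D:\CompanyData'
$backupCopy = '\\backup-server\CompanyData-latest'
$logDir     = 'D:\IT\restore-tests'
$sampleSize = 25

function Test-BackupRestore {
    param([string]$Live, [string]$Backup, [string]$Scratch, [int]$SampleSize)
    New-Item -ItemType Directory -Path $Scratch -Force | Out-Null
    $sample = Get-ChildItem -Path $Live -File -Recurse -ErrorAction SilentlyContinue |
              Get-Random -Count $SampleSize
    foreach ($f in $sample) {
        $relative = $f.FullName.Substring($Live.TrimEnd('\').Length + 1)
        $src = Join-Path $Backup $relative
        $dst = Join-Path $Scratch $relative
        if (-not (Test-Path -LiteralPath $src)) {
            [pscustomobject]@{ File = $relative; Result = 'MISSING FROM BACKUP'
                               LiveModified = $f.LastWriteTime; BackupModified = $null }
            continue
        }
        # The actual restore: copy out of the backup set, then prove the bytes match.
        New-Item -ItemType Directory -Path (Split-Path -Path $dst -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $src -Destination $dst -Force
        $restoredHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
        $liveHash     = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            File           = $relative
            # A difference is expected for a file edited after the last backup ran;
            # a difference on an old, untouched file is a real problem.
            Result         = if ($restoredHash -eq $liveHash) { 'OK' } else { 'DIFFERS (changed since backup?)' }
            LiveModified   = $f.LastWriteTime
            BackupModified = (Get-Item -LiteralPath $src).LastWriteTime
        }
    }
}

$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$scratch = Join-Path $env:TEMP "restore-test-$stamp"
$report  = @(Test-BackupRestore -Live $liveData -Backup $backupCopy -Scratch $scratch -SampleSize $sampleSize)

New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$report | Export-Csv -Path (Join-Path $logDir "restore-test-$stamp.csv") -NoTypeInformation
$report | Format-Table -AutoSize
$failures = @($report | Where-Object { $_.Result -ne 'OK' }).Count
"Restore test $stamp`: $failures of $($report.Count) sampled files failed verification"
Remove-Item -Path $scratch -Recurse -Force
```

The CSV in $logDir is the record that the test was done and by whom; a folder of them, one per month, is what an assessor will ask to see. A full restore of a whole system onto spare hardware is still worth doing once or twice a year, but this sample test is what catches a backup job that has been silently failing for weeks.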
Where Most Businesses Fall Short
The eight controls are straightforward on paper. Where businesses struggle is in three areas: they do not know what they currently have in place, they have no one checking that controls are actually working, and they treat security as a one-off project rather than an ongoing discipline.
A good starting point is understanding where you stand right now. Our IT Maturity Assessment gives you a clear picture of your current state across all eight controls, with no jargon and no pressure.
What to Do Next
Level 1 is achievable for any business with the right support. You do not need a security team. You do not need a massive budget. You need someone who understands the framework, knows how to implement the controls, and checks that they stay in place.
If you want to know where your business sits today, take our free IT Maturity Assessment. It takes five minutes, and you will get a clear report showing which controls you have in place and which ones need attention. No obligation, no sales pitch. Just a straightforward picture of where you stand.