The Australian Cyber Security Centre's Essential Eight has become the de facto security baseline for Australian organisations. But there's a significant gap between "implementing Essential Eight" and actually improving security posture.
This guide focuses on practical implementation—what actually works versus what just ticks boxes.
The Maturity Model Reality
Essential Eight defines four maturity levels (0-3) across eight mitigation strategies. Most organisations aim for Maturity Level 2 or 3 without understanding what that actually requires:
Maturity Level 1: Partly aligned with intent. Basic implementation, significant gaps.
Maturity Level 2: Mostly aligned with intent. Broader coverage, some exceptions remain.
Maturity Level 3: Fully aligned with intent. Comprehensive implementation across the environment.
The jump from ML2 to ML3 is significantly harder than ML1 to ML2. Many organisations underestimate this.
Application Control: The Hardest One
Application control is consistently the most difficult Essential Eight control to implement:
Why it's hard: Every organisation has unique applications, many poorly documented. Users expect to install what they need. IT teams lack visibility into what's actually running.
The wrong approach: Enabling application control in "audit mode" forever, never moving to enforcement because the exception list keeps growing.
The right approach: Start with servers (more controlled), move to standard desktops, address power users separately. Accept that initial implementation will cause complaints—plan for rapid response to legitimate exceptions.
Technical reality: Microsoft WDAC or AppLocker are the typical tools. Both require significant investment in policy management, testing, and exception handling.
Organisations that claim ML3 application control but have extensive exception lists aren't actually at ML3.
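The audit-to-enforcement step above is where most application control projects stall, so here is an added example (not code from the article or from Microsoft) that turns AppLocker audit-mode events into an enforcement plan. It assumes events have already been exported from the "AppLocker/EXE and DLL" operational log into records with the fields used below; the record layout, the publisher strings and the sample events are constructed for this illustration. The point it makes is that signed software should be covered by publisher rules, which stop the exception list growing with every new version, while unsigned files are pinned by hash and never by a user-writable path.

```python
"""Turn AppLocker audit-mode events into an enforcement plan.

Added example for this guide, not code from the article or from Microsoft.
It assumes events have already been exported from the "AppLocker/EXE and DLL"
operational log into records with the fields used below; the record layout
and the sample records are constructed.
"""
from collections import defaultdict

# AppLocker event IDs in the EXE and DLL log: 8002 = allowed, 8003 = audit-mode
# "allowed, but would have been blocked if the policy were enforced", 8004 = blocked.
EVENT_ALLOWED = 8002
EVENT_WOULD_BLOCK = 8003
EVENT_BLOCKED = 8004

# Constructed publisher strings (AppLocker uses the signing certificate subject).
ACME = "O=ACME SOFTWARE PTY LTD, L=SYDNEY, S=NSW, C=AU"
MSFT = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"

# Constructed sample export; publisher "" means the binary is unsigned.
SAMPLE_EVENTS = [
    {"event_id": 8003, "host": "WS01", "user": "alice", "publisher": ACME, "sha256": "a1",
     "path": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"event_id": 8003, "host": "WS02", "user": "bob", "publisher": ACME, "sha256": "a2",
     "path": r"C:\Users\bob\Downloads\acme-tool.exe"},
    {"event_id": 8003, "host": "WS02", "user": "bob", "publisher": "", "sha256": "b1",
     "path": r"C:\Users\bob\Downloads\macro_helper.exe"},
    {"event_id": 8002, "host": "WS01", "user": "alice", "publisher": MSFT, "sha256": "c1",
     "path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event_id": 8003, "host": "WS03", "user": "carol", "publisher": "", "sha256": "b1",
     "path": r"C:\Users\carol\Downloads\macro_helper.exe"},
]


def would_be_blocked(events):
    """Everything that ran under audit mode but enforcement would stop."""
    return [e for e in events if e["event_id"] == EVENT_WOULD_BLOCK]


def plan_rules(events):
    """Propose the broadest rule type that safely covers each would-be-blocked binary.

    Signed code gets a publisher rule (one rule covers future versions, so the
    exception list stops growing); unsigned code gets a hash rule. A path rule
    is never proposed: every sample path is user-writable, and a path rule
    there would let any file dropped into that directory run.
    """
    publisher_rules = defaultdict(set)
    hash_rules = defaultdict(lambda: {"paths": set(), "hosts": set()})
    for e in would_be_blocked(events):
        if e["publisher"]:
            publisher_rules[e["publisher"]].add(e["path"])
        else:
            hash_rules[e["sha256"]]["paths"].add(e["path"])
            hash_rules[e["sha256"]]["hosts"].add(e["host"])
    return {
        "publisher_rules": {p: sorted(paths) for p, paths in publisher_rules.items()},
        "hash_rules": {h: {"paths": sorted(v["paths"]), "hosts": len(v["hosts"])}
                       for h, v in hash_rules.items()},
    }


def enforcement_impact(events):
    """How many users, hosts and binaries enforcement would affect if switched on today."""
    blocked = would_be_blocked(events)
    return {
        "users": len({e["user"] for e in blocked}),
        "hosts": len({e["host"] for e in blocked}),
        "distinct_binaries": len({e["sha256"] for e in blocked}),
    }


if __name__ == "__main__":
    print(enforcement_impact(SAMPLE_EVENTS))
    plan = plan_rules(SAMPLE_EVENTS)
    for publisher, paths in plan["publisher_rules"].items():
        print("publisher rule:", publisher, paths)
    for digest, info in plan["hash_rules"].items():
        print("hash rule:", digest, info)
```

Running this against the constructed export shows three affected users, one publisher rule covering both ACME binaries, and one hash rule for the unsigned helper seen on two hosts. Re-running the same summary weekly tells you whether the would-be-blocked set is shrinking (ready to enforce) or still growing (policy work remains).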
Patching Within the Timeframes
Essential Eight patching requirements are aggressive:
- Extreme risk vulnerabilities: 48 hours for internet-facing systems
- High risk vulnerabilities: Two weeks
- All other vulnerabilities: Monthly
Why organisations fail: Manual patching processes can't keep pace. Testing requirements delay deployment. Legacy systems can't be patched without breaking them.
What works: Automated patch deployment for standard systems, risk-based prioritisation for systems requiring testing, compensating controls for unpatchable systems (with documented acceptance of risk).
The ML3 challenge: 48-hour patching for extreme vulnerabilities requires near-continuous operations. Most organisations don't have the staffing model to support this.
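The risk-based prioritisation and documented risk acceptance described above can be checked mechanically. The following is an added example (not code from the article) that scores a list of findings against the three timeframes quoted in this section. Two choices are this example's own assumptions rather than anything the guide states: "monthly" is taken as 30 days, and extreme-risk findings on systems that are not internet-facing are given the two-week window. The findings, hostnames and tracking ids are constructed and are not real CVEs.

```python
"""Check vulnerability findings against the Essential Eight patch timeframes.

Added example, not from the article. Assumptions: "monthly" = 30 days, and an
extreme-risk finding on a non-internet-facing system gets the two-week window.
All findings below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Finding:
    host: str
    ref: str                     # constructed tracking id, not a real CVE
    risk: str                    # "extreme", "high", "medium" or "low"
    internet_facing: bool
    published: date              # date the patch or advisory became available
    patched: Optional[date] = None
    risk_accepted: bool = False  # documented acceptance with a compensating control


def patch_deadline(f: Finding) -> date:
    """Deadline implied by the timeframes in the guide (assumptions noted above)."""
    if f.risk == "extreme" and f.internet_facing:
        return f.published + timedelta(days=2)    # 48 hours
    if f.risk in ("extreme", "high"):
        return f.published + timedelta(days=14)   # two weeks
    return f.published + timedelta(days=30)       # "monthly", taken as 30 days


def status(f: Finding, today: date) -> str:
    deadline = patch_deadline(f)
    if f.patched is not None:
        return "patched_in_time" if f.patched <= deadline else "patched_late"
    if f.risk_accepted:
        return "risk_accepted"   # still reported, never silently dropped
    return "overdue" if today > deadline else "open"


def assess(findings, today: date):
    """One row per finding; open work first, ordered by deadline (risk-based queue)."""
    rows = [{"ref": f.ref, "host": f.host, "deadline": patch_deadline(f),
             "status": status(f, today)} for f in findings]
    return sorted(rows, key=lambda r: (r["status"] not in ("overdue", "open"), r["deadline"]))


def breach_rate(findings, today: date) -> float:
    """Share of findings that missed their deadline: still open past it, or patched after it."""
    statuses = [status(f, today) for f in findings]
    return sum(s in ("overdue", "patched_late") for s in statuses) / len(statuses)


TODAY = date(2024, 6, 10)   # constructed assessment date
SAMPLE = [
    Finding("web01", "VULN-001", "extreme", True, date(2024, 6, 1), patched=date(2024, 6, 2)),
    Finding("web02", "VULN-002", "extreme", True, date(2024, 6, 7)),
    Finding("app01", "VULN-003", "high", False, date(2024, 6, 1)),
    Finding("ws17", "VULN-004", "low", False, date(2024, 5, 1), patched=date(2024, 6, 5)),
    Finding("legacy01", "VULN-005", "high", False, date(2024, 5, 20), risk_accepted=True),
]

if __name__ == "__main__":
    for row in assess(SAMPLE, TODAY):
        print(row)
    print("breach rate:", breach_rate(SAMPLE, TODAY))
```

On the constructed data the internet-facing extreme finding published on 7 June is already overdue by 10 June, which is the point of the section: a 48-hour window leaves no room for a monthly patch cycle. The risk-accepted legacy finding stays visible in the report rather than disappearing, so the accepted risk can be revisited at the next assessment.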
MFA Implementation Gaps
Multi-factor authentication seems straightforward but has common gaps:
Administrative accounts: Often have MFA, but there may be exceptions for service accounts or legacy systems.
VPN and remote access: Usually covered, but check for legacy VPN concentrators or modem pools that bypass MFA.
Cloud services: Microsoft 365 and major SaaS often have MFA, but check for legacy protocols that don't support it (SMTP, IMAP, older mobile clients).
Internal applications: The gap is usually here. Legacy internal applications often have no MFA capability.
ML3 requirement: MFA or something "more secure" (like smartcard authentication) for all privileged access. "More secure" is harder than it sounds.
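The gaps listed above (legacy protocols, privileged access without MFA) show up in sign-in logs if you look for them. The following is an added example, not code from the article: a small detection run over a constructed authentication log. The one-line key=value format, the user names and the application names are invented for this illustration; real identity providers export different fields, so the parser is the part you would adapt.

```python
"""Find successful sign-ins that were not MFA-protected, bucketed by cause.

Added example, not from the article. The log format (one key=value line per
sign-in), the users and the applications are constructed.
"""
import re
from collections import defaultdict

# Protocols the guide names as lacking MFA support (basic authentication).
LEGACY_PROTOCOLS = {"SMTP", "IMAP", "POP3"}
# Privileged identities; at ML3 every privileged access must be MFA-protected.
PRIVILEGED_USERS = {"admin-alice", "svc-backup"}

# Constructed sample log.
SAMPLE_LOG = """\
2024-06-10T08:01:02Z user=alice app=Exchange protocol=IMAP mfa=none result=success
2024-06-10T08:03:11Z user=alice app=Outlook protocol=MAPI mfa=satisfied result=success
2024-06-10T08:05:40Z user=admin-alice app=VPN protocol=IKEv2 mfa=none result=success
2024-06-10T08:07:55Z user=bob app=Exchange protocol=SMTP mfa=none result=failure
2024-06-10T08:09:03Z user=svc-backup app=FileServer protocol=SMB mfa=none result=success
2024-06-10T08:12:30Z user=carol app=M365 protocol=HTTPS mfa=satisfied result=success
this line is deliberately malformed
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) (?P<kv>.*)$")


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = {"ts": m.group("ts")}
        for token in m.group("kv").split():
            key, _, value = token.partition("=")
            rec[key] = value
        yield rec


def mfa_gaps(log_text):
    """Successful sign-ins without MFA, grouped by the reason they matter.

    Privileged users are checked first because that bucket is the ML3 blocker;
    failed sign-ins are ignored since they did not grant access.
    """
    gaps = defaultdict(list)
    for r in parse(log_text):
        if r.get("result") != "success" or r.get("mfa") == "satisfied":
            continue
        if r.get("user") in PRIVILEGED_USERS:
            gaps["privileged_without_mfa"].append(r)
        elif r.get("protocol") in LEGACY_PROTOCOLS:
            gaps["legacy_protocol"].append(r)
        else:
            gaps["no_mfa"].append(r)
    return gaps


def summary(gaps):
    """Distinct users per gap bucket, the view an assessor will ask for."""
    return {bucket: sorted({r["user"] for r in recs}) for bucket, recs in gaps.items()}


if __name__ == "__main__":
    for bucket, users in summary(mfa_gaps(SAMPLE_LOG)).items():
        print(f"{bucket}: {', '.join(users)}")
```

On the constructed log the IMAP sign-in lands in the legacy-protocol bucket even though the same user's Outlook session was MFA-protected, which is exactly how the SMTP/IMAP gap hides behind a "we have MFA on Microsoft 365" claim. The VPN sign-in by an administrator without MFA is the kind of finding that separates a claimed ML3 from a real one.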
Backup and Recovery Testing
The backup mitigation strategy isn't just about having backups—it's about tested recovery capability:
Common failure: Backups run successfully but have never been tested for actual recovery. When ransomware hits, the organisation discovers that its backups are corrupted or incomplete.
ML3 requirement: Backups tested "at least once when initially implemented and each time fundamental information technology infrastructure changes occur."
What this means: Regular recovery testing to isolated environments, documented recovery procedures, tested recovery time objectives.
Air-gapped backups: ML2+ requires backups that can't be accessed from the network being backed up. This is harder than it sounds in practice.
The Assessment Reality
Essential Eight maturity is supposed to be assessed by qualified assessors. In practice:
Self-assessment: Many organisations self-assess, often generously. There's no certification body verifying claims.
Assessment variability: Different assessors may reach different conclusions on the same environment. The standard allows interpretation.
Point-in-time snapshots: Assessment reflects a moment in time. Continuous compliance is harder than passing a periodic assessment.
The honest approach: Acknowledge gaps rather than paper over them. A genuine ML1 with a roadmap to ML2 is more valuable than a claimed ML3 that wouldn't survive scrutiny.
Implementation Sequencing
Not all Essential Eight controls are equally impactful or equally difficult:
Start here (high impact, moderate difficulty):
- Patching applications and operating systems (if automation exists)
- MFA (for systems that support it)
- Daily backups with offline storage
Next phase (high impact, higher difficulty):
- Application control (start with servers)
- Restricting admin privileges
- User application hardening
Hardest (often deferred):
- Complete MFA coverage including legacy systems
- ML3 patching timeframes
- Comprehensive application control including endpoints
Beyond Compliance
The Essential Eight is a baseline, not a comprehensive security program. Organisations that treat E8 as their entire security strategy are missing:
- Detection and response capabilities
- Security awareness and culture
- Third-party and supply chain risk
- Physical security
- Business continuity planning
E8 implementation should be part of a broader security program, not a substitute for one.
The Muon Approach
We help organisations implement Essential Eight in ways that actually improve security, not just satisfy compliance requirements. Our assessment approach identifies genuine gaps, prioritises remediation based on risk, and builds sustainable controls rather than audit-time fixes.
Security maturity is a journey. The goal isn't claiming the highest maturity level—it's continuously improving protection against real threats.
