What Essential Eight ML0 means
Maturity Level 0 indicates that the Essential Eight controls are either not implemented or applied inconsistently. This means there’s likely no formal patching schedule, application whitelisting is absent, multi-factor authentication (MFA) is used sporadically, administrator access isn’t restricted, and logging isn’t comprehensive. Consequently, an organisation at this level is highly susceptible to attacks like ransomware, business email compromise, and data breaches. The risk profile is significantly elevated compared to higher maturity levels.
AU mid-market reality and moving to ML1
Many AU mid-market organisations, particularly those that had no dedicated cybersecurity team prior to ACSC guidance, begin at Maturity Level 0. A gap analysis is crucial to identify the specific areas requiring improvement. A practical first step is establishing a basic patching SLA for critical systems, followed by implementing MFA for all users, especially those with administrative privileges. Restricting administrator access and enabling basic logging are also key priorities. These steps align with the OAIC’s Privacy Principles and contribute to demonstrating reasonable security measures under the Privacy Act 2024.