What Essential Eight ML1 Does
Maturity Level 1 of the ACSC’s Essential Eight defines a set of eight baseline controls designed to significantly reduce an organisation’s attack surface. These controls address common attack vectors and provide a practical starting point for improving cybersecurity posture. They include application control on workstations, timely patching of applications and operating systems (critical patches within two weeks, others within one month), macro configuration, hardening user applications, restricting administrative privileges, multi-factor authentication (MFA) for internet-facing and privileged accounts, and regular data backups.
Essential Eight ML1 in Australian Tenants Today
For AU mid-market organisations, achieving Essential Eight ML1 isn’t just a best practice; it’s increasingly becoming a de facto requirement, particularly given OAIC guidance and the potential for data breach reporting obligations under the Notifiable Data Breach scheme. Microsoft 365 tenants can leverage existing components like Intune for application patching and device management, Entra ID for MFA implementation, and Microsoft Defender for Endpoint to automate and enforce many of these controls. While achieving full ML1 requires ongoing effort and validation, the M365 stack provides a solid foundation for AU mid-market tenants.