Close this search box.

The ASD Essential 8: What you need to know


Businesses and other organisations have a lot on their plates. From getting their marketing mix right to maintaining employee morale, all why trying to make a profit, appropriate management can often seem overwhelming.

When you add in the ever-growing threat that comes from cyber attacks, handling all of these aspects at once seems almost impossible. Thankfully, the government has stepped in to help with the last problem, publishing the Essential 8 as a quick guide to help businesses orientate themselves appropriately in our complex and every-changing cyber landscape.

What Is the Essential 8?

The Essential 8 is a set of strategies that help organisations mitigate cyber threats, bolstering their security and improving their resilience. It was initially established in 2017 by the Australian Signals Directorate (ASD), to replace the “Top 4 Mitigation Strategies”. The Essential 8 was updated earlier this year, so its measures are still appropriate for combating the latest threats.

These strategies were developed with the understanding that business leaders already have a lot of other things to worry about, and often lack the knowledge, skills or resources to appropriately handle their cyber defences. Most people have a limited knowledge of information security, and the rapid pace of the industry makes it all but impossible for anyone but experts to keep up.

The Essential 8 gives organisations a quick and pragmatic way to reduce their cyber risks. The strategies give businesses the guidelines they need to prioritise their defences and customise their protective measures in a way that suits their unique situations.

The steps are prioritised and give businesses an outline that makes it easy to achieve an adequate security baseline, which significantly minimises the risks that they face.

Before Implementing the Essential 8

Before your organisation rushes into the essential 8, the ASD has three questions that companies should ask themselves. These can help organisations understand what threats they face, as well as how they can use the Essential 8 to mitigate them.

Which Systems Require Protection?

Your organisation should look at which of its systems are involved in dealing with sensitive or valuable information, and which need the most protection.

What Kind of Adversary Is Most Likely to Target These Systems?

If your organisation deals with incredibly sensitive or valuable information, such as government or military secrets, then it may be targeted by nation states. In other situations, the most likely threats may come from malicious insiders or cybercriminals.

What Level of Protection Do These Systems Need?

Given the threats that each system faces, determine the appropriate level of security to keep them reasonably safe.

The Essential 8 Mitigation Strategies

Once organisations have determined the risks that they face, they can begin implementing the Essential 8. The first four strategies aim to prevent malware delivery and execution, the next three aim to limit the impacts of cybersecurity incidents, while the final strategy is focused on data recovery and system availability.

Application Whitelisting

Whitelisting trusted programs prevents non-approved applications from executing malware.

Patch Applications

All applications should be using the latest versions. When security vulnerabilities are discovered, developers patch the flaws and then push them out as updates. Neglecting the latest updates leaves your organisation at risk to these vulnerabilities.

Configure Microsoft Office Macro Settings

Block macros from the internet and only allows those that have been vetted. This prevents Office macros from being used to execute malicious code on your organisation’s systems.

User Application Hardening

Java, Flash and ads are commonly used to infect systems. Blocking these and other unneeded features can help to minimise your organisation’s risks.

Limit Administration Privileges

Only grant your organisation’s users access to the systems and resources that they need to complete their tasks. Allowing wider access makes it possible for both hackers and malicious insiders to do far more damage to your systems if an attack occurs.

Patch Operating Systems

Just like your organisation’s applications, its operating systems are at risk to the latest vulnerabilities. Updating them as soon as possible plugs up these security holes.

Multi-Factor Authentication

Single factor authentication is relatively easy for attackers to breach. Adding a second factor, such as an authenticator app or security token, makes it much harder for attackers to work their way into your organisation’s systems.

Daily Backups

Performing frequent backups to data and systems helps to protect your organisation from ransomware and other attacks, as well as system failure.

Keeping your organisation safe

While the Essential 8 gives organisations a decent foundation to build their defences on top of, it can still be difficult to navigate the ever-changing security threats that they face. If you need help managing your organisation’s risks, Gridware can analyse its needs and provide security services that evolve alongside your organisation and the latest attacks.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235


Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →