The Essential Eight, explained for accounting firms.
What the ACSC's Essential Eight actually means for a practice holding client TFNs and financials, and how to reach a sensible maturity level without slowing the firm down.
Nathan James
Founder, Worktopia
18 June 2026•8 min read
Eight controls · four maturity levels · one clear target
If your firm has ever filled in a cyber-insurance renewal, tendered for a larger corporate client, or simply worried about the day a staff login ends up on the wrong side of a phishing email, you have already brushed up against the Essential Eight. It is fast becoming the common language for “are you actually secure?” in Australia, and accounting firms are squarely in the frame.
Here is the plain-English version: what it is, why a practice can't wave it away, and what reaching a sensible maturity level really takes.
Why a practice can't wave it away
Accounting firms hold exactly the data attackers want: tax file numbers, bank details, financials, and a direct line into client money movements. That makes a practice a high-value target and a high-consequence breach, the kind that damages client trust long after the systems are back up.
You may never be formally audited against the Essential Eight, but you are effectively assessed against it anyway, by three groups who increasingly speak its language:
Your insurer
Renewal questionnaires now map closely to these controls. Weak answers mean higher premiums, exclusions, or no cover.
Your bigger clients
Corporate and listed clients run vendor-security checks before they hand over their books. The Essential Eight is the yardstick.
Your regulators
With AML/CTF obligations widening, documented, proactive data handling is no longer a nice-to-have for practices.
So what is the Essential Eight?
It's a set of eight practical mitigation strategies published by the Australian Signals Directorate's Cyber Security Centre (ACSC). They aren't exotic. They're the controls that stop the overwhelming majority of real-world intrusions, the phishing, the ransomware, the stolen-password logins, before they turn into a bad week.
Each control is measured across four maturity levels, from ML0 (not really doing it) to ML3 (hardened against a determined, adaptive attacker). Your firm's overall maturity is the lowest level at which you've fully implemented all eight, so one weak control drags the whole score down.
The eight controls, in plain English
1
Application control
Only approved software is allowed to run. Random downloads and dodgy installers simply don't execute.
2
Patch applications
Keep browsers, PDF readers and line-of-business apps up to date, quickly, so known holes get closed before they're exploited.
3
Configure Microsoft Office macros
Block untrusted macros. It's one of the oldest tricks for slipping malware into an office, and one of the easiest to shut down.
4
User application hardening
Turn off the risky bits browsers and apps don't need, like Flash, ads and Java in the browser, that attackers love to abuse.
5
Restrict administrative privileges
Admin rights only for those who genuinely need them. If one account is compromised, the blast radius stays small.
6
Patch operating systems
Keep Windows and macOS current and on supported versions. Unpatched machines are the front door most breaches walk through.
7
Multi-factor authentication
The single highest-impact control. A stolen password alone can't get in, and stolen passwords are the number-one way accounts fall.
8
Regular backups
Tested, recent, and kept out of reach of ransomware. Good backups turn a catastrophe into a recovery exercise.
If you only start three today, make them MFA, patching and backups. They cover the most ground for the least disruption.
The four maturity levels
ML0
Gaps you can drive through
The control isn't in place, or has holes big enough that it doesn't really count. A common honest starting point.
ML1
Covers the everyday attacker
Protects against widespread, opportunistic attacks using known tricks. A reasonable first target for most firms and a fair answer to many insurers.
ML2
Covers the patient attacker
Stands up to adversaries who invest more effort, targeted phishing, credential testing, privilege escalation. Where regulated and larger firms are heading.
ML3
Covers the adaptive attacker
For those under specific, high-stakes obligations. If ML3 applies to you, you've almost certainly been told so in writing.
For most Australian accounting firms without a specific regulatory mandate, ML1 is a sensible, honest first target, with a clear path toward ML2 as insurers and corporate clients keep raising the bar.
The Essential Eight isn't a certificate you frame on the wall. It's eight habits, kept up every week, which is exactly where advice-only security falls over.
“Implemented and maintained” beats “advised”
Plenty of providers will hand a firm a report full of recommendations and call it security. But a maturity level isn't a document, it's a live state of your systems. MFA has to be on and enforced. Patches have to actually land, on every machine, every week. Backups have to be tested, not assumed.
That's the difference between being told what to do and having it done and kept up. It's why we treat the Essential Eight as an operating standard baked into how we run a firm's IT, not a slide in a proposal.
A sensible path for most firms
Step 1
Get an honest baseline. A short audit tells you where each of the eight controls really sits today, no guessing, no wishful thinking.
Step 2
Bank the quick wins. Enforce MFA everywhere, tighten patching, and get backups tested. This is most of the risk gone, fast.
Step 3
Harden the rest. Application control, macro settings, admin restrictions and app hardening, the controls that take a little more planning.
Step 4
Maintain and reassess. Review quarterly. New staff, new software and new devices all move the score, maturity is a practice, not a milestone.
The short version
→You're already being assessed against the Essential Eight, by insurers, big clients and regulators.
→Start with MFA, patching and backups. They remove the most risk for the least disruption.
→ML1 is a sensible first target for most firms; plan toward ML2 as the bar rises.
→A maturity level is a live state, not a report. It has to be maintained, every week.
Nathan started Worktopia after years inside a Brisbane accounting firm, moving it off legacy systems and into the cloud. He writes about the practical side of security and IT for practices that would rather be doing the work.
Not sure where your firm sits?
We'll score your eight controls, show you the gaps in plain English, and map the path to a maturity level you can stand behind.