The Essential Eight for Accounting Firms: A Complete Guide

Someone has probably said the words “Essential Eight” to you by now. Maybe it was your cyber insurer, tucked into a renewal form. Maybe an auditor, or a question buried in a tender you were trying to win. You nodded, wrote it down, and moved on, because there were client deadlines and the term sounded like something IT would handle.

Here’s the thing worth sitting with for a moment: the Essential Eight exists because of how firms like yours do get breached, and almost none of it is about firewalls or hackers in hoodies. It’s about everyday settings on everyday machines, the kind nobody checks because everyone assumes someone else already did.

So before anyone quotes you a price to “get you compliant,” it’s worth understanding what you’re being asked to do and why it lands on accounting firms harder than most.

What is the Essential Eight?

The Essential Eight is a set of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC). They are designed to be the baseline defences that stop the most common ways businesses get compromised. Not the exotic stuff: the ordinary stuff that works, over and over, because most organisations leave the door open.

A few things it is not, because the misunderstandings here are common:

It’s a baseline. The floor, not the ceiling. And for a small accounting firm, the floor is exactly where most of the risk lives.


Not sure why accountants need industry-specialised support? We’ve made a fair argument: General IT vs. Accounting-Firm IT: What’s the Difference?

The Essential Eight and Accountants: Why You Should Care

The ACSC sits inside the Australian Signals Directorate (ASD), which is the government agency responsible for cyber security at a national level. Over the years, they catalogued the methods used to break into Australian organisations and noticed something: the same small number of techniques kept showing up. So they distilled a much longer list of recommendations down to eight strategies that, implemented properly, block the overwhelming majority of attacks.

Why This Matters in Accounting Firms

An accounting firm is a concentrated store of exactly what attackers want. You hold tax file numbers, bank account details, financial statements, identity documents, and in many cases the logins your clients use for their own systems. Compromise one practice and you’ve potentially compromised every business on its books. That makes a firm a far more valuable target than its size suggests, and the people who do this for a living know it.

There’s a second reason, and it’s getting louder. Cyber insurers now ask about the Essential Eight before they’ll quote, and some price the answer in. Clients are starting to ask too, especially larger ones with their own compliance obligations. Whether you set out to chase the framework or not, it’s the thing other people use to decide if you’re safe to deal with.

The Essential Eight Strategies and What They Mean In Your Firm

1. Application Control

This means only approved programs are allowed to run on your machines. Everything else is blocked by default, including the malicious file an attacker tries to launch after they’ve talked someone into clicking it.

For your firm: if a staff member opens a dodgy attachment, application control is often what stops it dead. The unknown program simply isn’t on the approved list, so it never runs.

2. Patch Applications

“Patching” is just keeping software up to date. The catch is that updates frequently fix security holes, and the gap between a hole being made public and a firm getting around to the update is when attackers walk in.

For your firm: that PDF reader, that browser, that little add-on nobody remembers installing. Each one is a way in if it’s left unpatched, and “we’ll get to it” is how most firms stay exposed for months.

3. Configure Microsoft Office Macro Settings

Macros are small automated scripts inside Office files. They’re useful, and they’re also one of the oldest and most reliable ways to deliver malware, because a spreadsheet looks harmless until the macro inside it runs.

For your firm: you live in Excel, so this one is close to home. The strategy is about disabling macros except where they’re genuinely needed and trusted, so a poisoned workbook from a spoofed client email can’t quietly execute.

4. User Application Hardening

Hardening means switching off the risky features in everyday software that you don’t actually use. Old web technologies and browser add-ons are a frequent culprit, because they were built for a different era and attackers still exploit them.

For your firm: most of these features bring you nothing and cost you risk. Turning them off removes a chunk of attack surface without anyone in the practice noticing a difference in their day.

5. Restrict Admin Privileges

Admin accounts can install software, change settings, and reach almost anything. The strategy is to give those powers only to the people who genuinely need them, and only when they need them.

For your firm: if your practice manager runs day to day on an admin account, a single mistake on that login hands an attacker the keys to everything. Restricting admin rights contains the damage when something goes wrong, and something eventually does.

6. Patch Operating Systems

Same idea as patching applications, aimed at Windows and macOS themselves. Operating system updates regularly close serious security gaps, and an unpatched machine is a known, documented target.

For your firm: the laptop that’s been putting off its update for three weeks is a liability sitting on your network. Keeping operating systems current is dull and unglamorous, which is precisely why it gets skipped.

7. Multi-Factor Authentication (MFA)

MFA means a password alone isn’t enough to log in. You also need a second proof, usually a code or a prompt on your phone. So even if a password is stolen or guessed, the attacker is stopped at the second step.

For your firm: this is the single most effective thing on the list, and it matters most where your sensitive data lives. Email, Xero, your practice management system. A leaked password without MFA is an open door. With MFA, it’s a door that needs a key the attacker doesn’t have.

8. Regular Backups

Backups are copies of your data you can restore if the original is lost, corrupted, or held to ransom. The strategy isn’t just having them. It’s keeping them safe from the same attack and testing that they actually work.

For your firm: if ransomware locks your files on a Friday, a tested backup is the difference between restoring by Monday and paying a stranger for the privilege of maybe getting your clients’ records back. Untested backups have a habit of failing at the exact moment you need them.

The Essential Eight Maturity Levels: Where Should Your Firm Sit?

Aligning to the Essential Eight isn’t a yes or no. The ACSC grades each strategy across four maturity levels, and the level tells you how well a strategy is actually working, not just whether you’ve made a start on it.

Two things tend to surprise firms here. The first is that maturity is measured per strategy, so you can be Level Two on MFA and Level Zero on backups at the same time. Your overall position is only as good as your weakest one.

The second is that most firms sit lower than they assume. “We’ve got MFA” sounds like a tick, but if it’s only on email and not on Xero, the box isn’t really ticked. The level you need depends on what data you hold and who’s asking, and for a firm holding client financials, Level One is a starting point rather than a finish line.
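The two points above, per-strategy scoring with the firm's overall position set by its weakest strategy, and partial coverage (MFA on email but not on Xero) not counting as a ticked box, are modelled in this added example; it is not the ACSC's assessment method or any Worktopia tooling, and the rule that any coverage gap drops a strategy to Level Zero is a simplification assumed here for illustration.

```python
ESSENTIAL_EIGHT = (
    "Application Control", "Patch Applications", "Office Macro Settings",
    "User Application Hardening", "Restrict Admin Privileges",
    "Patch Operating Systems", "Multi-Factor Authentication", "Regular Backups",
)

# An assessment is {strategy: (claimed_level, coverage)}, where coverage maps
# each system the control must cover to whether it is actually in place there.
Assessment = dict[str, tuple[int, dict[str, bool]]]


def strategy_level(claimed_level: int, coverage: dict[str, bool]) -> int:
    """Level actually earned for one strategy (0 to 3). Any coverage gap pulls
    it back to Level Zero (assumed rule): MFA on email but not on Xero is not
    a ticked box."""
    if not 0 <= claimed_level <= 3:
        raise ValueError("maturity levels run from 0 to 3")
    if not coverage or not all(coverage.values()):
        return 0
    return claimed_level


def strategy_levels(assessments: Assessment) -> dict[str, int]:
    """Per-strategy levels for all eight; a strategy never assessed scores 0."""
    return {name: strategy_level(*assessments[name]) if name in assessments else 0
            for name in ESSENTIAL_EIGHT}


def overall_level(assessments: Assessment) -> int:
    """The firm's position is only as good as its weakest strategy."""
    return min(strategy_levels(assessments).values())


def weakest_strategies(assessments: Assessment) -> list[str]:
    """Strategies holding the firm at its overall level, in Essential Eight order."""
    levels = strategy_levels(assessments)
    return [name for name, lvl in levels.items() if lvl == min(levels.values())]


# Constructed sample firm (not a real client): Level Two MFA is claimed, but
# Xero was never enrolled, and backups exist but have never been restore-tested.
SAMPLE_FIRM: Assessment = {
    "Application Control": (1, {"staff laptops": True}),
    "Patch Applications": (1, {"browser": True, "PDF reader": True}),
    "Office Macro Settings": (2, {"Excel": True, "Word": True}),
    "User Application Hardening": (1, {"browser": True}),
    "Restrict Admin Privileges": (1, {"practice manager": True, "partners": True}),
    "Patch Operating Systems": (1, {"Windows": True, "macOS": True}),
    "Multi-Factor Authentication": (2, {"email": True, "Xero": False, "practice mgmt": True}),
    "Regular Backups": (1, {"copies kept": True, "restore tested": False}),
}
```

Running `overall_level(SAMPLE_FIRM)` returns 0 and `weakest_strategies(SAMPLE_FIRM)` names MFA and backups, even though six of the eight strategies sit at Level One or Two.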

Why “We’re in the Cloud” Doesn’t Get You There

Plenty of firms hear “Essential Eight” and just assume they’re covered because everything runs in Microsoft 365 and Xero. It’s an easy mistake, and an expensive one.

Your cloud provider secures the building, but they don’t decide who gets a key. Microsoft keeps its data centres running and its platform patched, but whether MFA is switched on, whether staff laptops are updated, whether admin rights are handed out like sweets, and whether your backups have ever been tested, all of that is still yours.

The cloud handles a slice of the Eight and leaves the rest sitting squarely with you. Being in the cloud is a sensible place to start, but it is not the same as being aligned, and assuming otherwise is how firms get caught believing they’re safe.

Go From “We’ve Heard of It” to “Yes, We’re Fully Aligned”

The honest first step is finding out what maturity level you stand at now, strategy by strategy. It’s rarely as good as the firm expects and rarely as bad as the worst case.

As an accounting practice-only IT provider, Worktopia builds Essential Eight alignment into every client’s baseline. Not as an add-on, not as a line item that appears when you ask the awkward question, but as the standard we start from. If you’ve read this far and you’re not sure where your firm sits, that’s worth knowing before your next insurance renewal or client tender.

Our Readiness Review tells you exactly that: where you stand against all eight strategies, and what it would take to close the gaps. Reach out for a consultation; there’s no obligation to do anything with it, but at least you’ll know.
