TL;DR:
- Implementing the ACSC Essential Eight controls helps small and medium businesses defend against common cyber threats.
- Prioritizing multi-factor authentication, tested backups, and rapid patching is essential for effective cyber hygiene.
A cyber hygiene checklist is a practical set of priority security actions that small and medium-sized businesses can implement right now to defend against the most common cyber threats. The recognised industry standard for Australian SMEs is the ACSC Essential Eight framework, which defines eight specific controls that stop the majority of attacks before they cause damage. In 2025, getting these controls right matters more than ever. Cyber insurers are tightening their requirements, regulators are raising expectations under the Cyber Security Act 2024, and attackers are not slowing down. This guide walks you through every step, in plain language, with no fluff.
1. What is the cyber hygiene checklist 2025 baseline for Australian SMEs?
The ACSC Essential Eight is the definitive cyber hygiene baseline for Australian businesses. It covers eight controls that, when implemented together, stop the vast majority of opportunistic attacks. The Essential Eight framework is not just a government recommendation. Insurers and enterprise clients increasingly require it as a condition of doing business.

The eight controls are: application control, patching applications, configuring Microsoft Office macros, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication (MFA), and regular tested backups. Each one targets a specific attack vector. Together, they form a layered defence that makes your business a much harder target.
Maturity Level 1 mitigates low-skill automated attacks and is the right immediate target for most SMEs. Levels 2 and 3 are designed for organisations facing sophisticated or state-sponsored threats. Chasing Level 3 as a small business is a waste of time and money.
2. Enable multi-factor authentication across every account
MFA is the single highest-return control on the Essential Eight list. It stops credential attacks cold, even when passwords are stolen. We see businesses every week running Microsoft 365 with no MFA enabled. One phishing email later, an attacker has full access to email, SharePoint, and OneDrive.
Enable MFA on every account that supports it: Microsoft 365, Google Workspace, accounting software, banking portals, and remote access tools. Prioritise admin accounts first, then all staff accounts. Do not treat MFA as optional for any user.
SMS-based MFA is vulnerable to SIM-swap attacks, where an attacker convinces a telco to transfer your number to their SIM. Use an authenticator app like Microsoft Authenticator or Google Authenticator instead. For high-privilege accounts, hardware tokens like YubiKey are the gold standard.
Pro Tip: Set a conditional access policy in Microsoft 365 that blocks sign-in entirely if MFA is not completed. This takes about 20 minutes to configure and immediately closes one of the most common attack paths.
3. Test your backups, not just run them
Backups are the most misunderstood control we deal with. Business owners assume they are backed up because a backup tool is installed. Untested backups do not guarantee recoverability. We have seen businesses hit by ransomware discover their backups had been silently failing for months.
Run a restore test at least quarterly. Pick a random file, a folder, and a full system image, and actually restore them to confirm they work. Document the result. This takes a few hours but gives you real confidence in your recovery capability.
Your backup strategy should follow the 3-2-1 rule: three copies of data, on two different media types, with one copy stored offsite or in a separate cloud environment. A backup sitting on the same server as your live data will not survive a ransomware attack.
4. Patch applications within 48 hours of a critical update
Patching is unglamorous but critical. Attackers actively scan for unpatched software and exploit known vulnerabilities within days of a patch being released. The Essential Eight requires critical patches to be applied within 48 hours and all other patches within two weeks.
Start with internet-facing applications: browsers, email clients, PDF readers, and any software that touches the web. These are the most exposed. Then work through internal applications. Use a patch management tool or your RMM platform to automate this where possible.
The application control and macro management controls are harder to implement, so patching first gives you quick, meaningful risk reduction while you plan the more complex work.
5. Patch your operating systems on the same schedule
Operating system patching follows the same 48-hour rule for critical updates. Windows, macOS, and Linux all release security patches regularly. Leaving these unapplied is like leaving a known unlocked door in your building.
Enable automatic updates for workstations where possible. For servers, schedule a monthly maintenance window and apply all outstanding patches. Document what you patched and when. This record matters when an insurer or auditor asks for evidence of your patching practice.
Outdated operating systems are a serious problem. Windows 10 reaches end of life in october 2025, meaning no further security patches from Microsoft. Any business still running Windows 10 after that date is carrying unpatched vulnerabilities indefinitely.
6. Restrict administrative privileges to those who need them
Admin accounts are the keys to your kingdom. Every user with admin rights is a potential entry point for an attacker who compromises their credentials. The Essential Eight requires you to limit admin privileges to only those who genuinely need them, and to use separate admin accounts for administrative tasks.
Audit your admin accounts now. In most SMEs we work with, half the staff have local admin rights they were given years ago for convenience and never had removed. Remove them. Standard users can do their jobs without admin rights in almost every case.
Require admin accounts to be used only for admin tasks, not for browsing the web or reading email. This limits the blast radius if an admin account is compromised.
7. Configure Microsoft Office macros to block untrusted sources
Macros in Microsoft Office documents are a common malware delivery method. Attackers send a Word or Excel file with a malicious macro embedded, and one click from a staff member can execute it. The Essential Eight requires you to block macros from the internet and only allow signed macros from trusted sources.
In Microsoft 365, you can configure this through Group Policy or Intune. Block all macros by default, then create an approved list of signed macros your business actually uses. Most SMEs use very few macros in practice, so the approved list is usually short.
This control does disrupt some workflows, particularly businesses that rely on macro-heavy spreadsheets. That is why change management matters here. Talk to your team before you flip the switch, and have a plan for any legitimate macros that need to be signed and approved.
8. Harden user applications and browsers
User application hardening means removing or disabling features in browsers and applications that attackers commonly exploit. This includes disabling Flash (already gone in most environments), blocking web ads through browser policy, and disabling unnecessary browser extensions.
Configure your browsers to block access to known malicious sites. Microsoft Edge and Google Chrome both support enterprise policies that let you control this centrally. Disable Java in browsers unless a specific business application requires it, and even then, restrict it to only that application.
This control is often overlooked because it feels minor. It is not. Browser-based attacks are one of the most common infection vectors for SMEs, and hardening the browser is a direct defence.
9. Implement application control on workstations
Application control means only approved software can run on your workstations. If a piece of malware lands on a machine, it cannot execute because it is not on the approved list. This is the most powerful control on the Essential Eight list and also the hardest to implement.
Start with a software inventory. Know what is installed and what is actually used. Build your approved list from that. Then use Windows Defender Application Control or AppLocker to enforce it. Expect some disruption initially as staff try to run unapproved tools.
Application control requires a phased rollout and good communication. Do not try to implement it in a day. Pilot it on a small group first, work through the exceptions, then roll it out to the rest of the business.
10. How to roll out these controls in four weeks
A four-week rollout is realistic for most SMEs if you prioritise correctly. Here is how to structure it:
- Week 1: Enable MFA across all accounts. Configure backup jobs and verify they are running. Document your current state.
- Week 2: Audit and apply outstanding patches for applications and operating systems. Remove unnecessary admin privileges.
- Week 3: Configure macro settings in Microsoft 365. Harden browser policies. Communicate changes to staff with a brief explanation of why.
- Week 4: Begin application control in audit mode. Run a full backup restore test. Review what broke and fix it.
The key is not to skip Week 1. MFA and backups give you the most risk reduction for the least effort. Everything else builds on that foundation.
Pro Tip: Run your application control policy in audit mode for two weeks before enforcing it. Audit mode logs what would have been blocked without actually blocking it, so you can tune your approved list before causing disruption.
11. How cyber insurance and regulations raise the stakes in 2025
Cyber insurers are no longer accepting self-declarations of good security. Insurers now mandate MFA, tested backups, and regular patching as conditions for policy coverage and renewal. If you cannot demonstrate these controls, you may be denied coverage or face significantly higher premiums.
The Cyber Security Act 2024 introduced new obligations for Australian businesses, and privacy legislation updates have increased the consequences of a data breach. Regulators are paying attention to whether businesses took reasonable steps to protect data. The Essential Eight is the benchmark for what “reasonable steps” looks like in Australia.
Practical steps to prepare for an insurance review:
- Document your MFA configuration and which accounts are covered
- Maintain a patching log showing dates and what was applied
- Keep records of backup restore tests with dates and outcomes
- Produce a list of admin accounts and the justification for each
- Show evidence of staff security awareness training
Cyber insurers use adherence to the Essential Eight as a baseline for coverage and premium calculations. That means your cyber hygiene posture directly affects your insurance costs. Businesses that can demonstrate Maturity Level 1 are in a much stronger negotiating position at renewal.
The Essential Eight is also increasingly expected beyond government contracts, including by enterprise clients doing vendor due diligence. If you supply services to larger organisations, your cyber hygiene posture may affect whether you win or keep that work.
Businesses that skip MFA and backup testing are not just taking a security risk. They are taking a financial risk. An insurer that finds you did not have basic controls in place at the time of a breach may decline your claim entirely.
Australian small businesses with fewer than 20 employees can access free cyber resilience services including a personalised Cyber Health Check Tool from ACSC. There is no excuse for not knowing where you stand.
Key takeaways
The most effective cyber hygiene strategy for Australian SMEs in 2025 is to reach ACSC Essential Eight Maturity Level 1 by prioritising MFA, tested backups, and patching before tackling more complex controls.
| Point | Details |
|---|---|
| Start with MFA and backups | These two controls give the highest risk reduction for the least effort and are required by insurers. |
| Test restores, not just backups | A backup that has never been tested is not a reliable backup. Run restore tests quarterly. |
| Patch within 48 hours | Critical patches for applications and operating systems must be applied within 48 hours of release. |
| Aim for Maturity Level 1 first | Chasing higher maturity levels too fast causes staff workarounds and reduces overall security. |
| Document everything | Insurance reviews and audits require evidence of controls, not just claims that they exist. |
What I have actually seen working with SMEs on this
Honestly, the gap between what businesses think they have and what they actually have is the biggest problem we face. Every week, a client tells us their backups are fine. We check, and the backup job has been failing silently for three months. Nobody noticed because nobody tested it.
The other thing I see constantly is businesses trying to skip straight to Maturity Level 2 or 3 because they read something about it online. Jumping maturity levels prematurely causes control fatigue. Staff find workarounds. The controls get bypassed. You end up with worse security than if you had just done Level 1 properly.
My honest advice: do not aim for perfect. Aim for done. MFA on every account, backups that you have actually tested, patches applied on schedule, and admin rights locked down. That is 80% of the battle. Get those four things right before you worry about anything else. The businesses I have seen recover well from incidents are not the ones with the most sophisticated controls. They are the ones who had the basics working properly.
The human factor matters too. Technical controls only go so far. A staff member who clicks a phishing link bypasses a lot of your defences. Regular, short security awareness training, not a once-a-year video, makes a real difference. Keep it practical and relevant to what your team actually encounters.
— Matt
How IT Start helps Brisbane SMEs get this right
IT Start works with Brisbane SMEs to implement and maintain the ACSC Essential Eight controls in a way that fits your team and budget. Our managed cybersecurity services cover MFA configuration, patch management, backup monitoring with tested restores, and admin privilege auditing. We also help you build the documentation you need for insurance reviews and vendor due diligence. If you are not sure where your business sits against the Essential Eight, we offer a free assessment to give you a clear picture. No jargon, no overselling. Just practical advice from a team that works with businesses like yours every day.
FAQ
What is the ACSC Essential Eight?
The ACSC Essential Eight is a set of eight cybersecurity controls developed by the Australian Cyber Security Centre to protect organisations against the most common cyber attacks. For most SMEs, reaching Maturity Level 1 is the recommended starting point.
How often should I test my backups?
Restore tests should be run at least quarterly. Monthly testing is better for businesses with high data change rates or those in regulated industries like healthcare or financial services.
Is SMS-based MFA good enough?
SMS-based MFA is better than no MFA, but it is vulnerable to SIM-swap attacks. Authenticator apps like Microsoft Authenticator are more secure, and hardware tokens like YubiKey are the strongest option for high-privilege accounts.
What does cyber insurance require in 2025?
Most cyber insurers now require MFA, regular patching, and tested backups as minimum conditions for coverage. Some also ask for evidence of staff security training and documented incident response procedures.
Can small businesses access free cybersecurity help in Australia?
Yes. Australian small businesses with fewer than 20 employees can access the Small Business Cyber Resilience Service and the ACSC Cyber Health Check Tool at no cost, providing a personalised assessment of their current security posture.

