The Essential Eight is the most widely referenced cyber security baseline in Australia. Government, insurers and prime contractors all use it as shorthand for "are you doing the basics?" Here is what the eight strategies actually are — and why backups are the one that saves you when the others fail.

Key takeaways
  • The Essential Eight is published by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC).
  • It groups into three goals: prevent attacks, limit their impact, and recover your data.
  • Maturity is measured on a scale from Level Zero to Level Three.
  • Regular, tested, isolated backups are the strategy that turns a disaster into an inconvenience.

Where the Essential Eight comes from

The Essential Eight is a set of eight mitigation strategies published by the Australian Signals Directorate (ASD) via the Australian Cyber Security Centre. It distils years of incident response into the controls that stop the largest share of real-world attacks. While it is mandatory for many federal entities, it has become the de facto private-sector benchmark too — referenced in contracts, supplier questionnaires and cyber insurance applications.

The eight strategies

The eight fall into three plain goals.

Prevent malware running

  • Application control — only approved programs are allowed to execute.
  • Patch applications — fix known vulnerabilities in software like browsers and PDF readers quickly.
  • Configure Microsoft Office macro settings — block macros from the internet, a classic malware delivery route.
  • User application hardening — disable risky features such as Flash, ads and Java in browsers.

Limit the blast radius

  • Restrict administrative privileges — admin rights are the keys to the kingdom; grant them sparingly.
  • Patch operating systems — keep Windows, macOS and server OSes current.
  • Multi-factor authentication (MFA) — a stolen password alone should never be enough.

Recover your data

  • Regular backups — frequent, tested, and crucially isolated from the systems they protect.

Why the eighth strategy is the safety net

The first seven strategies reduce the chance of an incident. The eighth — backups — decides what happens when one gets through anyway, and one eventually will. The ACSC is explicit that backups must be regular, retained for a useful period, and tested by actually restoring from them. Critically, they must be kept where an attacker who compromises your main environment cannot reach and delete them.

This is exactly where cloud accounting creates a blind spot. Your financial records in Xero are business-critical, but a deletion, a compromised login or a lapsed subscription can lose them — and that is your responsibility, not the platform's. An independent backup of your Xero data is how you satisfy the spirit of strategy eight for the systems that run your business.
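As an added illustration (not code from this article or from any backup product), the Python sketch below turns the four ACSC properties described above into checks a small business could run over its own export of accounting data: it packs a constructed sample export into an archive, proves the copy by restoring and re-hashing every file, and reports which of regular, retained, tested and isolated a set of copies fails. The dictionary fields, thresholds and the CSV contents are assumptions.

```python
import hashlib
import io
import tarfile

# Constructed sample export (not real Xero data): two small CSV files.
SAMPLE_EXPORT = {
    "invoices.csv": b"id,amount\n1,100.00\n2,250.50\n",
    "contacts.csv": b"id,name\n1,Example Pty Ltd\n",
}

def make_backup(files):
    """Pack files into an in-memory tar archive; return (archive, sha256 manifest)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return buf.getvalue(), manifest

def restore_verified(archive, manifest):
    """'Tested by actually restoring': extract every member and compare its hash."""
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            f = tar.extractfile(member)
            if f is None:  # directories or links cannot be hashed; treat as failure
                return False
            restored[member.name] = hashlib.sha256(f.read()).hexdigest()
    return restored == manifest  # any missing, extra or altered file fails

def policy_findings(copies, max_age_days=1, retention_days=90):
    """Each copy: {'age_days': float, 'isolated': bool, 'verified': bool}; [] means compliant."""
    findings = []
    if not any(c["age_days"] <= max_age_days for c in copies):
        findings.append("regular: no backup taken within the last day")
    if not any(c["age_days"] >= retention_days for c in copies):
        findings.append("retained: no copy old enough to prove the retention window")
    isolated = [c for c in copies if c["isolated"]]
    if not isolated:
        findings.append("isolated: no copy held outside the production environment")
    elif not min(isolated, key=lambda c: c["age_days"])["verified"]:
        findings.append("tested: newest isolated copy has not been restore-tested")
    return findings
```

The `isolated` flag is set by whoever schedules the job (for example, a copy written to a separate account that production credentials cannot delete); the script can only report what it is told about storage location.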

How to start

Pick a target maturity level honestly, measure where you are against each strategy, and close the biggest gaps first. For most small businesses, Maturity Level One is the right initial goal. Whatever you do elsewhere, get backups right early — it is the cheapest insurance in the entire framework.