If you've been asked by a client, insurer, or auditor about your firm's 'Essential 8 maturity' and weren't entirely sure what that meant, you're not alone. The Essential 8 is a set of eight prioritised strategies published by the Australian Cyber Security Centre (ACSC) to help organisations reduce the risk of a cyber incident.

The eight strategies are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. Each is assessed at a maturity level from zero to three. The levels are cumulative and are defined against increasingly capable adversary tradecraft rather than simply how much of the control is in place: Maturity Level One targets opportunistic attackers using commodity tooling, while Maturity Level Three targets adaptive adversaries who actively work around defences. A control is only at a given level when every requirement for that level is met.

For a law firm, accounting practice, or engineering consultancy, the Essential 8 isn't an abstract government framework — it's increasingly the reference point clients and insurers use to ask, 'are you actually secure, or do you just have a policy that says so?'

The good news is that most mid-sized firms don't need every control at the highest maturity level to materially reduce risk. Be aware, though, that the ACSC measures overall Essential 8 maturity as the lowest level across all eight strategies, and recommends reaching the same level across all eight before pushing any one of them higher. A prioritised, realistic roadmap that closes the biggest gaps first (the controls dragging your overall level down) gets you further than trying to do everything at once. That's the approach we take with every firm we assess.