Insights · Cyber
Essential 8 ML1: a 30-minute self-assessment.
Australian cyber insurance underwriters now ask Essential 8 maturity questions on every renewal. The Australian Signals Directorate (ASD) publishes the official Essential Eight Maturity Model; we've turned its Maturity Level One (ML1) requirements into a self-assessment that takes about 30 minutes to walk through, no consultant needed.
The output isn't "your maturity score is X". It's an honest list of where you're already there, where you're close, and where you're a long way off. That is useful for two things: (1) deciding which controls to fix first, and (2) being able to answer the broker's questionnaire without bluffing.
For each control below, the test is simple: read the plain description, then read the "Yes" and "No" definitions. If the "Yes" text honestly describes you, you're at ML1 on that control. If you can only say "No, but…", you're not. One caveat: ASD assesses each control across the whole environment, so a "Yes" has to hold on every workstation and account, not just the ones IT looks after closely.
Application control
Stop laptops running software your team didn't install.
YES: at ML1
Defender Application Control (WDAC) or AppLocker is enforced (not audit mode) on every workstation, and at minimum it blocks executables, scripts, installers, DLLs, compiled HTML and control panel applets from running out of user profile folders (Downloads, Desktop, AppData) and the temp folders used by Windows, browsers and email clients. That location-based block is what ML1 asks for; a full organisation-approved allow-list is the ML2 bar and also passes.
NO: gap
Anyone can install anything. Or you "have antivirus" but nothing stops a user double-clicking an .exe in Downloads. Or the policy exists but has only ever run in audit mode.
Patch applications
Patch browsers and their extensions, Office, PDF readers, email clients and security products within two weeks of release, and remove anything the vendor no longer supports (Flash, end-of-life Java and PDF software). For internet-facing services the window shrinks to 48 hours when the vendor rates the flaw critical or a working exploit exists.
YES: at ML1
Third-party app patching runs automatically (e.g. Defender for Endpoint vulnerability management, PDQ, Patch My PC), a vulnerability scanner checks at least fortnightly for what is still missing, and the time from vendor release to deployed patch is measured against the two-week window rather than assumed.
NO: gap
Browsers update themselves; everything else is patched whenever someone notices.
Configure MS Office macros
Block Excel/Word macros from the internet, and turn macros off entirely for anyone without a business reason to run them. They remain a top ransomware vector.
YES: at ML1
Office Trust Centre settings are enforced via Intune or GPO, not left to user preference: macros disabled for users with no demonstrated business need, macros in files from the internet (Mark of the Web) blocked for everyone, macro antivirus scanning (AMSI) enabled, and users cannot change macro security settings. Limiting the exception group to digitally signed macros or Trusted Locations is the ML2 requirement and a sensible extra.
NO: gap
Macros work everywhere; no policy in place, or a policy users can click past.
User application hardening
Turn off Java in the browser, block web ads, retire Internet Explorer. Stop browsers running risky stuff and stop users turning the protections back off.
YES: at ML1
Browsers do not process Java from the internet and do not display web advertisements from the internet (ad blocking or web filtering), Internet Explorer 11 is disabled or removed, and browser security settings are locked by policy so users cannot change them. Attack Surface Reduction (ASR) rules and an Office/Edge hardening baseline go further and are worth having, but they are not what ML1 measures here.
NO: gap
Default browser settings everywhere, and users can change them.
Restrict admin privileges
Day-to-day work runs without admin rights. Even for IT.
YES: at ML1
Standard users do not have local admin. IT staff use a separate privileged account for admin work and an ordinary account for email and browsing, and the privileged accounts are blocked from the internet, email and web services. Requests for privileged access are validated when first made (a ticket and an approver, not a chat message). Time-bound activation (Entra PIM or equivalent) and a periodic review of admin accounts are good practice and count towards ML2.
NO: gap
Most users, or all of IT, have permanent admin rights on the same account they read email with.
Patch operating systems
Windows and macOS patched within one month of release on workstations and internal servers; internet-facing servers within 48 hours when the vendor rates the flaw critical or a working exploit exists, two weeks otherwise; operating systems out of vendor support replaced. No more "we'll do it tomorrow".
YES: at ML1
Windows Update for Business or Intune patch rings with deferral capped well inside the one-month window (we recommend 14 days), a vulnerability scanner checking workstations at least fortnightly for missing patches, and a monthly compliance report that someone actually reads.
NO: gap
Users patch when they remember; servers patch when something breaks.
Multi-factor authentication
Phone-confirm or hardware key for every login to Microsoft 365 and any other online service that holds company data. No exceptions for the principal.
YES: at ML1
MFA enforced via Conditional Access for 100% of accounts, including admins and executives, on every cloud service that processes company data (not just M365). Phishing-resistant MFA (FIDO2 keys or Windows Hello for Business) for privileged roles goes beyond ML1 and is where you should end up.
NO: gap
MFA is optional, or principals/admins are exempted, or it covers M365 but not the other SaaS tools that hold client data.
Regular backups
Tested restores on a published schedule. Yes, including the M365 mailbox.
YES: at ML1
M365, endpoints and servers are backed up to storage that ordinary user accounts cannot read, modify or delete (immutable, or at least properly access-controlled), backups are synchronised to a common point in time, and restoring data, applications and settings is tested as part of a disaster recovery exercise with written sign-off. Our suggested targets for an SMB, which are our numbers rather than ASD's: a restore test at least quarterly, RPO ≤ 24 h, RTO ≤ 4 h.
NO: gap
You have backups. You have not restored from them in 12 months.
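Four of the "Yes" definitions above are machine state you can read straight off an endpoint instead of trusting memory. The PowerShell below is an added example for this article, not an ASD or Microsoft tool. Run it in Windows PowerShell 5.1 as the ordinary logged-in user on a representative Windows 10/11 device (nothing in it needs elevation, and an elevated session under a different account would read that account's HKCU instead of the user's). It reports Yes / No / Review / Unknown with the evidence for application control, Office macros, local admin membership and OS patch cadence. MFA, backups, third-party application patching and browser hardening are enforced off the box (Conditional Access, the backup platform, Intune or GPO) and are not checked. Assumptions: the Office 16.0 registry hive (Office 2016 and later, including M365 Apps) and the standard Software\Policies (GPO) and PolicyManager (Intune/MDM) registry locations.

```powershell
<#
  Essential 8 ML1 local evidence check. Added example, not ASD or Microsoft tooling.
  Run in Windows PowerShell 5.1 as the logged-in user on a Windows 10/11 endpoint.
  Covers four of the eight controls from local configuration only. Assumes Office
  16.0 and the standard GPO (Software\Policies) and Intune/MDM (PolicyManager) paths.
  A pass on one machine is necessary, not sufficient: ML1 has to hold fleet-wide.
#>
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Control, [string]$Status, [string]$Evidence) {
    $results.Add([pscustomobject]@{ Control = $Control; Status = $Status; Evidence = $Evidence })
}

# 1. Application control. WDAC user-mode status: 0 = off, 1 = audit, 2 = enforced.
#    AppLocker collections must be 'Enabled' (enforce), not 'AuditOnly'. Enforcement is
#    necessary, not sufficient: the rules must still deny user-profile and temp paths.
try {
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $umci = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    $al   = Get-AppLockerPolicy -Effective -ErrorAction Stop
    $enforced = @($al.RuleCollections | Where-Object { "$($_.EnforcementMode)" -eq 'Enabled' } |
                  ForEach-Object { "$($_.RuleCollectionType)" })
    $ok = ($umci -eq 2) -or (($enforced -contains 'Exe') -and ($enforced -contains 'Script'))
    $alText = if ($enforced.Count -gt 0) { $enforced -join ',' } else { 'none' }
    Add-Result 'Application control' $(if ($ok) { 'Yes' } else { 'No' }) "WDAC UMCI=$umci; AppLocker enforced: $alText"
} catch { Add-Result 'Application control' 'Unknown' $_.Exception.Message }

# 2. Office macros. Only values under HKCU\Software\Policies count: they come from GPO or
#    Intune and users cannot change them. vbawarnings 4 = disabled without notification
#    (the default for users with no business need), 3 = signed only, 2 = notify (user can
#    click Enable), 1 = all enabled. blockcontentexecutionfrominternet 1 = block macros in
#    files carrying Mark of the Web. macroruntimescanscope 1 or 2 = AMSI macro scanning on.
$office  = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$scan    = (Get-ItemProperty "$office\Common\Security" -ErrorAction SilentlyContinue).macroruntimescanscope
$macroOk = $scan -in 1, 2
$ev = @("AMSI scan=$scan")
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $p = Get-ItemProperty "$office\$app\Security" -ErrorAction SilentlyContinue
    $ev += "$app vba=$($p.vbawarnings) motw=$($p.blockcontentexecutionfrominternet)"
    if ($p.blockcontentexecutionfrominternet -ne 1 -or $p.vbawarnings -notin 3, 4) { $macroOk = $false }
}
Add-Result 'Configure MS Office macros' $(if ($macroOk) { 'Yes' } else { 'No' }) ($ev -join '; ')

# 3. Restrict admin privileges. Lists every member of the local Administrators group. The
#    only acceptable human members are dedicated admin accounts (never the account someone
#    reads email with), which the script cannot tell apart, so any user found is 'Review'.
try {
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
    $users   = @($members | Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notmatch '\\Administrator$' })
    Add-Result 'Restrict admin privileges' $(if ($users.Count -eq 0) { 'Yes' } else { 'Review' }) `
        "Local Administrators: $(($members | ForEach-Object Name) -join ', ')"
} catch { Add-Result 'Restrict admin privileges' 'Unknown' $_.Exception.Message }

# 4. Patch operating systems. ML1 allows one month for workstations and internal servers.
#    The deferral policy shows the ceiling you configured; the newest installed update shows
#    what actually happened. Patch Tuesday cycles are 28 to 35 days apart, so 31 to 45 days
#    is 'Review' (a fresh release may still be inside its window); beyond that is a gap.
$gpo = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
$mdm = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' -ErrorAction SilentlyContinue
$defer = $gpo.DeferQualityUpdatesPeriodInDays
if ($null -eq $defer) { $defer = $mdm.DeferQualityUpdatesPeriodInDays }
$deferText = if ($null -ne $defer) { "$defer days" } else { 'not set' }
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age  = if ($last) { [int](New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).TotalDays } else { -1 }
$status = if ($age -lt 0) { 'Unknown' } elseif ($age -le 30) { 'Yes' } elseif ($age -le 45) { 'Review' } else { 'No' }
Add-Result 'Patch operating systems' $status "Quality update deferral: $deferText; newest update $($last.HotFixID) installed $age days ago"

$results | Format-Table -AutoSize -Wrap
```

Run it on a handful of machines chosen from different departments, not just the IT bench. A 'Yes' row is evidence for the matching control above; a 'Review' row is a list of accounts or dates to explain to yourself before you explain them to the broker.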
What to do with the result
Count your "Yes" answers. If you got 8/8, congratulations: you're at ML1 across the board, which is the baseline most cyber insurers now expect. Most Melbourne SMBs we audit score 3 to 5 out of 8 the first time, which is normal and entirely fixable.
The order to fix things is usually: MFA first (highest impact, lowest cost), then regular backups plus tested restores (because if everything else fails this is what saves you), then patch applications and OS (automatable, low ongoing effort), then the harder ones: application control, macro hardening, admin privilege restriction.
If you'd like the assessment in writing, done by a real engineer, with a remediation plan and a price for getting to ML1, that's what our Identity-First 2-Hour Audit ($390) exists for. Two hours of an engineer's time, written report by end of day, prioritised by risk.
Or if you already know you want to be at ML1 in 90 days with bound evidence at the end, our 90-day Essential 8 program is $7,500 fixed, money back if ML1 isn't achieved.