
Essential Eight Compliance Journey: Gaps to Maturity

← Back to Insights

From Gaps to Essential Eight Maturity

Cybersecurity compliance is a major focus for many Australian organisations, and one community non-profit engaged Vee Tech to uplift their security practices in line with the Australian Cyber Security Centre's Essential Eight framework. When we started, the client had some controls implemented but several gaps remained. Our role was to assess their current posture, highlight the gaps, and help prioritise improvements so they could reach maturity against the Essential Eight model.

Gap Assessment

We began with a detailed audit of the client's status across each of the eight controls. The findings were presented in a simple traffic-light format for the executives: a few items were green (fully implemented), several were yellow (in progress), and a couple were red (not started).

For example, Multi-Factor Authentication (MFA) was already enforced for all users – a big win marked 🟩 Complete. Regular data backups were in place both on-premises and in cloud apps, though formal restore testing was still a work in progress (🟨). On the other hand, Application Control to block unauthorised software hadn't been started yet (🟥) and was flagged as a priority due to the high risk of malware if left unchecked.

We also noted some admin accounts were still managed outside of the secure password vault, presenting a compliance gap in restricting administrative privileges.

Strategic Improvements

With management buy-in, we helped the client tackle the most critical gaps first. We initiated a project to pilot Microsoft's Windows Defender Application Control across a subset of PCs, aiming to gradually roll out application whitelisting (a key requirement for Essential Eight).

We also assisted in migrating all remaining admin credentials into their password vault and reviewing admin rights across the board (enforcing a strict "least privilege" approach). To improve their backup resilience, we formalised a quarterly recovery test process – essentially conducting fire-drills to restore data from backups and document the results. This gave leadership confidence that backups aren't just happening, but are actually usable in a crisis.

Another area of focus was patch management: we integrated third-party application updates into their RMM system so that both Microsoft and non-Microsoft apps would be patched within two weeks of release, as required by the Essential Eight guidelines.
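A check like the following can confirm that the two-week patch window is actually being met. It is an added example, not Vee Tech's or the client's tooling; the CSV column names, hosts, applications and versions are constructed, and a real RMM export will use different fields.

```python
import csv
import io
from datetime import date, timedelta

# Patch window taken from the article: "within two weeks of release".
PATCH_WINDOW = timedelta(days=14)

# Constructed sample of an RMM software-inventory export (hypothetical columns).
SAMPLE_EXPORT = """\
host,application,installed_version,latest_version,latest_released
PC-01,browser,5.2,5.2,2024-05-14
PC-02,browser,5.1,5.2,2024-05-14
PC-03,archiver,2.0,2.1,2024-05-20
PC-04,pdf-reader,9.0,9.1,2024-04-09
PC-05,pdf-reader,9.0,9.1,
"""


def classify(row, as_of):
    """Return 'current', 'pending', 'overdue' or 'unknown' for one install."""
    if row["installed_version"] == row["latest_version"]:
        return "current"
    released = row["latest_released"].strip()
    if not released:
        # No release date recorded: report the gap rather than assume compliance.
        return "unknown"
    deadline = date.fromisoformat(released) + PATCH_WINDOW
    return "pending" if as_of <= deadline else "overdue"


def patch_report(export_text, as_of):
    """Group (host, application) pairs by patch status as of the audit date."""
    report = {"current": [], "pending": [], "overdue": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        report[classify(row, as_of)].append((row["host"], row["application"]))
    return report


if __name__ == "__main__":
    for status, installs in patch_report(SAMPLE_EXPORT, date(2024, 6, 1)).items():
        print(f"{status:8} {installs}")
```

Installs in the `unknown` group need the release date filled in before the window can be assessed, so they should be followed up rather than counted as compliant.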

Outcome

Over a span of months, the client's security posture improved markedly. By the time we were done, most of those yellow and red areas had turned green. The organisation achieved a baseline Level 1 Essential Eight maturity across all controls, and we provided a roadmap for reaching Level 2 in the future.

Equally important, we communicated these wins in plain English to the client's board, translating technical controls into business benefits like reduced risk of ransomware or assurance of business continuity. The journey wasn't just about ticking compliance boxes – it was about building a security-oriented culture. This case highlights how a structured framework like Essential Eight, combined with patient consulting and follow-through, can elevate an organisation's cyber resilience from scattered gaps to a solid, sustainable defence.

Key Essential Eight Controls

  1. Application Control – Restrict which applications can run on systems
  2. Patch Applications – Keep applications updated with security patches
  3. Configure Microsoft Office Macro Settings – Disable or restrict macro execution
  4. User Application Hardening – Configure web browsers and email clients securely
  5. Restrict Administrative Privileges – Limit who has admin access
  6. Patch Operating Systems – Keep operating systems updated
  7. Multi-Factor Authentication – Require additional verification beyond passwords
  8. Regular Backups – Maintain secure, tested backups

Lessons Learned

  • Start with Assessment: A clear picture of current state is essential before planning improvements
  • Prioritise by Risk: Address high-risk gaps first, even if they're more complex
  • Communicate in Business Terms: Translate technical controls into business benefits for leadership
  • Build a Culture: Compliance isn't just about technology – it's about building security awareness
  • Test Everything: Regular backup testing ensures you can actually recover when needed

Ready to start your Essential Eight compliance journey? Contact Vee Tech for a free security assessment and Essential Eight gap analysis.
