Most Australian businesses aren't Essential Eight compliant — and that's not the problem you think it is
If you're an IT manager or business leader who's heard the term 'Essential Eight' and quietly wondered whether your organisation measures up — you're in good company.
The uncomfortable truth is that most Australian businesses, particularly small and mid-market organisations, haven't achieved even the minimum level of Essential Eight compliance. And the security sector largely doesn't talk about this openly.
This isn't a reason to panic. It's a reason to get clear.
The Essential Eight: what most people get wrong
The Essential Eight is a set of baseline cybersecurity controls published by the Australian Signals Directorate (ASD). It's widely cited, well-structured, and genuinely useful. But two things about it are almost never said plainly.
First: for most private businesses, Essential Eight compliance is voluntary. It is mandated for non-corporate Commonwealth entities under the Protective Security Policy Framework, and organisations that are responsible entities for critical infrastructure assets (in sectors such as healthcare and financial services) carry separate obligations under the SOCI Act, whose risk management program rules name Essential Eight Maturity Level One as one of several accepted cyber security frameworks. A boutique firm in one of those sectors is not automatically a SOCI entity, though, so for most SMEs there is no statutory requirement at all.
And even where compliance isn't mandated, the commercial pressure is growing. Cyber insurers are tightening requirements, asking more detailed questions at renewal, and increasingly linking your premium — or your eligibility for cover at all — to evidence of basic controls. Clients, particularly in regulated sectors, are adding security questionnaires to their supplier onboarding. The mandate may not be legal, but the market is creating its own.
Second: Maturity Level One is the first of the three target tiers in ASD's maturity model, sitting above Maturity Level Zero, which ASD uses to denote an organisation with significant weaknesses in its posture. ASD has described Maturity Level One as generally suitable for small to medium enterprises, and it is pitched at adversaries using commodity tradecraft and widely available tools. That's the starting point, not the finish line. And for most SMEs, it's still aspirational.
"For most SMEs, Essential Eight Maturity Level One isn't something they've surpassed — it's something they're still working toward."
Why adoption remains low — even after Optus and Medibank
The 2022 breaches at Optus and Medibank were a genuine wake-up call. Board conversations changed. Budgets shifted. But despite heightened attention following those incidents, substantial security incidents continue to be reported each month across Australian organisations of all sizes.
Industry practitioners consistently attribute this to low Essential Eight adoption among SMEs. The barriers are predictable: no dedicated security resource, competing IT priorities, uncertainty about where to start, and a perception that 'getting compliant' means expensive consultants and years of work.
The reality is more manageable than that perception — but only once you know where you actually stand.
What the Essential Eight doesn't account for: your business
The Essential Eight was designed as a universal baseline, which means it was designed for no organisation in particular. It doesn't consider your operating model, your sector, your supply chain, or the specific ways your business creates and stores value — and therefore the specific ways it could be harmed.
A boutique financial planning firm holding client investment data has a fundamentally different risk profile to a regional healthcare operator managing patient records across multiple sites, which is different again to a manufacturing business with operational technology on the floor. Essential Eight Level One applies to all three equally. The actual risk exposure — and therefore the controls that matter most — is completely different.
In our experience working across healthcare, financial services, utilities, and government, organisations that implement Essential Eight controls in isolation consistently find the same thing: compliance doesn't equal resilience.
The incidents that happen after Essential Eight is implemented tend to come from four areas the framework doesn't adequately address.
And then there's AI…
AI has created a generational shift that the Essential Eight wasn't built for. It was designed before generative AI became a mainstream business tool and a mainstream attack vector. It has no controls for either.
On the attack side, ASD's own 2024–25 report states that AI "almost certainly enables malicious cyber actors to execute attacks on a larger scale and at a faster rate" — and the evidence is already visible in Australia. According to IDC and Fortinet's 2025 Asia-Pacific Cybersecurity Report, 51% of Australian organisations reported encountering AI-powered threats in the past year, with 76% of those seeing threat volume double. Phishing emails are increasingly difficult to distinguish from legitimate communications, with the spelling and grammar cues staff were trained to look for largely gone. Voice cloning is enabling fraud that bypasses verbal verification, including the call-back check many finance teams rely on for payment changes. AI is being used to automate the sorting and testing of stolen credentials, compressing the time between a credential leak and the account takeover that follows it.
On the internal side, the risk is quieter but equally real — staff using generative AI tools without policy guidance, sensitive data entered into public AI platforms, and AI integrations adopted without security assessment. Neither risk appears in the Essential Eight framework. For mid-market businesses in 2026, a cyber programme that doesn't account for AI — on both sides of the equation — is already behind.
Four areas the Essential Eight doesn't adequately address
1. Cyber governance and policy
Essential Eight is a set of technical controls. It doesn't establish who is accountable for cyber risk at a leadership level, how incidents are escalated, or how the board is informed. Without governance, controls drift — exceptions accumulate, implementations become inconsistent, and nobody is watching the picture as a whole. Governance now also needs to name who is accountable for AI adoption decisions and to state which generative AI tools staff may use, with what data, so that the tools already in daily use are covered by policy rather than tolerated by default.
2. Risk assessment
Essential Eight tells you what controls to implement. It doesn't help you understand which threats are most relevant to your business or where to prioritise when budget is limited. A formal risk assessment process — even a lightweight one — is what turns a checklist into a strategy. AI tools adopted without formal assessment represent an emerging blind spot in most organisations' risk registers.
3. Third-party and supply chain risk
Essential Eight secures your environment. It doesn't address the path in through a supplier, SaaS platform, or contractor who has access to your systems or data. For healthcare providers, financial services businesses, and professional services firms, this is frequently where real exposure sits. Public generative AI platforms — ChatGPT, Copilot, Gemini — belong in the same category: when staff use the consumer tiers on personal or unmanaged accounts, they are third parties you have no contract with and no visibility of, and staff are already sharing business data with them. Enterprise tiers with a signed agreement and tenant-level controls are a different proposition, but only if that is actually what your people are using.
4. Data protection
Essential Eight covers backups. It doesn't address how sensitive data is classified, who can access it, how it moves across third-party platforms, or how it is disposed of at end of life. For any business holding client data, patient records, or financial information, data protection deserves its own domain — not a footnote. AI platforms present a specific data exposure risk: sensitive client information, financial data, and personal records entered into public AI tools may be retained, logged, or used for model training, depending on the provider's terms and the tier in use. Consumer tiers typically reserve those rights unless the user opts out; enterprise agreements usually exclude training on customer data, which is one reason the distinction between sanctioned and unsanctioned use matters.
These four areas form part of Avocado's 12-domain assessment model precisely because we kept seeing them come up in engagements where Essential Eight had been implemented but incidents, near-misses, or board questions persisted.
The real cost of not knowing
The ASD's most recent Annual Cyber Threat Report (2024–25) puts the average self-reported cost of a cyber incident at $56,600 for an Australian small business and $97,200 for a medium business — the latter up 55% on the previous year. These aren't enterprise breach figures. They're the cost of an incident at a business your size, with your team, and your budget to recover from it.
ASD received over 84,700 cybercrime reports in that single year — one every six minutes. And critically, the majority of incidents continue to exploit known weaknesses such as unpatched software, weak or reused credentials, and missing multi-factor authentication, not sophisticated zero-day attacks.
This is the part that matters most for mid-market businesses: the controls that prevent most incidents are not exotic or expensive. They're the same controls that appear on the Essential Eight checklist. The problem isn't that businesses lack the tools — it's that they lack a clear view of which gaps actually matter for their size, sector, and operating model.
Compliance isn't the goal. Risk reduction is.
This is where many cyber conversations go wrong. The question "are we Essential Eight compliant?" is less useful than it sounds, for two reasons.
First, compliance is binary but risk is not. An organisation can tick every Essential Eight box and still carry significant exposure in governance, third-party access, or emerging areas like AI and cloud that the framework doesn't fully address. Conversely, a business that hasn't formally 'completed' Essential Eight might have the controls that matter most for their specific risk profile already in place.
Second, not every organisation needs the same controls. A regional healthcare provider faces different threats from those facing a manufacturing firm or a professional services practice. A right-sized approach to cyber uplift — one that reflects your sector, operating model, and actual risk exposure — will always outperform a generic framework application.
"The Essential Eight is a baseline, not a strategy. It tells you whether controls exist. The real question is whether they're effective for your business."
Where to start: clarity before controls
The most useful first step for any organisation that's uncertain about its cyber posture isn't buying a tool or engaging a consultancy for a full audit. It's establishing a clear, honest baseline — an objective view of where you actually sit across the controls that matter most.
A good baseline answers three questions:
- Are we exposed to the risks most likely to affect a business like ours?
- Which gaps actually matter, given our size, sector, and operating model?
- What should we fix first to get the biggest reduction in risk per dollar spent?
These questions don't require a long engagement or a formal audit to answer. They require an honest assessment of your current practices against the controls that carry the most weight — and a structured conversation with someone who understands how those controls show up in real operating environments.
None of this requires exotic or expensive controls. The majority of reported cybercrime each year comes from predictable, preventable exposures. Understanding your baseline isn't about compliance theatre — it's about knowing where you're genuinely exposed.
Cyber Resilience Checklist
Whether you're facing a cyber insurance renewal, a client security questionnaire, or just wondering if your business is exposed — this covers the 12 controls that come up most often. Tick what you have in place today. Gaps = priorities.
✓ Tick only if genuinely in place today: not just in a policy document, partially done, or planned. If you're unsure, leave it blank. Honest gaps are more useful.
▢ Leave blank if not fully in place: inconsistently applied, only on some systems, or reliant on a single person to maintain.
Your score (out of 12):
Significant gaps across core controls. Priority action needed before your next insurance renewal or client review.
Some controls in place but inconsistently applied. The question is which gaps carry the most risk for your business.
Strong foundations. Targeted uplift in specific domains will close remaining exposure and strengthen your risk story.
Solid controls in place. The next question is whether they're right-sized for your sector and operating model today.
Take the first step in under five minutes
Avocado's Cyber Maturity Self-Assessment gives you a clear baseline across 12 critical domains — spanning the Essential Eight fundamentals and the broader risks that matter for how organisations actually operate today, including cloud dependency, third-party exposure, identity, governance, and emerging AI risk.
The assessment takes under five minutes. No technical knowledge required. It's followed by a complimentary 30-minute walkthrough with one of our specialists, who will help you understand what your results mean in the context of your business — not just your score.