Essential Eight ML1 Uplift for Adelaide SMBs: Build the Baseline That Stops BEC From Becoming a Six-Figure Loss

Your bookkeeper forwards you an invoice from a supplier with “updated banking details — please use these going forward.” It looks right. The logo is right, the language is right, the amount is in the usual range. You authorise the transfer. A week later the real supplier calls. The money is gone, and when your insurer asks what cyber baseline you had in place, the honest answer is: none that you could name. Essential Eight ML1 Uplift from Cyber by Exegesis is the fixed-scope engagement that takes an Adelaide SMB from “no defined baseline” to ACSC Essential Eight Maturity Level 1 across all eight mitigation strategies — the baseline that closes the doors business email compromise depends on.

The problem

Business email compromise is consistently among the highest-loss scam categories reported to ACCC Scamwatch by Australian businesses. The reason BEC works on SMBs is rarely sophistication; it is the absence of a defined baseline. Multi-factor authentication is configured for some staff but not all. Macros are still enabled in Office by default. Application and OS patching slips behind by months. Admin accounts double as everyday mailboxes. Application control is undefined. Backups exist but have never been tested for restore.

The ACSC Essential Eight Maturity Model defines three maturity levels, with ML1 as the baseline appropriate for SMBs facing opportunistic and commodity attackers — exactly the threat profile behind most BEC attempts on Adelaide businesses. ML1 is not a high bar. But until you have actually measured against it, named the gaps, and closed them with evidence, you do not have a defensible position to your insurer, your customers, or — if a BEC incident exposes customer PII — to the OAIC under the Notifiable Data Breaches scheme.

What Essential Eight ML1 Uplift does

Cyber by Exegesis runs a fixed-scope engagement that takes an Adelaide SMB to ACSC Essential Eight Maturity Level 1 across all eight mitigation strategies.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the parent company behind the DRMO product. Our scope here is a defined ML1 baseline. We are explicit about the maturity level: this engagement delivers ML1, not ML2 or ML3, and the evidence pack says so.

How it works

  1. We confirm scope on a short call, identify the systems in scope (typically your Microsoft 365 or Google Workspace tenant, endpoints, and any line-of-business application), and request read-only access to assess current state.
  2. We run the gap assessment against ML1 for each of the eight strategies and produce a baseline report naming every gap.
  3. We propose a prioritised implementation plan, leading with the strategies that most directly close BEC pathways — MFA, macro settings, and admin-privilege separation.
  4. We implement the changes across a two to four week window, staged to avoid operational disruption, and validate each strategy reaches ML1.
  5. We deliver the evidence pack and run the 45-minute staff briefing, leaving you with a 90-day review window.

Why this matters in Adelaide

Adelaide’s SMB base is concentrated in defence supply chain, professional services, health, and education-adjacent organisations — sectors where customer PII and supplier-payment relationships are routine. That combination is exactly what BEC attackers target, and it is also the combination most likely to trigger an OAIC notification obligation if an email compromise spills into a data breach. An Adelaide SMB at ACSC Essential Eight ML1 has a named, evidenced baseline against the eight strategies the ACSC has prioritised — and a defensible answer when an insurer, a prime contractor, or a regulator asks what you had in place before the incident.

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens Essential Eight ML1 Uplift for Adelaide SMBs

We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, headcount, and current email tenant — we will tell you when we are ready to take a brief from your business.