Essential Eight ML2 Uplift for Adelaide SMBs: Close the BEC Gap Your ML1 Baseline Still Leaves Open

You did the work last year. You got to Essential Eight Maturity Level 1 — MFA on the main accounts, patching mostly current, macros locked down, admin accounts at least nominally separated. Then your bookkeeper got an email that looked exactly like one from a long-standing supplier, with a quietly updated BSB on the invoice. ML1 is a real baseline, but it is not the level that stops Business Email Compromise once an attacker is already inside a mailbox or has fully studied your domain. Essential Eight ML2 Uplift from Cyber by Exegesis is the engagement that takes an Adelaide SMB from ML1 to ML2 with BEC specifically in mind.

The problem

The ACSC Essential Eight Maturity Model describes ML2 as a step up in both the consistency and the coverage of the eight mitigations — tighter patching SLAs, multi-factor on more touchpoints (not just the front door), restricted administrative privileges that are actually reviewed, and application control with a maintained catalogue rather than a one-off rollout. BEC exploits the gaps that ML1 tolerates: a finance user whose mailbox isn’t covered by phishing-resistant MFA, a privileged account that is also used for daily email, an unpatched edge device that becomes an inbound foothold, or macro and application settings inconsistent across the fleet.

ACCC Scamwatch continues to rank business email compromise among the highest-loss scam categories reported by Australian businesses. The ACSC Small Business Cyber Security Guide is direct about why: BEC defence depends on layered controls working together, not any single product. ML1 gets one layer in place. ML2 is where the layers start reinforcing each other.

What Essential Eight ML2 Uplift does

Cyber by Exegesis runs a fixed-scope uplift project against the eight mitigations, with the BEC threat model held in mind throughout:

• A current-state assessment against each of the eight controls, mapped to the ML2 descriptors in the ACSC Essential Eight Maturity Model — so the gap from ML1 to ML2 is documented before any change is made.
• Patching SLA tightening for operating systems and applications, with a measurable internal target and a monitoring approach you can sustain.
• Administrative privilege hardening — separate accounts for admin work, no email or web browsing from privileged sessions, and a review cadence.
• Multi-factor authentication extended to all internet-facing services and to privileged users, not just the main identity provider login.
• An application control catalogue stood up and maintained, rather than a one-off allow-list that drifts.
• A short written report mapping each control to its ML2 evidence, what was changed, what remains, and a 90-day review window.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. We set the controls to ML2 and step back; we are not your IT provider and we are not your incident responder.

How it works

1. We confirm scope on a short call, agree the systems and identities in scope, and request read-only access to your identity provider, endpoint management, and patching tooling.
2. We baseline each of the eight mitigations against the ML2 descriptors and produce a current-state gap report.
3. We sequence the remediation across the eight controls — patching SLAs and MFA coverage first, then privileged access, then application control catalogue, with each change validated before the next.
4. We sit with your finance and operations leads for 30 minutes to confirm BEC-specific behaviours: how supplier bank-detail changes are verified, how privileged accounts are used day to day.
5. We deliver the written report with ML2 evidence per control and the 90-day review window.

Why this matters in Adelaide

Adelaide’s SMB base — defence-adjacent suppliers, manufacturers, professional services, and an expanding health and research cluster — increasingly sits in supply chains that ask hard questions about cyber maturity. An ML1 attestation is a baseline; an ML2 posture is what larger primes, government buyers, and insurers are starting to expect. The same uplift that helps an Adelaide SMB answer those questions is the one that closes the door BEC attackers walk through: covered MFA, disciplined privileges, current patches, and application control that actually holds.

Sources

• ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
• ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
• ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
• OAIC Notifiable Data Breaches scheme (in the event a BEC incident results in an eligible data breach): https://www.oaic.gov.au/privacy/notifiable-data-breaches
• Cyber by Exegesis — Essential Eight ML2 Uplift (waitlist)

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens Essential Eight ML2 Uplift for Adelaide SMBs

We are sequencing engagements by current maturity (confirmed ML1 first) and by identity provider. Join the waitlist with your sector, employee count, and identity provider — we will tell you when we are ready to take a brief from your business.