Essential Eight ML2 Uplift for Adelaide SMBs: Closing the Ransomware Gap Between Maturity Level 1 and 2

Your bookkeeper comes in on Monday morning to find every file on the shared drive renamed with a strange extension, a text file on the desktop demanding payment in cryptocurrency, and your line-of-business application refusing to open. You have backups — probably — but you are not sure when they were last tested, and the attacker’s note says they have already copied your customer data. You did an Essential Eight ML1 assessment last year and ticked most of the boxes. ML1 was not enough. The Essential Eight ML2 Uplift from Cyber by Exegesis is the engagement designed to close that gap for Adelaide SMBs before the Monday morning phone call.

The problem

The ACSC Essential Eight Maturity Model is explicit that ML1 is calibrated against opportunistic attackers using widely available tradecraft, while ML2 is calibrated against adversaries willing to invest more time and effort — which is the bracket most ransomware crews now operate in. A business sitting at ML1 typically has patching cadences measured in months, broad local-admin rights, application control either absent or in audit-only mode, and multi-factor authentication on email but not on every internet-facing service or privileged action.

That is the exact configuration ransomware affiliates look for. They land via a phished credential or an unpatched edge device, escalate using a local admin token that should not exist, disable defences using tools that application control would have blocked, and reach the file server before anyone notices. The ACSC Small Business Cyber Security Guide and the Essential Eight maturity model together describe what ML2 looks like in practice — tightened patching SLAs, hardened admin privilege handling, an application control catalogue, and MFA extended to more touchpoints. That is what this engagement delivers.

What Essential Eight ML2 Uplift does

Cyber by Exegesis runs a fixed-scope engagement to lift a business already broadly at ML1 to ML2 across the eight mitigation strategies:

• A current-state assessment against each of the eight strategies, calibrated against the ACSC Essential Eight Maturity Model definitions for ML2 specifically — not ML3, and with the boundary documented in writing.
• Patching SLA tightening for operating systems and applications, with the cadence shortened to match ML2 expectations and a register of internet-facing services patched on the faster track.
• Privileged-access redesign — removing standing local-admin rights, separating privileged accounts from day-to-day accounts, and re-validating who actually needs what.
• An application control catalogue moved from audit-only or absent to enforced on workstations, with an exception process your business can actually live with.
• MFA extended beyond email to remote access, privileged actions, and your important business systems.
• A short written report mapping each control change to the ML2 definition, plus a 90-day review window.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. This engagement is preventive uplift. We set the controls to ML2 and step back; we are not your MSP and we are not your incident responder.

How it works

1. We confirm scope on a short call, identify your tenant (Microsoft 365 or Google Workspace), your endpoint estate, and any line-of-business systems in scope.
2. We run the ML1-to-ML2 gap assessment across all eight strategies and produce a baseline report with each gap mapped to the ACSC maturity definitions.
3. We sequence the uplift work into a four to six week plan — patching and MFA first, privilege redesign second, application control catalogue last — so production disruption is staged.
4. We apply the changes alongside your IT provider (or directly, if you do not have one), with each step signed off against the ML2 definition.
5. We deliver the written report, walk your leadership through what changed and what remains out of scope for ML3, and leave you with the 90-day review window.

Why this matters in Adelaide

Adelaide’s SMB base skews toward manufacturing, defence-adjacent services, professional services, and healthcare — sectors where ransomware downtime translates directly into missed delivery windows, breached contracts, and in healthcare an almost-certain Notifiable Data Breaches scheme obligation under the Privacy Act. An Adelaide SMB at ML1 is defended against opportunistic attackers; an Adelaide SMB at ML2 is defended against the tradecraft that actually shows up in Australian ransomware incidents. The cost of the uplift is small against the cost of a week of downtime and a notification to the OAIC.

Sources

• ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
• ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
• OAIC Notifiable Data Breaches scheme (in the event a ransomware incident results in an eligible data breach): https://www.oaic.gov.au/privacy/notifiable-data-breaches
• Cyber by Exegesis — Essential Eight ML2 Uplift (waitlist)

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens ML2 Uplift for Adelaide SMBs

We are sequencing engagements by sector and by current maturity state. Join the waitlist with your sector, your approximate headcount, and whether you have a prior ML1 assessment on file — we will tell you when we are ready to take a brief from your business.