Essential Eight ML1 Uplift for Australian SMBs: Closing the Controls Gap That BEC Attackers Walk Through
Your bookkeeper forwards an invoice to you for sign-off. It looks fine — supplier you know, amount in the usual range, only the bank account on the bottom is new. You approve it. A fortnight later the real supplier rings, the money is gone, and your insurer wants to know which baseline controls you had in place at the time. You realise the honest answer is “we never wrote them down.” Essential Eight ML1 Uplift from Cyber by Exegesis is the engagement that takes an Australian SMB from no defined baseline to ACSC Essential Eight Maturity Level 1 across all eight mitigation strategies — specifically tuned to close the gaps that business email compromise depends on.
The problem
ACCC Scamwatch consistently reports business email compromise among the highest-loss scam categories for Australian businesses. The mechanism is unglamorous: an attacker compromises a mailbox, sits quietly on top of an auto-forwarding rule, watches a real invoice thread, and then swaps the bank details at the right moment. Or they don’t bother compromising anything and simply spoof a domain that has no DMARC enforcement.
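The second route above, spoofing a domain without DMARC enforcement, is something a defender can check for in minutes. The following is an added example, not part of the Cyber by Exegesis engagement or its tooling: it parses a DMARC TXT record and reports whether it actually enforces, which is a different question from whether a record exists. The sample records are constructed; a real check would fetch `_dmarc.<domain>` from DNS first.

```python
"""Added example: decide whether a DMARC TXT record actually enforces a policy.
Sample records below are constructed for illustration, not real domains' data."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class DmarcVerdict:
    enforcing: bool           # True only if failing (spoofed) mail is quarantined/rejected in full
    policy: str               # effective p= policy, or "none" when no usable record exists
    reasons: List[str] = field(default_factory=list)

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase tag -> value map."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        tag, _, value = part.strip().partition("=")
        if tag:
            tags[tag.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record: Optional[str]) -> DmarcVerdict:
    """Return a verdict on a domain's DMARC record; None means no record was published."""
    if record is None:
        return DmarcVerdict(False, "none", ["no DMARC record: receivers accept spoofed mail"])
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcVerdict(False, "none", ["v=DMARC1 tag missing or malformed: record is ignored"])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcVerdict(False, "none", ["p= tag missing or invalid: no policy applies"])
    reasons: List[str] = []
    # pct= (default 100) scales enforcement; anything below 100 lets a share of spoofed mail through.
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if re.fullmatch(r"\d{1,3}", pct_raw) and int(pct_raw) <= 100 else 100
    if policy == "none":
        reasons.append("p=none is monitoring only: spoofed mail is still delivered")
    elif pct < 100:
        reasons.append(f"pct={pct}: only {pct}% of failing mail gets {policy}")
    # sp= governs subdomains and inherits p= when absent; sp=none reopens the subdomain hole.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        reasons.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        reasons.append("no rua= address: nobody receives aggregate reports")
    return DmarcVerdict(policy in ("quarantine", "reject") and pct == 100, policy, reasons)

# Constructed sample records, from a typical "no baseline" state through to an enforcing one.
SAMPLE_RECORDS = {
    "no record": None,
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com.au",
    "enforcing": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com.au",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        v = evaluate_dmarc(record)
        print(f"{label:13} enforcing={v.enforcing} policy={v.policy} {'; '.join(v.reasons)}")
```

Only the "enforcing" sample passes; the "monitor only" record is the common case of a domain that has DMARC on paper and no protection in practice.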
The ACSC Essential Eight Maturity Model exists because most Australian SMBs do not have a defined cyber baseline at all. ML1 is the starting line — application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. Each one of those eight, done to ML1, removes a step the BEC attacker is relying on: MFA stops the credential-phish, macro settings stop the malware-laden invoice, admin restrictions stop the mailbox-rule abuse, backups give you a path back if it goes wrong anyway. The ACSC Small Business Cyber Security Guide says the same thing in plainer language.
The gap is not that SMBs don’t know the Essential Eight exists. The gap is that nobody has sat down, scored where they actually are, and built the 90-day plan to get to ML1.
What Essential Eight ML1 Uplift does
Cyber by Exegesis runs a fixed-scope engagement that takes you from undefined to ML1 across all eight:
- A gap assessment against each of the eight mitigation strategies at ML1 — scored honestly, with current evidence noted against each.
- A prioritised implementation plan sequenced by BEC-relevance: MFA on email and remote access first, macro settings and user application hardening second, then patching cadence, admin privilege restriction, application control, and backup verification.
- Configuration changes applied (or specified for your IT provider to apply) across Microsoft 365 or Google Workspace, your endpoints, and your backup target.
- An evidence pack — screenshots, policy text, and tenant settings — that you can hand to an insurer, an auditor, or the OAIC if you ever need to demonstrate the controls were in place.
- A 60-minute walkthrough with the owner or operations lead so the controls are understood, not just configured.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope is the ML1 baseline. We are deliberate about not blurring into ML2 or ML3 territory; ML1 is what most Australian SMBs need first, and pretending otherwise wastes your budget.
How it works
- We confirm scope on a short call, identify your email tenant, endpoint fleet, and backup arrangement, and request read-only access to the relevant admin consoles.
- We run the ML1 gap assessment across all eight strategies and deliver a scored baseline report within the first week.
- We sequence the implementation plan — BEC-relevant controls first — and either apply changes directly or hand specifications to your existing IT provider.
- We verify each control with evidence (settings exports, MFA enrolment counts, backup restore test) and assemble the evidence pack.
- We run the 60-minute walkthrough with you, document the residual gaps that sit beyond ML1, and leave you with a 90-day review window.
Why this matters in Australia
Every Australian SMB that holds customer personal information sits under the Privacy Act, and any business with turnover above $3 million (plus several specific sectors regardless of turnover) is subject to the OAIC Notifiable Data Breaches scheme. A BEC incident that exposes customer data is not just a financial loss — it is a notifiable event with a regulator timeline attached. ACSC built the Essential Eight as the prioritised baseline precisely because it is the cheapest, fastest way for an Australian organisation to reduce the likelihood of the incident in the first place, and to demonstrate due diligence if one occurs. ML1 is the floor, not the ceiling — but the floor is where most Australian SMBs are not yet standing.
Sources
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Essential Eight ML1 Uplift (waitlist)
Join the waitlist
We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, headcount, and current email tenant — we will tell you when we are ready to take a brief from your business.