Essential Eight ML2 Uplift for Australian SMBs: Close the Ransomware Gap Between Maturity Level 1 and Maturity Level 2
Your IT provider tells you that you are “at Essential Eight ML1” — patching happens, MFA is on for email, backups exist. Then on a Tuesday morning a finance laptop runs a macro from a Word document an attacker sent in reply to a months-old email thread, an admin account gets reused on three servers, and by Wednesday your file shares are encrypted and a ransom note is sitting on every desktop. ML1 is a starting line. Essential Eight ML2 Uplift from Cyber by Exegesis is the engagement that takes an Australian SMB from that starting line to the maturity level the ACSC describes as designed to resist adversaries operating with a modest step-up in tradecraft — the level where most opportunistic ransomware operators lose interest.
The problem
Ransomware remains the highest-impact cyber loss category for Australian SMBs. The ACSC Essential Eight Maturity Model frames the defence in terms of three maturity levels, and the gap between ML1 and ML2 is where most ransomware incidents actually land: patching cadences slip past the ML2 window, application control is unconfigured or set to audit-only, Office macros are not centrally restricted, administrative privileges are still attached to day-to-day user accounts, and MFA is enabled on email but not on the remote-access and privileged paths an attacker actually uses.
An SMB at ML1 has the right list of controls. An SMB at ML2 has those controls tightened to the point that the common ransomware playbook — phishing → macro or browser execution → privilege escalation → lateral movement → encryption — runs out of room. That tightening is what the ACSC describes in the ML2 column of the maturity model, and it is rarely something an internal IT function gets to in the normal run of work.
What Essential Eight ML2 Uplift does
Cyber by Exegesis runs a fixed-scope engagement to lift a business already operating at ML1 to ACSC Essential Eight Maturity Level 2 across the eight mitigation strategies:
- Patch applications and patch operating systems — tightened SLAs aligned to the ML2 timeframes described in the ACSC maturity model, with a written exception register for what cannot meet the SLA and why.
- Application control — moving from audit-only or absent to an enforced catalogue on workstations, scoped to your actual line-of-business applications rather than a generic allowlist.
- Configure Microsoft Office macro settings — central restriction to vetted, signed macros only, with the exceptions documented.
- User application hardening — browser and Office hardening aligned to ML2, including blocking Flash, ads, and Java where present, and restricting web browsers from processing the content categories the maturity model calls out.
- Restrict administrative privileges — separating administrative accounts from day-to-day accounts, removing standing local-admin rights, and putting privileged access behind MFA on a hardened path.
- Multi-factor authentication — extending MFA from email to the remote-access, privileged, and important-data-repository touchpoints the ML2 column requires.
- Regular backups — verifying backup frequency, retention, and (critically) that restoration has actually been tested against a ransomware-style scenario.
We deliver a written ML1-to-ML2 gap assessment, a remediation plan sequenced by ransomware risk reduction, the implementation across a fixed window, and a closing report stating the maturity level achieved per mitigation strategy.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is the ML2 uplift itself. We work alongside your existing IT provider or internal IT; we are not replacing them.
How it works
- We confirm the engagement scope on a short call and request read-only access to your identity tenant, endpoint management, patching tooling, and backup console.
- We produce a written ML1-to-ML2 gap assessment across all eight mitigation strategies, mapped line by line to the ACSC maturity model.
- We sequence the remediation plan by ransomware risk reduction — application control, macro restriction, admin privilege separation, and MFA extension typically lead.
- We implement the changes across a defined window (usually four to eight weeks), coordinated with your IT provider so business operations are not disrupted.
- We close with a written report stating the ML2 position achieved per strategy, the exceptions on record, and a 90-day review window to confirm the controls held.
Why this matters in Australia
Australian SMBs sit inside two regulatory and threat conditions that make the ML1-to-ML2 jump worth doing properly. First, the OAIC Notifiable Data Breaches scheme applies to a ransomware incident the moment personal information is accessed or exfiltrated and serious harm is likely — and modern ransomware almost always exfiltrates before it encrypts. Second, the ACSC publishes the Essential Eight Maturity Model as the national reference standard; insurers, larger customers, and government buyers increasingly ask SMBs to attest to a maturity level against it. Getting to ML2 — and being able to show the gap assessment and remediation record that got you there — is the answer to both pressures at once.
Sources
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Essential Eight ML2 Uplift (waitlist)
Join the waitlist
We are sequencing engagements by current maturity baseline and by endpoint estate size. Join the waitlist with your current ML1 status (self-assessed or externally assessed) and headcount — we will tell you when we are ready to take a brief from your business.