Essential Eight ML1 Uplift for Brisbane SMBs: Build the Baseline That Blocks Business Email Compromise
Your bookkeeper forwards an invoice to you for sign-off. The supplier name checks out, the amount looks right, and the bank details are “updated for the new financial year”. You approve the payment. A fortnight later the real supplier rings about an overdue account, and you start working backwards through your email tenant trying to figure out whether someone read your mail, whether macros ran on a finance machine, whether your admin accounts had MFA, and whether any of this is reportable to the OAIC. Essential Eight ML1 Uplift from Cyber by Exegesis is the engagement designed to put that baseline in place for a Brisbane SMB before the invoice lands.
The problem
Most Brisbane SMBs have not been measured against the ACSC Essential Eight, let alone hit Maturity Level 1 across all eight mitigation strategies. The gaps that BEC attackers depend on — unmanaged macros in Office, no application control, patchy multi-factor authentication on email and remote access, admin privileges handed out years ago and never reviewed, operating systems and applications patched on no fixed schedule, no usable backup of the email tenant — are exactly the gaps the Essential Eight Maturity Model targets at ML1.
BEC is the loss event that exposes the baseline. ACCC Scamwatch consistently ranks business email compromise among the highest-loss categories reported by Australian businesses. The ACSC Small Business Cyber Security Guide makes the same point in plainer language: a small set of practical controls, properly implemented, closes most of the door. ML1 is the level the ACSC describes as defending against adversaries using widely available tradecraft — which is exactly what BEC operators use.
What Essential Eight ML1 Uplift does
Cyber by Exegesis runs a fixed-scope engagement to lift a Brisbane SMB from no defined baseline to ACSC Essential Eight Maturity Level 1 across all eight mitigation strategies:
- A gap assessment against ML1 for each of the eight: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.
- A prioritised implementation plan sequenced to close the controls BEC depends on first — MFA on email and admin accounts, Office macro settings, and admin privilege restriction — before moving through the remainder.
- Configuration work in your Microsoft 365 or Google Workspace tenant and on the endpoints in scope.
- An evidence pack documenting the ML1 state of each mitigation, what was changed, and what your staff need to keep doing.
- A 45-minute handover session for the owner and whoever runs IT, focused on what ML1 means and what ML2 would later require.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. We are scoped to lift you to ML1 and hand you a defensible baseline. We are not your managed IT provider and we are not your incident responder.
How it works
- We confirm scope on a short call, identify the email tenant, endpoints, and admin accounts in scope, and request the read-only access we need to baseline the current state.
- We run the gap assessment against ML1 across all eight mitigation strategies and write it up as a single document.
- We sequence the implementation plan with BEC-relevant controls first — MFA, macro settings, admin privilege restriction — and apply changes across a two-to-four-week window.
- We work through the remaining mitigations (patching cadence, application control posture, user application hardening, backups) and verify each against the ML1 description in the ACSC maturity model.
- We deliver the evidence pack and run the handover session, then leave a 90-day review window in place.
Why this matters in Brisbane
Brisbane’s SMB base — construction, logistics, professional services, healthcare practices — moves a lot of money on supplier-invoice cycles, and a meaningful share of it still runs on lightly configured Microsoft 365 tenants set up years ago by whoever was cheapest. That is the environment BEC operators select for. A Brisbane SMB sitting at ML1 across all eight mitigations is materially harder to compromise: MFA blocks the credential-stuffing front door, macro settings and user application hardening blunt the malware path, admin privilege restriction limits what a foothold can do, and backups give you a recovery option if it happens anyway. ML1 is not the ceiling — it is the floor that turns BEC from a likely six-figure loss into a contained incident.
Sources
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Essential Eight ML1 Uplift (waitlist)
Join the waitlist
We are sequencing engagements by tenant type (Microsoft 365 first, Google Workspace second) and by sector. Join the waitlist with your sector, headcount, and current email tenant — we will tell you when we are ready to take a brief from your business.