Essential Eight ML2 Uplift for Brisbane SMBs: Closing the BEC Gap That ML1 Leaves Open
You did the ML1 work last year. Multi-factor on email, patched operating systems, daily backups, the basics. Then last month your office manager nearly paid a fake invoice — the email came from what looked like a director’s mailbox, replied into a real thread, asking to push through a supplier payment “before close of business”. You caught it on a phone call. Next time you might not. Essential Eight ML2 Uplift from Cyber by Exegesis is the engagement that takes a Brisbane SMB from ML1 — enough to deter opportunistic attackers — to ML2, which is where the controls start to bite on targeted business email compromise.
The problem
ACCC Scamwatch consistently ranks business email compromise among the highest-loss scam categories reported by Australian businesses. The attacker pattern that defeats ML1 is not exotic: a stolen session token from a phished staff member, a mailbox rule that auto-forwards anything containing the word “invoice”, or a privileged account used for daily email as well as administration. ML1 stops bulk, opportunistic attacks. It does not reliably stop an attacker who has already done five minutes of reconnaissance on your business.
The ACSC Essential Eight Maturity Model defines ML2 as the point where controls assume a more capable adversary — one willing to invest time to compromise a specific target. For an SMB, that translates to tighter patching SLAs, phishing-resistant multi-factor authentication on more than just email, application control with a managed catalogue rather than a default-allow posture, and the hard separation of privileged accounts from day-to-day mailboxes. Each of those controls directly raises the cost of the BEC kill chain.
What Essential Eight ML2 Uplift does
Cyber by Exegesis runs a fixed-scope project to lift a business already operating at ML1 to ACSC Essential Eight Maturity Level 2:
- Patching SLA tightening — operating systems and internet-facing applications brought onto an ML2-aligned patch window, with evidence of cadence rather than ad-hoc updates.
- Privileged access separation — admin accounts removed from daily-use mailboxes, the most common foothold an attacker pivots from in a BEC compromise.
- Application control catalogue — a managed allowlist for workstations, replacing the implicit trust most SMBs run by default. This is the control that stops a malicious attachment from ever executing the credential-stealer that starts most BEC incidents.
- Multi-factor expansion — phishing-resistant MFA pushed beyond email to remote access, privileged actions, and any system handling customer PII.
- Microsoft 365 or Google Workspace hardening — mailbox auto-forwarding rules audited, legacy authentication disabled, conditional access tuned to the ML2 bar.
- Written ML2 evidence pack — what was changed, what remains, the gap to ML3, and a 90-day review.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same parent company behind the DRMO live product. This engagement is preventive. We set the controls, document the evidence, and step back.
How it works
- We run a short scoping call to confirm you are genuinely at ML1 across the eight controls (a quick gap-check, not a full audit) and identify the systems in scope.
- We pull a baseline against the ACSC Essential Eight Maturity Model — what is at ML1, what is partially at ML2, where the gaps sit.
- We sequence the uplift across four to six weeks: privileged access separation and MFA expansion first (highest BEC impact), application control catalogue second, patching SLA tightening third.
- We work alongside your IT provider or internal admin — we are the consultancy setting the bar, not the hands replacing them.
- We deliver the written ML2 evidence pack, sit through a 45-minute walkthrough with the owner and the accounts team, and leave you with the 90-day review window.
Why this matters in Brisbane
Brisbane’s SMB base — construction, logistics, professional services, healthcare practices supporting the South East Queensland growth corridor — runs on supplier-invoice schedules and project-milestone payments. That is exactly the operating pattern BEC targets. A Brisbane SMB at ML1 has stopped the bulk attacker; ML2 is what stops the attacker who has read your website, knows who your project manager reports to, and has already phished a staff credential. The Notifiable Data Breaches scheme adds a second cost layer — a BEC incident that exposes customer PII is reportable to OAIC, and ML2 evidence is what your board, your insurer, and the regulator will ask to see.
Sources
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
Join the waitlist
We are sequencing engagements by current ML1 evidence quality and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, headcount, and a short note on where you think your ML1 baseline sits — we will tell you when we are ready to take a brief.