Essential Eight ML2 Uplift for Brisbane SMBs: Close the Ransomware Gap Between ML1 and ML2

Your office manager rings on a Monday morning. Nobody can open the shared drive. Files have weird extensions. A text file on the desktop is asking for payment in cryptocurrency and giving you 72 hours. Your IT provider tells you that, yes, you had MFA on email and yes, you were patching servers — but the workstation in reception was a month behind, the marketing user was a local admin, and once the attacker got in, application control was not enforced. You were nominally at ACSC Essential Eight Maturity Level 1. ML2 is what would have stopped this. Essential Eight ML2 Uplift from Cyber by Exegesis is the engagement that closes that gap.

The problem

The ACSC Essential Eight Maturity Model defines three implementation levels (ML1, ML2, ML3) across eight prioritised mitigation strategies. Most Brisbane SMBs that have done any cyber work sit somewhere around ML1: MFA on email, patching happening but not on a tight SLA, application control either off or in audit mode, admin accounts only loosely separated from day-to-day user accounts. ML1 stops opportunistic attacks. It does not reliably stop the targeted ransomware operators who now treat Australian SMBs as a viable revenue stream.

ML2 is where the controls tighten in the specific ways ransomware exploits: shorter patching windows for internet-facing services and operating systems, application control enforced (not just logged), admin privileges separated and revalidated, MFA extended beyond email to remote access and important data repositories, and macro execution constrained. None of these are exotic. All of them require deliberate project work — which is why most SMBs never finish the climb from ML1 to ML2 on their own.

If a ransomware incident exfiltrates personal information before encrypting it (which is now the norm), the OAIC Notifiable Data Breaches scheme is also in play, and your 30-day assessment clock starts at the point you reasonably suspect a breach.

What Essential Eight ML2 Uplift does

Cyber by Exegesis runs a fixed-scope project to take a Brisbane SMB already operating at ML1 up to ACSC Essential Eight Maturity Level 2 across all eight controls.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind DRMO. Our scope here is the uplift project itself. We work with your existing IT provider rather than replacing them.

How it works

  1. We confirm scope on a short call, then run a two-week baseline assessment with read-only access to your Microsoft 365 tenant, endpoint management, and patching tooling.
  2. We deliver the gap report — each of the eight controls, current maturity, target ML2 state, and the work required to close the gap.
  3. We sequence the work across roughly six to ten weeks, taking the highest-ransomware-impact controls first (patching, application control, admin privileges).
  4. We work alongside your IT provider for the implementation, with weekly checkpoints, and we validate each control as it reaches ML2.
  5. We hand over the final report, the application control catalogue, and the documented processes, then schedule the 90-day re-test.

Why this matters in Brisbane

Brisbane’s SMB base is heavy on construction, logistics, professional services, and health — sectors where downtime from a ransomware event translates directly into lost contracts, missed regulatory deadlines, and (for health providers and any business over the turnover threshold) an OAIC notification obligation. The ACSC Small Business Cyber Security Guide is explicit that the Essential Eight is the right baseline for Australian SMBs, and ML2 is the level at which the controls genuinely raise the cost of a ransomware operation against you. A Brisbane SMB at ML2 is not unhackable — but it is no longer the path of least resistance.

Join the waitlist

We are sequencing engagements by current maturity and endpoint platform (Microsoft-first environments first). Join the waitlist with your sector, headcount, and a one-line description of your current ML1 state — we will tell you when we are ready to take a brief from your business.