Essential Eight ML1 Uplift for Melbourne SMBs: Build the Baseline That Stops BEC Before It Reaches Your Accounts Team

Your bookkeeper forwards you a supplier invoice with “updated banking details” and a polite note to pay by Friday. The email address looks right. The signature block is right. The PDF is right. You pay. Ten days later the real supplier calls and the money is already gone. What that incident usually exposes is not a single missing control — it is the absence of a defined baseline. Essential Eight ML1 Uplift from Cyber by Exegesis is the engagement designed to give a Melbourne SMB that baseline across all eight ACSC mitigation strategies, in one fixed-scope project, before a BEC email finds the gap.

The problem

ACCC Scamwatch consistently ranks business email compromise among the highest-loss scam categories reported by Australian businesses each year. The attack itself is simple — a compromised or spoofed mailbox, an invoice intercepted or fabricated, a payment redirected — but the reason it works against most SMBs is structural. There is no defined baseline. Multi-factor authentication is on for some staff and not others. Microsoft 365 or Google Workspace administrator accounts are shared. Macros are unrestricted. Patches lag by months. Backups exist but have never been tested. Application control is not in place.

The ACSC Essential Eight Maturity Model defines three maturity levels (ML1, ML2, ML3) across eight mitigation strategies. ML1 is the entry-level baseline appropriate for most Australian SMBs — it is achievable, it is evidence-based, and it closes the structural gaps that BEC and adjacent attacks (ransomware, credential theft) depend on. The ACSC Small Business Cyber Security Guide is explicit that an SMB without this baseline is making attackers’ work easy.

What Essential Eight ML1 Uplift does

Cyber by Exegesis runs a fixed-scope engagement to take a Melbourne SMB from no defined baseline to ACSC Essential Eight Maturity Level 1 across all eight mitigation strategies.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. The scope here is ML1 and only ML1. We do not blur the line into ML2 territory and we do not claim controls we have not implemented.

How it works

  1. We confirm scope on a short call, identify in-scope systems (email tenant, endpoint fleet, server estate if any, backup target), and request read-only access to the tenant and endpoint console for the assessment.
  2. We run the gap assessment against the eight strategies at ML1 and deliver a baseline report — current state, target state, and the gap between them — usually within the first week.
  3. We sequence the implementation plan so MFA, admin restriction, macro settings, and user application hardening — the controls that most directly defeat BEC and credential theft — go first.
  4. We implement or guide implementation across a 4–6 week window, with weekly check-ins, change windows agreed in advance, and rollback steps documented.
  5. We compile the evidence pack, walk your owner or operations lead through it, and set the 90-day review window.

Why this matters in Melbourne

Melbourne hosts a dense population of professional services, light manufacturing, healthcare, and not-for-profit SMBs — organisations that hold customer PII, run accounts payable on a weekly cycle, and frequently fall under the OAIC Notifiable Data Breaches scheme if their turnover exceeds $3M or their sector triggers coverage. A Melbourne SMB without an Essential Eight ML1 baseline is exposed on two fronts at once: the BEC loss itself, and the notifiable data breach obligation if the compromise touches personal information. ML1 closes the structural gap on both. It is the cheapest defensible position an Australian SMB can hold.

Join the waitlist — first access when Cyber by Exegesis opens Essential Eight ML1 Uplift for Melbourne SMBs

We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, headcount, and current email tenant — we will tell you when we are ready to take a brief from your business.