Essential Eight ML3 Uplift for Melbourne SMBs: Hardening Against Ransomware When You Already Sit at ML2

You already did the hard work. You moved your Melbourne business off the back foot, implemented the Essential Eight to Maturity Level 2, and survived an audit or a tender questionnaire that asked for it. Now a client — a hospital network, a defence prime, a major bank — is asking whether you sit at ML3. Or your board has read enough about ransomware crews targeting Australian healthcare and finance that ML2 no longer feels like enough. Essential Eight ML3 Uplift from Cyber by Exegesis is the engagement to take an ML2 business to ML3 against the ransomware threat model that actually warrants it.

The problem

The ACSC Essential Eight Maturity Model is explicit that ML3 is not “ML2 with extra paperwork”. It is calibrated against adversaries who are adaptive, well-resourced, and willing to invest time in a specific target — the threat profile behind the ransomware campaigns that have hit Australian hospitals, logistics operators, and professional services firms. At ML3, application control is enforced from a hardened ruleset rather than a tolerated one. Microsoft Office macros are blocked from the internet without exception paths your users have quietly learned to abuse. Privileged access is segmented, just-in-time, and logged centrally with integrity protection. Multi-factor authentication is phishing-resistant. Patching windows tighten from weeks to 48 hours for internet-facing services.

Most Melbourne SMBs that think they are at ML2 are honestly at ML1 with ML2 ambition. Moving to genuine ML3 is a capital project, not a tick-box exercise — and the consequences of getting it wrong show up the morning your file shares are encrypted and your backup tenant is logged into from an attacker’s machine.

What Essential Eight ML3 Uplift does

Cyber by Exegesis runs a fixed-scope uplift engagement aligned to the ACSC Essential Eight Maturity Model:

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. This is a senior engagement; we scope it carefully and we are honest about whether ML3 is the right target for your business.

How it works

  1. We run a half-day current-state workshop with your IT lead and a representative from operations, confirming which systems are in scope and identifying any controls misclassified as ML2.
  2. We produce a gap report mapping every ML2-to-ML3 delta to a concrete change, with effort estimates and a sequencing recommendation.
  3. We work through the uplift in two- to four-week sprints, starting with application control and privileged access — the two highest-impact controls against ransomware.
  4. We validate each control with an evidence pack: configuration exports, log samples, and test results, not screenshots.
  5. We deliver the written ML3 attestation, a 12-month operational checklist, and a 90-day review point to confirm controls have not drifted.

Why this matters in Melbourne

Melbourne hosts a disproportionate share of Australia’s healthcare, defence-supply-chain, and financial-services SMBs — the exact sectors that ML3 is calibrated for, and the exact sectors that ransomware crews target because the operational impact of downtime forces fast payment decisions. An ML2 Melbourne SMB in one of these sectors is not under-resourced; it is under-aligned with the threat model it actually faces. The ACSC Small Business Cyber Security Guide flags ransomware as the dominant impact category for Australian businesses, and where an incident exposes customer PII the OAIC Notifiable Data Breaches scheme obligations follow within 30 days. ML3 is the maturity level designed to make that 30-day timeline a notification of a contained incident rather than a disclosure of a catastrophic one.

Join the waitlist

We are sequencing ML3 uplift engagements by sector (healthcare and defence supply chain first, financial services second) and by current maturity evidence. Join the waitlist with your sector and your most recent Essential Eight assessment — we will tell you when we are ready to take a brief from your business.