Essential Eight ML1 Uplift for Perth SMBs: Build the Baseline That Stops Business Email Compromise
Your bookkeeper forwards an “updated remittance” email from a long-standing supplier and pays the invoice the same afternoon. The bank details were wrong. The mailbox the email came from had been quietly compromised for three weeks, with an auto-forwarding rule the attackers set up while nobody was looking. You start asking the obvious follow-up questions — does anyone here use MFA, when were our laptops last patched, what’s our admin account situation — and realise your Perth SMB has no defined cyber baseline at all. Essential Eight ML1 Uplift from Cyber by Exegesis is the engagement that fixes that, with BEC as the specific threat we are designing the controls against.
The problem
The ACSC Essential Eight Maturity Model defines three levels of implementation across eight mitigation strategies — patching applications, patching operating systems, multi-factor authentication, restricting administrative privileges, application control, restricting Microsoft Office macros, user application hardening, and regular backups. Maturity Level 1 (ML1) is the baseline the ACSC considers proportionate for SMBs facing opportunistic, non-targeted attackers — and BEC is exactly that kind of attacker.
Most Perth SMBs we see do not sit cleanly at ML1. They sit at “some of these, some of the time, on some of the laptops”. MFA might be on the email tenant but not on the accounting system. Patching is “when the laptop nags us”. Admin rights have been left on the founder’s day-to-day login since 2019. Backups exist but have never been restored. The ACSC Small Business Cyber Security Guide is clear that this in-between state is where BEC lands hardest — the attacker only needs one unpatched browser, one shared password, or one mailbox without MFA to get the foothold they convert into a redirected invoice and, potentially, an OAIC-notifiable data breach.
What Essential Eight ML1 Uplift does
Cyber by Exegesis runs a fixed-scope project to lift a Perth SMB from no defined baseline to ACSC Essential Eight Maturity Level 1 across all eight mitigation strategies, with BEC defence woven through every control:
- A gap assessment against each of the eight strategies, scored honestly against the ACSC Essential Eight Maturity Model — not a vendor self-assessment.
- A prioritised implementation plan that sequences the controls BEC attackers exploit first: MFA on email and remote access, application and OS patching cadence, admin-rights restriction, and Microsoft Office macro controls.
- Hands-on implementation alongside your IT provider (or, if you have none, with the tenant access we are given) — we configure, you operate.
- An evidence pack: a written record of what was configured, the policy settings applied, and the screenshots and exports needed to demonstrate ML1 to an insurer, a client procurement team, or a future auditor.
- A 90-day review window to check that the controls have held and nothing has drifted.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is to get you to ML1 cleanly and to leave you with evidence you actually sit there. We are explicit that this is ML1, not ML2 or ML3 — those are separate engagements with materially heavier control requirements.
How it works
- We confirm scope on a short call, list your systems in scope (email tenant, endpoints, line-of-business apps, backup target), and request read-only access for the assessment phase.
- We run the gap assessment against all eight Essential Eight strategies and deliver a baseline report scoring you against ML1.
- We agree the implementation sequence with you in priority order, BEC-relevant controls first, and book the change windows.
- We implement alongside your IT provider, document each change, and produce the evidence pack as we go.
- We close out with a walkthrough of the evidence pack and set the 90-day review date.
Why this matters in Perth
Perth’s SMB economy leans heavily on resources-sector supply chains, professional services, and engineering consultancies — businesses that pay and receive large invoices on predictable schedules, often across time zones that delay phone-based verification. That operating pattern is what makes Perth SMBs attractive to BEC operators, and ACCC Scamwatch consistently ranks BEC among the highest-loss scam categories reported by Australian businesses. An Essential Eight ML1 baseline closes the foothold paths BEC depends on — unpatched browsers, MFA-less mailboxes, over-privileged admin accounts — before the redirected-invoice email ever lands. It also gives you a defensible position with the OAIC if an incident later results in an eligible data breach.
Sources
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Essential Eight ML1 Uplift (waitlist)
Join the waitlist
We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, headcount, and current email tenant — we will tell you when we are ready to take a brief from your business.