Essential Eight ML2 Uplift for Perth SMBs: Close the Ransomware Gap Between “We Have MFA” and Maturity Level 2
Your IT provider tells you that you have multi-factor authentication, your antivirus is up to date, and your backups run nightly. Then a staff laptop runs a macro from a Word document attached to what looked like a quote request, and forty-eight hours later your file server is encrypted, your backups are encrypted with it because they were on the same network share, and a ransom note is sitting on every desktop. You were probably at Essential Eight Maturity Level 1 — or close to it — but ML1 was never designed to stop a determined ransomware operator. Essential Eight ML2 Uplift from Cyber by Exegesis is the engagement that takes a Perth SMB from “we have the basics” to the maturity level the ACSC defines as resistant to targeted, well-resourced attackers.
The problem
Ransomware remains the highest-impact cyber loss category facing Australian SMBs. The ACSC Essential Eight Maturity Model is the most widely adopted framework for measuring how exposed an organisation is — and the jump from ML1 to ML2 is where the bulk of ransomware defence actually lives. ML1 stops opportunistic attackers using commodity tooling. ML2 raises the bar for attackers willing to invest time and money in your business specifically.
Most Perth SMBs we see are sitting at ML1 with gaps. Patching happens, but not within the ML2-defined timeframes for internet-facing services and operating systems. Multi-factor authentication is on email, but not on remote access, privileged accounts, or important data repositories. Administrative privileges are handed out for convenience and never revalidated. Application control either doesn’t exist or runs in audit mode with nobody reading the logs. Each gap on its own is survivable. Combined, they are the path a ransomware operator walks from initial access to your backups.
What Essential Eight ML2 Uplift does
Cyber by Exegesis runs a fixed-scope uplift engagement targeting the eight controls at Maturity Level 2 specifically — not ML3, not “ML2-ish”:
- A baseline assessment of your current posture across all eight mitigation strategies, scored against the ACSC ML2 definitions.
- Patching SLA tightening — internet-facing services patched within the ML2 window, operating systems and applications brought onto a defined schedule with evidence of compliance.
- Privileged access hardening — separate admin accounts, removal of standing local admin, validated requests, and re-authorisation on a defined cycle.
- Multi-factor extension beyond email — remote access, privileged actions, and access to important data repositories all brought under MFA, using phishing-resistant methods where the platform supports them.
- Application control catalogue — built from your real usage, deployed in enforcement mode (not audit) on user workstations, with a documented exception process.
- Microsoft Office macro restriction and user application hardening, configured to ML2 settings.
- Backup configuration review — backups isolated from the production network, restoration tested, retention aligned with ML2 expectations.
- A written report mapped control-by-control to the ACSC Essential Eight Maturity Model, with what was changed, what remains, and a 90-day review window.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope is the uplift project. We are not replacing your IT provider; we are setting the controls and the evidence trail, then handing the steady-state back to them.
How it works
- We confirm the engagement scope on a short call, identify the systems in scope, and request read-only access to your identity provider, endpoint management, and patching tooling.
- We run the baseline assessment against the eight ML2 control definitions and produce a gap report — what is already at ML2, what is at ML1, and what is below.
- We sequence the uplift work across a four-to-six-week window, with the lowest-disruption controls first (patching SLAs, MFA extension) and application control last, in a staged rollout.
- We test backup restoration end-to-end at least once during the engagement so you have evidence the recovery path works.
- We deliver the written report, the ML2 evidence pack (for insurers, clients, or your board), and the 90-day review window.
Why this matters in Perth
Perth SMBs sitting in the resources services, engineering, and professional services supply chains are increasingly being asked by larger clients to demonstrate cyber maturity against the Essential Eight as a condition of doing business — not just as a nice-to-have. ML1 is no longer enough for those conversations. The time-zone gap with the rest of Australia also means a Perth SMB hit by ransomware overnight loses several business hours before its incident response options open on the east coast, which makes prevention disproportionately valuable. And under the OAIC Notifiable Data Breaches scheme, a ransomware event that exposes customer PII is a notifiable breach — the cost of which lands well beyond the ransom itself.
Sources
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Essential Eight ML2 Uplift (waitlist)
Join the waitlist
We are sequencing engagements by sector and by current maturity baseline (organisations already at a clean ML1 first, organisations needing partial ML1 remediation second). Join the waitlist with your sector and a short note on your current state — we will tell you when we are ready to take a brief from your business.