Essential Eight ML1 Uplift for Sydney SMBs: A Defensible Baseline Against Business Email Compromise

Your bookkeeper forwards you an email from a supplier with new bank details and asks if she should update the payment file. You hesitate, because you have read enough stories to know this is how it starts — but you do not actually know whether your business has the controls in place to stop the next one, or the one after that. You have heard of the ACSC Essential Eight. You have never sat down and worked out where you sit against it. Essential Eight ML1 Uplift from Cyber by Exegesis is the engagement that takes a Sydney SMB from “no defined baseline” to a defensible Maturity Level 1 across all eight mitigation strategies — with BEC explicitly in scope.

The problem

Most Sydney SMBs cannot answer a simple question: which of the eight ACSC mitigation strategies are we actually doing, and at what maturity? The ACSC Essential Eight Maturity Model defines three levels (ML1, ML2, ML3). ML1 is the entry baseline — appropriate for SMBs whose adversaries are opportunistic rather than targeted — and it is the level your insurer, your clients, and increasingly your regulators expect you to be able to demonstrate.

Business email compromise sits at the intersection of several Essential Eight controls. ACCC Scamwatch consistently reports BEC among the highest-loss scam categories for Australian businesses, and the ACSC Small Business Cyber Security Guide flags the same control gaps that BEC exploits: missing multi-factor authentication, unrestricted macro execution, unpatched applications, and user accounts with more privilege than they need. An ML1 uplift is the structured way to close those gaps in one project rather than reactively after an invoice goes to the wrong account.

What Essential Eight ML1 Uplift does

Cyber by Exegesis runs a fixed-scope engagement that takes you from undefined to ML1 across all eight strategies.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same group behind the DRMO product. The ML1 uplift is a baseline engagement, not an ML2 or ML3 programme; we are explicit about that boundary and we do not imply otherwise in the report.

How it works

  1. We confirm scope on a short call, identify the systems in scope (email tenant, endpoints, line-of-business apps, backups), and request read-only access to assess current state.
  2. We run the gap assessment against each of the eight strategies at ML1 and document the current maturity per strategy.
  3. We deliver a prioritised implementation plan, sequencing controls so the ones most relevant to BEC — MFA, macro settings, admin privilege restriction — land first.
  4. We implement or supervise the changes across a defined four to six week window, with a checkpoint at the halfway mark.
  5. We compile the evidence pack, walk you through it, and leave you with a 90-day review trigger to confirm controls have not drifted.

Why this matters in Sydney

Sydney’s SMB base is heavy with the kinds of businesses BEC attackers prefer: professional services firms, property and conveyancing practices, brokers, and trade businesses that pay supplier invoices on regular cycles. The pattern in ACCC Scamwatch reporting is consistent — these are the businesses moving money on email-driven instructions, and an attacker who lands in the inbox of one of them has a clear path to a redirected payment. Reaching ML1 against the ACSC Essential Eight is not a silver bullet, but it closes the everyday control gaps BEC depends on, and it gives you something defensible to point at if an eligible breach lands you in front of the OAIC under the Notifiable Data Breaches scheme.

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens Essential Eight ML1 Uplift for Sydney SMBs

We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, employee count, and current email tenant — we will tell you when we are ready to take a brief from your business.