Essential Eight ML2 Uplift for Sydney SMBs: Closing the Ransomware Gap Between Maturity Level 1 and Maturity Level 2
You did the ML1 work last year. Patching is mostly happening, MFA is on email, backups are running, and the auditor stopped frowning. Then a finance contractor opens a macro-enabled document from a “prospective client”, a local admin account that nobody got around to scoping down does its job, and by Sunday night your file server is encrypted and the threat actor wants payment in Monero. ML1 is the floor, not the ceiling — and ransomware operators have spent the last three years industrialising attacks against exactly the gap between ML1 and ML2. Essential Eight ML2 Uplift from Cyber by Exegesis is the engagement that closes that gap.
The problem
The ACSC Essential Eight Maturity Model is explicit that ML1 is calibrated against attackers content to use widely available commodity tradecraft, while ML2 is calibrated against adversaries willing to invest more time in a specific target and in the effectiveness of their tools. Ransomware incidents against Australian businesses commonly look like ML2-class tradecraft hitting ML1-class defences: a foothold via a macro or a phishing link, privilege escalation through an under-scoped admin account, lateral movement with tooling that runs because nothing restricts what executes, and then mass encryption.
The eight mitigations are the same at every level — application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, regular backups — but the bar rises sharply at ML2. Patching widens from online services, productivity suites and browsers to other applications, drivers and firmware, each with its own timeframe and scanning cadence. Macros move from "blocked if the file came from the internet" to also being blocked from making Win32 API calls, with allowed and blocked macro executions centrally logged. Privileged access has to be revalidated at least every 12 months and is disabled after 45 days of inactivity, administration goes through jump servers, and MFA is required to authenticate privileged and unprivileged users of systems rather than only users of online services. Application control extends from workstations to internet-facing servers, picks up Microsoft's recommended block rules, and logs what it allows and blocks. Backups gain restrictions on privileged accounts other than backup administrators accessing, modifying or deleting them. The ACSC Small Business Cyber Security Guide treats the Essential Eight as the baseline for small business; in practice the step from ML1 to ML2 is where many Australian SMBs stall, and it is also where ransomware operators do their best work.
What Essential Eight ML2 Uplift does
Cyber by Exegesis runs a fixed-scope project to lift an SMB already operating at ML1 to ACSC Essential Eight Maturity Level 2:
- A baseline assessment against the ACSC Essential Eight Maturity Model, mitigation by mitigation, with explicit ML1-vs-ML2 evidence captured for each control.
- Patching scope and cadence for applications and operating systems, keeping the ML1 timeframes for online services and the core application set and extending patching and vulnerability scanning to other applications, drivers and firmware at the ML2 timeframes.
- Administrative privilege handling — separation of privileged and unprivileged operating environments, removal of standing local-admin rights, administration through jump servers, managed credentials for local administrator, service and break-glass accounts, central logging of privileged access and account management events, and automatic disablement of privileged access after 12 months without revalidation or 45 days of inactivity.
- An application control catalogue — extending the allow-list from workstations to internet-facing servers and from user profiles and temporary folders to all locations, implementing Microsoft's recommended block rules, centrally logging allowed and blocked executions, and writing down the exception process.
- MFA extended beyond email to remote access, privileged and unprivileged users of systems, and any internet-facing service that authenticates a user, with successful and unsuccessful MFA events centrally logged.
- A written ML2 attestation pack — control-by-control evidence suitable for an insurer, a customer due-diligence request, or a board paper.
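The administrative privilege item above turns on two dates per account: when privileged access was last revalidated and when the account last logged on. The script below is an added example for this page, not tooling from Cyber by Exegesis or ACSC; it reads a constructed CSV export (the column names `sam_account`, `enabled`, `is_privileged`, `last_logon`, `last_revalidated` and the accounts in it are assumptions) and lists which enabled privileged accounts fail the ML2 criteria of revalidation within 12 months and activity within 45 days, treating a missing date as a failure rather than an unknown.

```python
"""
Check a privileged-account export against two Essential Eight ML2 criteria
for restricting administrative privileges: privileged access is disabled
after 12 months unless revalidated, and after 45 days of inactivity.

Added example for this page, not tooling from Cyber by Exegesis or ACSC.
The CSV column names and the account records are constructed; replace
SAMPLE_EXPORT with a real export from your directory or identity provider.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

REVALIDATION_MAX_DAYS = 365  # ML2: revalidate privileged access at least every 12 months
INACTIVITY_MAX_DAYS = 45     # ML2: disable privileged access after 45 days of inactivity

REASON_REVALIDATION = "privileged access not revalidated within 12 months"
REASON_INACTIVE = "no logon within 45 days"

# Constructed export (hypothetical accounts). Dates are ISO 8601; an empty
# last_logon means the directory has never recorded a logon for the account.
SAMPLE_EXPORT = """\
sam_account,enabled,is_privileged,last_logon,last_revalidated
adm-jsmith,true,true,2024-05-30,2023-06-01
adm-kwong,true,true,2024-03-01,2024-01-15
svc-backup,true,true,2024-05-31,2024-04-01
adm-old,false,true,2022-01-01,2022-01-01
jsmith,true,false,2024-05-31,
adm-never,true,true,,2024-05-01
"""


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str


def _parse_date(value: str) -> date | None:
    return date.fromisoformat(value) if value else None


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def check_privileged_accounts(export_csv: str, today: date) -> list[Finding]:
    """Return one Finding per ML2 criterion an enabled privileged account fails."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        # Only enabled privileged accounts are in scope: disabled ones already
        # satisfy the control and unprivileged ones are outside it.
        if not (_is_true(row["is_privileged"]) and _is_true(row["enabled"])):
            continue
        name = row["sam_account"]
        last_revalidated = _parse_date(row["last_revalidated"])
        last_logon = _parse_date(row["last_logon"])

        # No revalidation on record counts as overdue, not as unknown.
        if last_revalidated is None or (today - last_revalidated).days > REVALIDATION_MAX_DAYS:
            findings.append(Finding(name, REASON_REVALIDATION))
        # Likewise an account that has never logged on is inactive by definition.
        if last_logon is None or (today - last_logon).days > INACTIVITY_MAX_DAYS:
            findings.append(Finding(name, REASON_INACTIVE))
    return findings


def accounts_to_disable(findings: list[Finding]) -> list[str]:
    """Accounts whose privileged access the control says should be disabled now."""
    return sorted({f.account for f in findings})


def run_sample() -> list[Finding]:
    """Run the check over the constructed export as of a constructed date, 2024-06-01."""
    return check_privileged_accounts(SAMPLE_EXPORT, date(2024, 6, 1))


if __name__ == "__main__":
    results = run_sample()
    for finding in results:
        print(f"{finding.account}: {finding.reason}")
    print("disable:", ", ".join(accounts_to_disable(results)))
```

Run it as-is to see the three flagged accounts; in an engagement the output for each run goes into the evidence pack as the record of the revalidation cycle, and the same script rerun at the 90-day review shows drift.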
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is the uplift project itself; we set the controls to ML2, hand over the evidence pack, and step back.
How it works
- We confirm scope on a short call, identify the in-scope tenants and endpoints, and request read-only access to your identity provider, endpoint management, and patching tooling.
- We run the ML1-vs-ML2 baseline across all eight mitigations and produce a gap report — what is already at ML2, what needs tightening, and what is missing.
- We sequence the uplift across a four to six week window: patching scope and cadence first, then admin privilege handling, then macro and user application hardening, then the application control catalogue.
- We extend MFA to the remaining touchpoints (privileged actions, remote access, internet-facing services) and document the configuration.
- We deliver the written ML2 attestation pack with the evidence captured per mitigation and a 90-day review window for drift.
Why this matters in Sydney
Sydney concentrates the SMB segments that ransomware operators prefer — professional services, healthcare practices, logistics, and engineering firms — businesses with enough revenue to make payment plausible and enough operational dependency on shared file storage to make encryption painful. A Sydney SMB at ML1 is a viable target; the same business at ML2 is materially harder to compromise, materially harder to escalate inside, and materially better positioned if an incident does trigger the OAIC Notifiable Data Breaches scheme. Insurers, enterprise customers running supplier due diligence, and government tenders are increasingly asking for ML2 evidence rather than ML1 — and Sydney is where those conversations happen first.
Sources
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme (in the event a ransomware incident results in an eligible data breach): https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Essential Eight ML2 Uplift (waitlist)
Join the waitlist
We are sequencing engagements by sector and by current maturity evidence. Join the waitlist with your sector and a short note on which mitigations you believe are already at ML1 — we will tell you when we are ready to take a brief from your business.