The Essential Eight for schools, explained
The Essential Eight is Australia's baseline for cybersecurity. It's a set of eight strategies from the Australian Cyber Security Centre, the federal body that advises organisations on staying safe from cyber threats. If you've heard it mentioned in a board meeting or an audit and weren't quite sure what it actually covered, this is the plain-English version, written for the people who run schools rather than the people who run servers.
Why it matters for your school
Schools are a target, and not by accident. You hold thousands of records of student and staff data, you run on tight budgets, and you often have a small IT team, or none at all. That's exactly the combination attackers look for.
A breach isn't only a technical headache. It's a reportable privacy incident, a hit to the trust parents place in you, and weeks of disruption at a time of year you can't spare.
The Essential Eight is the clearest, most widely recognised way to show your board, your auditors and yourself that your school is doing the sensible things to stay protected. It won't make you invincible. It will close the doors attackers walk through most often.
The eight, in plain terms
- 01
Application control
Only software you've approved can run on school devices. It stops students, staff, or malware quietly installing things that shouldn't be there.
- 02
Patch applications
Keep everyday software like browsers, Office and PDF readers up to date. Attackers exploit known holes within days of them becoming public, so falling behind is genuinely risky.
- 03
Configure Microsoft Office macro settings
Lock down the small automated scripts that live inside Word and Excel files. They're one of the most common ways a dodgy email attachment turns into a full breach.
- 04
User application hardening
Switch off the risky features in browsers and apps that your school never uses but attackers rely on.
- 05
Restrict administrative privileges
Limit who holds the keys to everything. The fewer admin accounts you have, the less damage a single stolen login can do.
- 06
Patch operating systems
Keep Windows, macOS and your servers current, and retire anything too old to still get security updates.
- 07
Multi-factor authentication
A second step at login, like a code or an app approval, so a stolen password on its own isn't enough to get in. For most schools this is the single highest-impact control.
- 08
Regular backups
Back up your data and, just as importantly, test that you can actually restore it. Done properly, ransomware or a dead server becomes an inconvenience rather than a catastrophe.
How it's measured
The Essential Eight is graded across four maturity levels, from Level Zero (not really in place) to Level Three (robust against determined, well-resourced attackers).
Most schools should treat Level One as the floor and work towards Level Two. You don't need to be perfect across all eight. You need to know where you stand and close the gaps that matter most first.
Where schools usually fall short
Across Victorian schools, the same gaps come up again and again. Multi-factor authentication that's switched on for some accounts but not all. Backups that exist but have never been tested. Too many staff carrying administrator access they don't need. And patching that happens when someone remembers rather than automatically.
None of these are hard to fix once you can actually see them.
See where your school stands
You can get a sense of your school's readiness in about two minutes.
Or if you'd rather talk it through, book a school IT review and we'll walk your setup with you and tell you straight what's worth doing, and what isn't.