FairWorkMate

Essential 8 for HR-heavy SMEs — the cyber baseline your insurer now expects


Australian cyber-insurance renewals from 2025 increasingly require Essential 8 alignment to maturity level ML1 or ML2. For SMEs that hold HR + payroll data — even with just 10-50 staff — Essential 8 has gone from nice-to-have to insurance + client-RFP requirement. Here's what each of the eight controls means in plain English, and how it lands for an HR-heavy 25-staff business.


Senior Workplace Relations Writer · GradDip Employment Relations, Griffith University

Why a workplace-compliance site is writing about cyber

Because for an HR-heavy SME — 10 to 50 staff, no internal IT — the cyber side is now part of your workplace compliance load whether you wanted it or not.

Three things have shifted in the last two renewal cycles. First, cyber insurance premiums roughly doubled across Australian SMEs between 2023 and 2025, and insurers responded by getting much pickier about what they'll cover. Most renewals now ask "are you aligned to the ACSC Essential 8 at maturity level 1?" If you're not, you either pay a higher premium, get a lower coverage limit, or both. Second, larger clients increasingly require Essential 8 alignment in their procurement / RFP processes — especially government, healthcare, financial services and aged care. If you supply those sectors, your sales cycle now has a cyber questionnaire in it. Third, the Notifiable Data Breach scheme + the Privacy Act mean a breach of HR or payroll data is a notifiable event with a regulator investigation attached.

For a 25-staff workplace holding payroll, tax file numbers, medical certificates, performance records, and emergency contact details for every employee, that's a real legal + financial exposure. Essential 8 is the recognised baseline for managing it.

The eight controls in plain English

The Australian Cyber Security Centre's Essential 8 is eight specific controls that, between them, block the majority of common cyber incidents. Each has four maturity levels — ML0 (none), ML1, ML2, ML3 — with ML1 the baseline most insurers want and ML2 the level the federal government recommends for businesses holding sensitive data (which most HR-heavy SMEs do).

  1. Application control. Only approved software can run. Stops random executables a user clicks in an email.
  2. Patch applications. Web browsers, email clients, Office, PDF readers — patched within 48 hours of an extreme-risk vulnerability disclosure.
  3. Configure Microsoft Office macro settings. Macros blocked except where signed by a trusted source. Cuts the "dodgy spreadsheet" risk.
  4. User application hardening. Web browsers configured to block ads, Flash, Java + risky web content. Office configured to block stuff that pretends to be a document but is actually an executable.
  5. Restrict administrative privileges. Admin accounts are for admin work only. Most users (including HR) should not have local admin rights on their laptops.
  6. Patch operating systems. Same as #2 but for Windows / macOS itself.
  7. Multi-factor authentication. MFA on every business-account login. Most insurers now require phishing-resistant MFA (passkeys / FIDO2, not SMS) for ML2.
  8. Regular backups. Daily backups of important data, tested quarterly, with at least one offline + segregated copy. Ransomware recovery without backups = pay the ransom or close the doors.

What ML1 vs ML2 looks like for a 25-staff workplace

ML1 (baseline — insurance default). Office macros from the internet blocked, MFA on internet-facing services + privileged accounts, OS + applications patched within 30 days of high-risk vulnerability disclosure, daily backups retained for 1-3 months, application allow-listing on workstations + servers, admin privileges restricted, basic browser + Office hardening. Most Microsoft 365 Business Premium tenants are 60-70% of the way to ML1 out of the box — the remaining 30-40% is configuration the standard tenant doesn't set for you.

ML2 (federal government recommendation). Adds: macros blocked unless signed by a trusted source, MFA for all users (not just privileged), 48-hour patching for extreme-risk vulnerabilities, monthly backup-restore testing, restricted scripting (PowerShell etc.), and event log forwarding. ML2 is where the workload jumps — usually you need either a part-time IT contractor or a managed-service provider to maintain it.

ML3 (advanced). Targeted at organisations with high-impact data (defence, intelligence, large finance). Rarely required for SMEs.

Need the technology side handled? FairWork Mate's IT partner Frontrow Tech runs Modern Workplace, Copilot rollouts and Essential 8 cyber for Australian businesses — from sole traders setting up Microsoft 365 properly all the way to multi-site enterprise HR teams. Mention FairWork Mate when you contact them.

How HR-heavy SMEs typically get there

The pattern that works for a 25-staff workplace: start with the Microsoft 365 controls you've already paid for. M365 Business Premium includes Defender for Business, Conditional Access, Intune (MDM), and Purview — all of which contribute directly to Essential 8 ML1.

From there, the gaps are typically:

  • Application allow-listing — not configured by default; needs setup
  • Macro hardening — needs an Office policy
  • MFA enforcement on every user — needs a Conditional Access policy
  • Patch management for non-Microsoft apps (e.g. payroll software, Adobe, browser extensions) — needs an MDM rollout
  • Tested backups — needs a third-party backup tool because M365's built-in retention is NOT a backup
  • An incident response plan — needs writing + a tabletop exercise
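As an added example (not code from FairWork Mate or Frontrow Tech), here is the Conditional Access side of the "MFA enforcement on every user" gap, written against the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess and Policy.Read.All permissions, and that the break-glass account ID is a placeholder you replace with your own.

```powershell
# Added example: create an "MFA for all users" Conditional Access policy in
# report-only mode. Scoping to all users is the ML2 requirement in the article;
# ML1 only needs MFA on internet-facing services and privileged accounts.
# Assumes: Microsoft.Graph SDK installed; the caller has
# Policy.ReadWrite.ConditionalAccess and Policy.Read.All; the break-glass
# object ID below is a placeholder you must replace.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Never lock yourself out: always exclude at least one emergency-access account.
$breakGlassId = "<OBJECT-ID-OF-YOUR-BREAK-GLASS-ACCOUNT>"   # placeholder, not a real ID

# For the ML2 "phishing-resistant MFA" bar the article mentions, pick the
# built-in authentication strength by name instead of the plain "mfa" control.
$phishingResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }

$policy = @{
    displayName = "E8 ML2 - Require MFA for all users"
    # Report-only first: review the sign-in logs for a week, then set "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistant.Id }
        # Swap the line above for:  builtInControls = @("mfa")
        # if you only need "any MFA" rather than phishing-resistant methods.
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Gap check: list enabled policies that grant on MFA and show whether each one
# covers all users, so admin-only MFA policies stand out during an ML1/ML2 review.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq "enabled" -and
                   ($_.GrantControls.BuiltInControls -contains "mfa" -or
                    $null -ne $_.GrantControls.AuthenticationStrength.Id) } |
    ForEach-Object {
        [pscustomobject]@{
            Name     = $_.DisplayName
            AllUsers = ($_.Conditions.Users.IncludeUsers -contains "All")
        }
    }
```

Leave the policy in report-only mode until the sign-in log shows no legitimate users being blocked, then switch the state to "enabled".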

Most SMEs hit ML1 in 4-8 weeks of focused work with the right MSP. ML2 is another 6-12 weeks on top.

The workplace-law connection

If you hold HR + payroll data and you suffer a data breach, three legal exposures kick in at once. Privacy Act + Notifiable Data Breach scheme — the OAIC will investigate; remediation costs + civil penalties up to $50M apply to serious or repeated interferences. Fair Work Act s.535 record-keeping — your employee records still need to be accurate, accessible, and retrievable after the breach. General protections (s.340) — if an employee raises the breach internally and is retaliated against, that's an adverse action claim.

Essential 8 doesn't make you breach-proof. It makes you defensible — you took reasonable steps. That's what the Privacy Act and your insurer are both looking for.

If you want the workplace-law side of a specific scenario (e.g. "we had a breach, what do we owe affected employees, what does our policy need to say?"), ask the FairWork Mate AI advisor. For the Essential 8 implementation, talk to Frontrow Tech.

FairWork Mate is an independent commercial service. We are not affiliated with, endorsed by, or associated with the Fair Work Ombudsman, the Fair Work Commission, or any Australian Government agency. Content is general information and estimates only — not legal, financial, or tax advice. Always verify with the Fair Work Ombudsman (13 13 94) or a qualified professional.

About Rachel Morrison

Nine years in Australian workplace relations — Queensland hospitality HR, then retail ER in Brisbane and Northern NSW. Graduate Diploma in Employment Relations (Griffith University, 2018). Writes about award interpretation, underpayment recovery, and casual conversion. Member of the AHRI since 2019. Based in Paddington, Brisbane.

