Brisbane's Trusted IT Partner – Vent Tech

Essential Eight for Not-for-Profits: A Plain-English Guide

If you’ve heard the term “Essential Eight” thrown around and thought it sounded like something only big corporations and government agencies need to worry about — you’re not alone. Most not-for-profit leaders we speak to have either never heard of it, or assume it doesn’t apply to them.

It does. And understanding it could be the difference between your organisation weathering a cyber attack and being devastated by one.

Here’s the Essential Eight explained in plain English, with practical context for NFPs.

What Is the Essential Eight?

The Essential Eight is a set of cybersecurity strategies developed by the Australian Signals Directorate (ASD) — the same agency responsible for national cybersecurity. It’s designed to help organisations protect themselves against the most common cyber threats.

It’s not a product you buy. It’s a framework — a prioritised list of eight things you should be doing to protect your systems and data. Think of it as a cybersecurity checklist, ranked by effectiveness.

The ASD recommends it for all Australian organisations. And while it’s not yet mandatory for most NFPs, it’s rapidly becoming the expected standard — especially for organisations that handle sensitive data or receive government funding.

The Eight Strategies — In Plain English

1. Application Control

What it means: Only approved software can run on your computers.

Why it matters for NFPs: Volunteers sometimes install random software on shared computers — free tools, games, browser extensions. Any of these could contain malware. Application control prevents unapproved programs from running, even if someone tries to install them.

In practice: Your IT provider sets up a whitelist of approved applications. Everything else is blocked automatically.

2. Patch Applications

What it means: Keep your software up to date.

Why it matters for NFPs: Outdated software — your web browser, PDF reader, accounting package — often has known security holes. Attackers exploit these holes. Patching closes them.

In practice: Critical updates should be applied within 48 hours. A managed IT provider handles this automatically so your team doesn’t have to think about it.

3. Configure Microsoft Office Macro Settings

What it means: Block or restrict macros in Office documents.

Why it matters for NFPs: Macros are small programs embedded in Word or Excel files. They’re a favourite delivery method for malware — especially via email attachments. “Please review the attached invoice” with a macro-laden spreadsheet is a classic attack.

In practice: Disable macros for most users. Only enable them for specific people who genuinely need them, with proper security controls.
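As an added example (not part of the original post), here is how the "disable for most users, signed-only for the few who need them" approach looks when set through the Office policy registry keys. It assumes Office 2016 or later (the "16.0" policy branch) and sets the current user's policy; in a managed environment the same values are normally pushed through Group Policy or Intune rather than by script.

```powershell
# Added example: apply and audit the Office macro policy for the current user.
# Assumes Office 2016/2019/365 (policy branch "16.0"). Group Policy / Intune
# are the usual delivery mechanism; this script shows what those policies set.

$OfficeApps = @('Word', 'Excel', 'PowerPoint')   # apps to configure (assumption)
$OfficeVer  = '16.0'

function Set-OfficeMacroPolicy {
    param(
        # Block  : disable all macros without notification (VBAWarnings = 4), the default for most users
        # Signed : allow only digitally signed macros (VBAWarnings = 3), for the few who need them
        [ValidateSet('Block', 'Signed')]
        [string]$Mode = 'Block'
    )
    $vbaWarnings = if ($Mode -eq 'Block') { 4 } else { 3 }
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVer\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $vbaWarnings -Type DWord
        # Always block macros in files that arrived from the internet (Mark of the Web),
        # which is how the "attached invoice" attack reaches the user
        Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    # Report the configured policy per app so an assessment can check it
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVer\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.BlockContentExecutionFromInternet
            Compliant         = ($p.VBAWarnings -in 3, 4) -and ($p.BlockContentExecutionFromInternet -eq 1)
        }
    }
}

Set-OfficeMacroPolicy -Mode Block
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run `Set-OfficeMacroPolicy -Mode Signed` only for the named users who genuinely need macros; the audit function reports `Compliant = False` for any app where macros are still allowed or internet-sourced files are not blocked.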

4. User Application Hardening

What it means: Lock down web browsers and other applications to reduce their attack surface.

Why it matters for NFPs: Things like Flash, Java applets, and unrestricted web ads are common attack vectors. Hardening means disabling features that attackers exploit but your team doesn’t need.

In practice: Configure browsers to block ads, disable unnecessary plugins, and prevent automatic downloads. Most users won’t notice the difference — except that they’re safer.

5. Restrict Administrative Privileges

What it means: Not everyone gets admin access.

Why it matters for NFPs: This is a big one for NFPs. We regularly see organisations where every user has full admin rights to their computer — or worse, shared admin credentials for cloud platforms. If one of those accounts gets compromised, the attacker has the keys to everything.

In practice: Give people the minimum access they need to do their job. Admin accounts are separate, monitored, and used only when necessary.
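A quick check that goes with this point, added here as an example and not taken from the original post: list who actually holds local Administrators membership on a computer and flag anyone not on the expected list. The expected list is a constructed placeholder; replace it with the accounts your organisation has deliberately approved.

```powershell
# Added example: audit local Administrators membership against an approved list.
# The approved list is constructed for illustration; substitute your own.

$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (should be disabled or tightly controlled)
    'CONTOSO\IT-Admins'                  # constructed example of an approved admin group
)

function Get-LocalAdminReport {
    param([string[]]$Expected = $ExpectedAdmins)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass       # User or Group
            Source      = $_.PrincipalSource   # Local, ActiveDirectory or AzureAD
            Expected    = ($_.Name -in $Expected)
        }
    }
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

# Every day-to-day user account that turns up here is a finding: it should be a
# standard user, with a separate admin account used only when necessary.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected local admin account(s): {1}" -f $unexpected.Count, ($unexpected.Name -join ', '))
}
```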

6. Patch Operating Systems

What it means: Keep Windows, macOS, and other operating systems up to date.

Why it matters for NFPs: Same logic as patching applications, but for the operating system itself. An unpatched OS is an open door. We still see NFPs running computers on Windows 10 that haven’t been updated in months — or worse, machines still on unsupported versions.

In practice: Automated updates managed centrally, with critical patches applied within 48 hours.
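The 48-hour target for critical patches (this strategy and Patch Applications above) is easy to state and hard to see, so here is an added example, not from the original post, that asks the Windows Update agent which updates are still pending and flags Critical or Important ones that have been available for longer than the window. It covers Windows itself and Microsoft products that update through Windows Update; third-party applications such as PDF readers or accounting packages need their own check.

```powershell
# Added example: report pending Windows updates that are past the 48-hour window.
# Uses the Windows Update Agent COM API available on every supported Windows build.

$SlaHours = 48   # the 48-hour target for critical updates

function Get-OverdueUpdates {
    param([int]$MaxAgeHours = $SlaHours)
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Software updates that are not installed and not hidden by an administrator
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $now = Get-Date
    foreach ($u in $result.Updates) {
        # LastDeploymentChangeTime is when the update was (last) published
        $ageHours = [math]::Round(($now - $u.LastDeploymentChangeTime).TotalHours, 1)
        $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $severity
            AgeHours = $ageHours
            Overdue  = ($severity -in 'Critical', 'Important') -and ($ageHours -gt $MaxAgeHours)
        }
    }
}

$pending = @(Get-OverdueUpdates)
$pending | Sort-Object AgeHours -Descending | Format-Table -AutoSize

$overdue = @($pending | Where-Object Overdue)
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) security update(s) have been available for more than $SlaHours hours"
}
```

An empty table means the machine is current; a warning means the automatic patching this section describes is not doing its job on that machine and someone needs to find out why.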

7. Multi-Factor Authentication (MFA)

What it means: Require a second form of verification beyond just a password.

Why it matters for NFPs: Passwords get stolen, guessed, and reused. MFA means that even if someone gets your password, they still can’t log in without the second factor (usually a code on your phone or a hardware key).

In practice: Enable MFA on everything — email, cloud storage, CRM, banking, social media accounts. It’s free on most platforms and is the single most effective security measure you can implement today.

8. Regular Backups

What it means: Back up your data regularly and make sure you can actually restore it.

Why it matters for NFPs: Ransomware encrypts your files and demands payment. If you have tested, working backups, you can recover without paying. If you don’t, you’re at the attacker’s mercy — and paying the ransom doesn’t guarantee you’ll get your data back.

In practice: Automated daily backups, stored separately from your main systems (so ransomware can’t encrypt them too), with regular restore testing to make sure they actually work.
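"Make sure you can actually restore it" is the part most often skipped, so here is an added example of a restore test, not code from the original post. It creates a few constructed sample files, backs them up to a separate folder, restores from that backup into a scratch folder, and checks every restored file's hash against the original. The folder paths are assumptions; point `-Backup` and `-RestoreTo` at a real backup location to test an actual backup job.

```powershell
# Added example: an offline backup restore test with hash verification.
# Sample data and paths are constructed for illustration.

function New-SampleData {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Set-Content -Path (Join-Path $Path 'donors.csv') -Value "id,name`n1,Example Donor"
    Set-Content -Path (Join-Path $Path 'grant-report.txt') -Value 'constructed sample content'
}

function Get-FolderHashes {
    # Map relative path -> SHA-256 so two folders can be compared file by file
    param([string]$Root)
    $map = @{}
    $rootLen = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($rootLen)
        $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

function Test-BackupRestore {
    param([string]$Source, [string]$Backup, [string]$RestoreTo)
    # 1. back up (your backup tool does this in practice; Copy-Item stands in here)
    Copy-Item -Path "$Source\*" -Destination $Backup -Recurse -Force
    # 2. restore from the backup copy, never from the live source
    Copy-Item -Path "$Backup\*" -Destination $RestoreTo -Recurse -Force
    # 3. verify: every original file must exist in the restore with an identical hash
    $orig = Get-FolderHashes -Root $Source
    $rest = Get-FolderHashes -Root $RestoreTo
    $problems = @(foreach ($rel in $orig.Keys) {
        if (-not $rest.ContainsKey($rel))    { "missing after restore: $rel" }
        elseif ($rest[$rel] -ne $orig[$rel]) { "hash mismatch: $rel" }
    })
    [pscustomobject]@{
        FilesChecked = $orig.Count
        Problems     = $problems
        Verified     = ($problems.Count -eq 0)
    }
}

$base = Join-Path $env:TEMP 'restore-test'
$src = "$base\live"; $bak = "$base\backup"; $rst = "$base\restored"
foreach ($d in $bak, $rst) { New-Item -ItemType Directory -Path $d -Force | Out-Null }
New-SampleData -Path $src
Test-BackupRestore -Source $src -Backup $bak -RestoreTo $rst | Format-List
```

The point of the separate restore folder is that the test never touches the live data, and the point of comparing hashes rather than file counts is that a backup that "completed" but wrote corrupted or truncated files still fails the check.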

Maturity Levels — You Don’t Have to Be Perfect on Day One

The Essential Eight uses a maturity model with four levels:

  • Maturity Level Zero — Significant weaknesses. This is where most NFPs start, and that’s okay.
  • Maturity Level One — Basic controls in place. Addresses the most common attack techniques. This is the realistic first target for most NFPs.
  • Maturity Level Two — Stronger controls, addressing more sophisticated threats.
  • Maturity Level Three — Comprehensive controls, aligned with the full framework.

The goal isn’t to jump straight to Level Three. It’s to understand where you are now, and take deliberate steps to improve. Moving from Level Zero to Level One is a significant improvement in your security posture — and it’s absolutely achievable on an NFP budget.

How to Get Started

The first step is an assessment — understanding where your organisation currently sits against each of the eight strategies. This gives you a clear baseline and a prioritised roadmap for improvement.

Here’s what that typically looks like:

  1. Assessment — Review your current IT environment against the Essential Eight framework
  2. Gap analysis — Identify where you’re exposed and what needs attention first
  3. Remediation plan — A practical, budgeted plan to close the gaps, prioritised by risk
  4. Implementation — Roll out the improvements in stages
  5. Ongoing management — Cybersecurity isn’t a one-off project. It requires continuous monitoring and maintenance

Get a Free Essential Eight Assessment

Not sure where your organisation stands? We offer a free Essential Eight assessment for not-for-profits — a straightforward review of your current cybersecurity posture against the ASD framework, with clear recommendations you can act on.

No jargon. No sales pitch. Just an honest picture of where you are and what to do next.

Book your free Essential Eight assessment →

Learn more about how Vent Tech supports not-for-profits →
