Introduction:
Achieving Essential Eight Maturity Level 2 (ML2) is a pivotal step for Australian organisations. It marks the transition from baseline hygiene to consistent, enforced controls that materially reduce adversary success. However, many organisations stall because ML2 is approached as a documentation exercise rather than a measurable uplift in security posture.
The key to ML2 success is focusing on controls that deliver visible, auditable improvement — not just policy intent.
Below are three tactics that consistently drive measurable uplift to ML2.
1. Enforce Application Control Where It Matters Most
Application control is often the most challenging Essential Eight control — and the most powerful when implemented correctly.
To reach ML2, organisations don’t need perfection across every endpoint. They need effective enforcement in high-risk areas, such as:
- Internet-facing user endpoints
- Systems used for administrative tasks
- High-value servers and application hosts
Measurable uplift comes from:
- Blocking execution of unapproved executables by default
- Preventing user-writeable directories from launching code
- Actively logging and reviewing blocked execution attempts
Metrics that demonstrate ML2 uplift include:
- Percentage of endpoints with enforced application control
- Reduction in successful execution from user-writeable paths
- Number of blocked malware and script executions
When attackers can no longer run arbitrary code, their ability to establish persistence or deploy ransomware collapses.
2. Patch to Timeframes That Actually Reduce Exploitability
ML2 requires patching to defined timeframes — not “best effort.”
This means:
- Operating system patches applied within ACSC-recommended windows
- Applications such as browsers, PDF readers, and office software patched rapidly
- Internet-facing services prioritised for remediation
The measurable difference between ML1 and ML2 is consistency.
Organisations at ML2 can demonstrate:
- Mean time to patch (MTTP) within defined thresholds
- Patch compliance rates across user and server fleets
- Rapid remediation of critical vulnerabilities
From an adversary perspective, delayed patching is an invitation. ML2 dramatically reduces exposure to known exploits used in ransomware and initial access campaigns.
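One way to produce the MTTP and patch compliance figures listed above from patch records, shown as an added example that is not part of the original article. The window lengths in `WINDOWS`, the asset class names, and the sample records are assumptions constructed for illustration; substitute the timeframes from your own patching standard.

```python
from datetime import date
from statistics import mean

# Assumed patch windows in days per asset class. Placeholders only: take the
# real values from your own patching standard, not from this example.
WINDOWS = {"internet_facing": 14, "user_application": 14, "operating_system": 30}

# Constructed sample records: (host, asset_class, patch_released, patch_applied).
# patch_applied is None while the patch is still missing on that host.
RECORDS = [
    ("web01", "internet_facing", date(2024, 3, 1), date(2024, 3, 6)),
    ("web02", "internet_facing", date(2024, 3, 1), date(2024, 3, 20)),
    ("wks14", "user_application", date(2024, 3, 5), date(2024, 3, 12)),
    ("wks15", "user_application", date(2024, 3, 5), None),
    ("srv07", "operating_system", date(2024, 3, 10), date(2024, 4, 2)),
    ("srv08", "operating_system", date(2024, 3, 10), None),
]

def patch_metrics(records, windows, as_of):
    """Per asset class: MTTP over applied patches, compliance over due items,
    and the hosts that are unpatched past their window."""
    report = {}
    for asset_class, window in windows.items():
        applied_days, on_time, overdue = [], 0, []
        for host, cls, released, applied in records:
            if cls != asset_class:
                continue
            if applied is not None:
                days = (applied - released).days
                applied_days.append(days)
                on_time += days <= window
            elif (as_of - released).days > window:
                overdue.append(host)  # missing and past the window
            # Missing but still inside the window: not yet due, not counted.
        due = len(applied_days) + len(overdue)
        report[asset_class] = {
            "mttp_days": mean(applied_days) if applied_days else None,
            "compliance_pct": round(100 * on_time / due, 1) if due else None,
            "overdue": overdue,
        }
    return report

if __name__ == "__main__":
    for cls, metrics in patch_metrics(RECORDS, WINDOWS, date(2024, 4, 5)).items():
        print(cls, metrics)
```

In the sample data the user application MTTP is 7 days even though `wks15` has gone 31 days without the patch, because MTTP only averages patches that were actually applied. Reporting the overdue list next to MTTP keeps unpatched hosts from disappearing behind a healthy-looking average.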
3. Separate Privilege and Enforce MFA on All External Access
Credential misuse remains one of the fastest paths to compromise. ML2 directly targets this by strengthening identity controls.
Measurable uplift includes:
- Separate administrative and standard user accounts
- Multi-factor authentication enforced for all internet-facing services
- Restricted use of privileged accounts to hardened systems
Organisations can evidence ML2 by tracking:
- Percentage of admin accounts protected by MFA
- Reduction in standing privileged access
- Number of services enforcing MFA
This separation limits the impact of credential theft and prevents attackers from turning a single compromised user into full environment control.
What Measurable ML2 Uplift Really Delivers
When these three tactics are implemented together, organisations achieve demonstrable reductions in risk:
- Fewer successful phishing and malware execution events
- Lower exploitability of known vulnerabilities
- Reduced lateral movement and privilege escalation
- Smaller ransomware blast radius
ML2 is not about theoretical alignment with the Essential Eight. It is about provable, operational security improvement.
By focusing on application control enforcement, disciplined patching, and hardened identity access, organisations can move confidently to ML2 — and show clear evidence that their security posture has genuinely improved.