ASD Essential Eight Maturity Report 2026: Australia Is Falling Behind

The Australian Signals Directorate has released its biennial Essential Eight Maturity Assessment Report for 2026, and the findings make uncomfortable reading. Despite years of guidance, mandatory government compliance requirements, and a dramatically worsening threat environment, only 31% of assessed organisations have achieved Maturity Level Two (ML2) across all eight mitigation strategies — the level broadly considered the minimum effective baseline. The report identifies three controls as consistent weak points across almost every sector.

Key Findings from the 2026 Assessment

The ASD assessed 847 Australian organisations across government, critical infrastructure, and the private sector. Key headline statistics:

  • 31% of organisations have achieved ML2 across all eight controls (up from 23% in 2024)
  • 8% have achieved ML3 across all eight controls (the ASD's recommended target for most organisations)
  • 41% remain at ML1 or below across at least one control
  • 28% have not commenced implementation of at least one control
  • Progress between 2024 and 2026 is being driven primarily by improved Patching Applications and Multi-Factor Authentication scores
  • Restricting Administrative Privileges and Application Control remain the lowest-performing controls

Control-by-Control Breakdown

1. Application Control — Worst Performer

Application control — the practice of preventing the execution of unapproved software — remains the most challenging control for Australian organisations, with only 19% achieving ML2. The primary barriers are:

  • Complexity of maintaining accurate application inventories in large, heterogeneous environments
  • Operational disruption risk during implementation
  • Legacy applications that cannot be whitelisted without significant workarounds
  • Resource intensity of ongoing maintenance

ASD assessment: Application control failures were the primary enabler of post-exploitation malware execution in 67% of significant incidents investigated by the ACSC in 2025-26.

2. Patch Applications — Most Improved

Patching of internet-facing and internal applications has shown the strongest improvement, with 58% of organisations now at ML2 or above. This improvement is attributed to increased automation through vulnerability management platforms and heightened attention following multiple high-profile exploitation campaigns.

3. Patch Operating Systems — Solid Progress

Operating system patching has improved to 52% at ML2 or above, up from 38% in 2024. The widespread adoption of automated patch management solutions and Windows Autopatch has driven this improvement.

4. Multi-Factor Authentication — Strong Adoption, Weak Quality

MFA coverage has improved significantly, with 71% of organisations achieving ML2 for MFA. However, the ASD notes that many organisations are achieving ML2 using weaker MFA forms (SMS OTP) rather than the phishing-resistant MFA (hardware tokens, passkeys) that constitutes ML3. The growing prevalence of MFA bypass attacks via adversary-in-the-middle (AiTM) proxies underscores the limitations of SMS and push-notification MFA.
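As an added illustration (not from the ASD report or the original article) of why the passkeys the paragraph mentions resist AiTM proxies while SMS OTP does not: a WebAuthn relying party checks that the assertion's clientDataJSON names the relying party's own origin and the challenge it issued, so an assertion the browser created on a proxy's domain is rejected, whereas an SMS code carries no origin and verifies wherever it was typed. The origin, challenge and hostnames are constructed placeholders, and signature verification over the authenticator data is omitted to isolate the origin-binding check.

```python
import base64
import hmac
import json

# Constructed sample values: the relying party's genuine origin and the
# base64url challenge it issued for this login session (both assumed names).
RP_ORIGIN = "https://login.example.gov.au"
ISSUED_CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZS0wMDE"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Build clientDataJSON the way a browser does: it fills in the origin of
    the page the user is actually on, which the user cannot override."""
    body = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(body).encode())


def verify_client_data(client_data_b64: str, expected_origin: str,
                       expected_challenge: str) -> tuple[bool, str]:
    """Relying-party side checks on clientDataJSON (origin binding).
    The signature over authenticatorData || SHA-256(clientDataJSON) is
    verified separately and is omitted here."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers bad base64url, bad UTF-8 and bad JSON
        return False, "clientDataJSON is not valid base64url JSON"
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not hmac.compare_digest(str(data.get("challenge", "")), expected_challenge):
        return False, "challenge does not match the one issued for this session"
    if data.get("origin") != expected_origin:
        # This is the check an AiTM relay cannot satisfy: the browser signed
        # for the proxy's origin, not the relying party's.
        return False, f"origin {data.get('origin')!r} is not the relying party"
    return True, "ok"


def sms_otp_check(submitted: str, expected: str) -> bool:
    """An SMS OTP has no notion of origin: a code relayed through a proxy page
    is indistinguishable from one typed on the genuine site."""
    return hmac.compare_digest(submitted, expected)
```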

5. Restrict Administrative Privileges — Second Worst Performer

Only 24% of organisations achieve ML2 for restricting administrative privileges. Privilege sprawl — too many accounts with admin rights, admin accounts used for non-admin tasks, service accounts with excessive privileges — remains endemic. This has direct consequences: 78% of ransomware incidents investigated by the ACSC involved lateral movement enabled by compromised admin credentials.

6. User Application Hardening — Moderate Performance

Application hardening (disabling unneeded features in browsers and office suites, blocking macros, restricting web advertisements) sits at 39% ML2 compliance. The blocking of macro execution in Microsoft Office documents from the internet has been a significant positive in this space, driven by Microsoft's 2022 decision to block macros by default.

7. Configure Microsoft Office Macro Settings — Improved

Following Microsoft's default-block change, the proportion of organisations at ML2 for macro configuration has improved to 62%. However, the ASD notes that many organisations have reverted Microsoft's default block to accommodate legitimate macro use without implementing adequate compensating controls.

8. Regular Backups — Critical Weakness Identified

While most organisations (67%) are performing regular backups, the quality and recoverability of those backups are a significant concern. Only 33% of organisations have demonstrated that they can recover from their backup infrastructure following a ransomware attack that specifically targets backup systems. The immutability and offline storage requirements of ML3 remain aspirational for most organisations.

Sector Performance

Performance varies significantly across sectors:

  • Commonwealth Government: 61% at ML2 across all controls — highest performing sector, driven by mandatory compliance requirements
  • Financial Services: 48% at ML2 — strong APRA-driven improvement
  • Healthcare: 22% at ML2 — significant underperformance relative to the sector's risk profile
  • Education: 18% at ML2 — worst performing sector, reflecting structural funding and resource constraints
  • Local Government: 24% at ML2 — significant underperformance given recent targeting
  • SMB (private sector): 27% at ML2

Priority Recommendations from the ASD

The ASD's 2026 report identifies the following as the highest-impact priorities for organisations not yet at ML2:

  1. Implement phishing-resistant MFA for all internet-facing systems: The single highest-impact control for preventing initial access
  2. Restrict administrative privileges: The single highest-impact control for limiting the blast radius of a breach
  3. Application control on server workloads: Begin with servers (lower complexity than endpoints) and build towards endpoints
  4. Validate backup recoverability: Conduct a full recovery test from backup infrastructure at least annually
  5. Establish vulnerability management processes: Systematic identification and prioritised remediation of vulnerabilities in applications and operating systems

What the Private Sector Must Do

While the Essential Eight was originally designed for Australian government entities, it has become the de facto baseline framework for the Australian private sector. The upcoming mandatory risk management program requirements under the SOCI Act amendments will reference the Essential Eight as a component of critical infrastructure risk management obligations.

Private sector organisations that have not yet commenced serious Essential Eight implementation have a narrowing window before regulatory obligations make compliance mandatory. Beginning now — even with ML1 implementation across all eight controls — establishes the foundation for progressive maturity improvement and demonstrates a good-faith effort to regulators.
