The numbers most Australian businesses don't want to see.

Public data from the OAIC and ASD Annual Cyber Threat Report — published, not estimated.

  • 532: Notifiable data breaches in Australia, H1 2025 (OAIC NDB Report H1 2025)
  • +8%: Year-on-year increase in notifiable breaches (OAIC NDB Report)
  • 18%: Of breaches in the health sector, the most-targeted vertical (OAIC NDB Report)
  • 59%: Of breaches caused by malicious or criminal attacks (OAIC NDB Report)
  • 100k+: Additional SMEs in scope under AML/CTF Tranche 2 from 1 July 2026 (AUSTRAC reform)
  • $50M: Maximum penalty for serious privacy breaches (Privacy Act amendments)

Three deadlines you should already be prepared for.

If your IT provider has not raised any of these, that is a sign in itself.

1 July 2026: Privacy Act amendments + AML/CTF Tranche 2

Mandatory data protection obligations widen to legal, accounting, real estate, conveyancing, jewellers, and high-value goods dealers. Dual exposure under both OAIC and AUSTRAC. Maximum penalty for serious privacy breaches now $50 million.

1 July 2026: Mandatory MFA Phase 2 in Microsoft Entra

All admin actions in Entra Admin Center, Microsoft 365 Admin Center, Exchange Admin, Sentinel and Intune require phishing-resistant MFA. Existing app-password admin sessions stop working.

31 Dec 2026: SMTP Basic Auth retirement

Devices, scanners, alarms and line-of-business apps that send email through your Microsoft 365 tenant with username + password will stop sending. Migration to OAuth2 or Direct Send required.

What we audit.

Aligned to the ACSC Essential 8 — the baseline the Australian Signals Directorate recommends and insurance underwriters expect.

1. Application control

Are unauthorised executables blocked from running on user devices? AppLocker, Intune Application Control or Defender Application Control.

2. Patch applications

Are third-party applications (Chrome, Edge, Java, PDF readers) being patched within 48 hours of vendor release for high-risk vulnerabilities?

3. Microsoft Office macro settings

Are Office macros blocked by default for files originating from the internet? Are macros only allowed from Trusted Locations?

4. User application hardening

Is Java disabled in browsers? Are ads + Flash blocked? Is Office configured to block macros and ActiveX from internet sources?

5. Restrict administrative privileges

Are admin accounts separate from daily-use accounts? Privileged Access Management with time-bound elevation? Periodic admin review?

6. Patch operating systems

Are Windows updates being applied within 48 hours of release for high-risk vulnerabilities? Are Intune Update Rings deployed?

7. Multi-factor authentication

Is MFA enforced on every account, with phishing-resistant authenticator + number matching? Conditional Access blocking legacy auth?

8. Regular tested backups

Are M365, server, and endpoint backups running daily? Immutable, ransomware-resistant copies? Quarterly tested restores documented?

What you get out of the audit.

A 1-hour video call with a senior AyeTech engineer. By the end, you have:

1. Maturity-level read

Where you sit against ML0/ML1/ML2/ML3 across each of the 8 strategies. Honest, evidence-based.

2. Prioritised gap list

What is highest-risk, what is quick to fix, what needs a project. With recommended sequencing.

3. Compliance read

Whether you are positioned for Privacy Act + AML/CTF Tranche 2 commencement on 1 July 2026.

4. Transparent quote

If you decide to engage AyeTech, here is exactly what we would do, what it costs, and how long it takes.

No obligation. No sales pressure. You keep the written summary even if you do not engage us.

Pricing for managed cyber security.

If you decide to remediate gaps with us, pricing is per user per month, AUD ex GST.

Essential
$149 / user / month

Baseline managed IT with antivirus + patching + email security.

  • Australian helpdesk
  • 24/7 monitoring
  • Antivirus + email security
  • MFA enforcement
  • Patch management
  • Quarterly review

Enterprise
$299 / user / month

For compliance-driven sectors (legal, medical, accounting, real estate).

  • Everything in Professional
  • Defender for Endpoint Plan 2
  • Microsoft Purview labelling
  • Privacy Act + AML/CTF support
  • Dedicated account manager
  • 24/7 priority support

Frequently asked questions.

What is the ACSC Essential 8?
The Australian Cyber Security Centre's Essential 8 is the baseline set of cyber security mitigation strategies recommended by the Australian Signals Directorate. It covers application control, application patching, Microsoft Office macro hardening, user application hardening, restricting administrative privileges, operating system patching, multi-factor authentication, and regular tested backups. Maturity Level 2 (ML2) is the de facto baseline for Australian SMEs and is increasingly required by insurance underwriters and enterprise procurement.
What does the free Essential 8 audit include?
A 1-hour video call with a senior AyeTech engineer. We walk through your current state across each of the 8 strategies. You get a written maturity-level assessment, a prioritised gap list, and a transparent quote if you choose to engage. No obligation.
Why is this important now?
Privacy Act amendments and AML/CTF Tranche 2 commence 1 July 2026. Cyber insurance underwriters now reference Essential 8 maturity in premium calculations. The OAIC reported 532 notifiable breaches in H1 2025 — most preventable with E8 ML2 controls.
How long does it take to lift to Essential 8 ML2?
Typically a 4-8 week project for a 20-50 staff business, depending on starting state. Application control, OS/application patching, MFA enforcement and tested backups deploy quickly via Intune and Defender. Slower items are Office macro hardening (some legacy apps need tuning) and user application hardening. We sequence work so security improves week by week.
What does managed cyber security cost?
Managed cyber security is included in the Professional ($199/user/mo) and Enterprise ($299/user/mo) plans. Professional includes Defender for Business, MFA, Conditional Access, M365 backup and security awareness training. Enterprise adds Defender Plan 2, Purview labelling, dedicated account management, and explicit Privacy Act + AML/CTF support.
Are you Australian-owned?
Yes. AYE TECHNOLOGIES PTY LTD trading as AyeTech, ABN 70 643 554 438. Australian-owned, Australian helpdesk, Australian engineers.