Let’s get your team trained and using Microsoft Copilot and moving your business forward. Click here to book +61 3 4803 4915Client PortalRemote Support
Belton IT Nexus
NZ AU
Contact us
01 Run

We become your IT department and own the day-to-day.

Managed IT Your whole environment, owned Managed Devices Endpoints, patched & tracked Microsoft 365 The workplace, managed Cloud & Azure Networks, Wi-Fi, voice
02 Protect

Security operations you can verify, and show.

24-Hour CyberSOC Security ops that don't clock off Compliance Reviews Aligned to Essential 8 & ISO Backup & Recovery Provably restorable Identity & Email MFA enforced, threats stopped
03 Improve

Honest strategy and predictable budgets.

IT Advisory & vCIO Honest, predictable plans AI & Copilot Where it genuinely helps Compliance & Governance Audit-ready evidence Projects & Consulting Build what you can't buy
Belton · Run / Protect / ImproveView all services ›
Professional Services

Firms that run on trust, time and confidential data.

Accounting Ledgers & client data Legal Privilege & matter files Business Advisory Plans & reporting Mortgage & Finance Loan files & AML/CFT Insurance Claims & client records Insurance Brokers Cover & premiums
Built & Made

Site, studio and floor, where uptime is the product.

Construction Sites & project files Architecture Drawings & large models Quantity Surveyors Cost data & big files Manufacturing Floor & ERP uptime Healthcare Patient data & privacy
Trade & Technology

Fast-moving operations that can't carry downtime.

Logistics Fleet, orders & tracking Retail & Wholesale POS & storefronts Technology Cloud-native teams Distribution Inventory & systems
Belton · Sector-specialised IT & securityAll industries ›
Guides & Frameworks

Plain-English playbooks for the controls that matter.

Essential Eight ASD's eight, explained DIY Cybersecurity Lock down the basics Cyber Standards Guide ISO, SMB1001 & more M365 Selection Guide Pick the right licences
Tools & Assessments

Self-serve checks that map where you stand.

Security Assessment Score your posture Network Assessment Find the weak spots M365 Security Checklist Find the gaps Cyber Insurance Readiness Be claim-ready
Reading & Learning

Get more from the tools you already pay for.

SME Tech Outlook 2026 Where NZ tech heads next Copilot Learning Hands-on with Copilot FAQ Straight answers CEO's Blog Plain-English views
Belton · Knowledge, not gatekeepingResource library ›
The Firm

A senior team with the skills and scale for any project.

About Belton Who we are, plainly How We Work Our delivery process Who We Work With The fit we look for Leadership Jason & Amy Agnew + team
Proof & Partners

The evidence behind the claims, and ways to build with us.

Case Studies Real outcomes, named Accreditations The proof behind the practice Industries Sector-specialised White-label / Partners Our bench, your brand
Connect

Real people, fast, no ticket-queue runaround.

Contact Us Talk to a human, today Book a Session A 90-minute discovery Find Us Newmarket, Auckland Remote Support Get help now
Belton IT Nexus · Est. 2004 · Newmarket, AucklandAbout us ›
Home/ Resources/ Essential Eight

The Essential Eight explained

A practical framework for cybersecurity. Developed by Australian experts, increasingly adopted across New Zealand.

8Mitigation strategies 3Maturity levels 85%Of intrusions prevented ACSCRecognised framework

The Essential Eight is a cybersecurity framework developed by the Australian Cyber Security Centre. It identifies eight key strategies that organisations should implement to protect against the majority of cyber threats. While originally designed for Australian government agencies, the framework has become a benchmark for businesses across Australasia.

The framework works because it focuses on what matters most. Rather than trying to address every possible threat, it targets the techniques attackers actually use. Studies show that implementing these eight strategies can prevent over 85% of targeted cyber intrusions.

The framework
§01

Eight strategies that matter

Each addresses an attack vector
01 Application control Only approved applications can run on your systems. This prevents malware from executing, even if it reaches your devices. Attackers cannot run their tools if your systems only allow authorised software.
02 Patch applications Keep applications updated with security patches. Vulnerabilities in common software like browsers, PDF readers, and Microsoft Office are frequent attack vectors. Patching within 48 hours of critical updates eliminates these entry points.
03 Configure Microsoft Office macros Disable macros from the internet, only allow vetted macros in trusted locations. Malicious macros remain one of the most common ways attackers deliver malware through seemingly innocent documents.
04 User application hardening Configure web browsers to block Flash, ads, and Java from the internet. Disable unneeded features in PDF readers and Office. Reducing the attack surface makes exploitation harder.
05 Restrict administrative privileges Limit who has admin access and what they can do with it. Attackers target privileged accounts because they provide the most access. Minimising admin accounts limits the damage from any breach.
06 Patch operating systems Keep Windows, macOS, and server operating systems current. Operating system vulnerabilities can give attackers complete control of devices. Regular patching closes these doors.
07 Multi-factor authentication Require more than just passwords for sensitive access. Stolen credentials are useless without the second factor. Essential for email, VPN, cloud services, and any internet-facing applications.
08 Regular backups Maintain offline, tested backups of critical data and systems. When prevention fails, backups enable recovery. They are your last line of defence against ransomware and destructive attacks.
Maturity model
§02

Three levels of implementation

Stronger protection at each tier
Level one
Basic implementation
Protects against commodity malware and opportunistic attackers using widely available tools. This is where most organisations should start, and for many smaller businesses it offers sufficient protection against the threats they are most likely to face.
Level two
Enhanced controls
Your organisation can defend against attackers who invest time and effort specifically targeting you. They may modify their tools or adapt their techniques. Organisations handling sensitive data or facing industry-specific threats typically need this level.
Level three
Comprehensive protection
Designed to resist sophisticated attackers with substantial resources and expertise: state-sponsored groups, advanced criminal organisations, and persistent adversaries. Government agencies and critical infrastructure organisations often require this level.

Most businesses should aim for at least Maturity Level One across all eight strategies. This provides solid protection against the majority of threats. The right level for your organisation depends on your risk profile, the data you hold, and who might want to compromise it.

How we help
§03

Essential Eight implementation

Assess, then improve

Assessment and planning

We evaluate your current security posture against each of the eight strategies. This is not a checkbox exercise. We look at how controls are actually implemented, where gaps exist, and what risks they create.

You receive a clear picture of where you stand. More importantly, you get a prioritised roadmap. Not all gaps are equally urgent. We help you focus on what matters most for your situation, considering risk, budget, and operational impact.

  • Current state assessment
  • Gap analysis by strategy
  • Risk-prioritised roadmap
  • Budget considerations

Implementation and ongoing support

We configure the controls, deploy the tools, and make the changes needed to achieve your target maturity level. This is hands-on work, not just recommendations. Our team has implemented these controls across dozens of organisations.

Security requires continuous attention. We maintain your controls, apply patches, review configurations, and ensure your protection stays current as threats evolve. The Essential Eight is not a one-time project. It is an ongoing commitment that we manage on your behalf.

The framework provides structure. We provide the expertise to make it real.

Already working with us? If you are a managed services client, we continuously work toward Essential Eight alignment as part of your service. Your security improves progressively without separate project costs.

Assess your Essential
Eight maturity.

A discovery & security session that shows where you stand against all eight strategies, names the real gaps, and gives you a clear, risk-prioritised path to improve.

Book the session Talk to a human
NEW ZEALAND OWNED & OPERATED EST. 2004
Sovereign by design

New Zealand owned and operated.

Sovereign data centres across New Zealand and Australia, with your data kept onshore wherever it's required. Our team understands New Zealand, and our leaders have built, scaled and secured businesses right across the New Zealand landscape.

Sovereign data centres · New Zealand & Australia
  • Auckland
  • Christchurch
  • Sydney
  • Melbourne
  • Brisbane
  • Perth
International data-centre operations
  • Singapore
  • Germany
  • Netherlands
  • USA

Servers available in minutes, not days.

Explore data centres & hosting →
Accredited partners
Microsoft Solutions Partner Fortinet Partner Lenovo Partner HP Partner Apple Business Manager