Applying the Essential 8 to Microsoft 365: A Cybersecurity Primer for Financial Services

09/01/2025

The question is no longer if a data breach will happen, but when — and whether your organisation is ready. In 2025, the Australian Prudential Regulation Authority (APRA) reported that operational systems in the country’s financial services face heightened vulnerability to cyberattacks and technological outages. This alert comes at a crucial time, as the previous year saw the financial services sector rank among the top five industries for data breaches, highlighting the need to act now.  

To reinforce guardrails around critical information assets, the Australian Cyber Security Centre’s (ACSC) Essential 8 provides baseline principles to mitigate risks. These strategies are particularly relevant for the Microsoft 365 platform, which has become ubiquitous in Australian financial organisations.

In this blog, we elaborate on how financial organisations can build on Microsoft 365’s native capabilities to satisfy the Essential 8 requirements. We’ll also show how this approach helps them meet APRA CPS 234 – Information Security mandates and Australia’s Privacy Act 1988 obligations.

The Essential 8: A Practical Cybersecurity Baseline for Australia’s Financial Services

The Essential 8 consists of baseline mitigation strategies designed by the ACSC. Initially, the ACSC had drafted these principles for government agencies. Today, these principles have become a widely adopted framework to help organisations protect themselves against the most common cyberthreats. Australia’s financial services industry, for example, now follows the Essential 8, demonstrating the framework’s adaptability and effectiveness.

The Essential 8 includes several controls: 

  • Implementing application controls prevents the execution of unauthorised or malicious applications, helping financial firms maintain a secure software environment.
  • Patching applications and operating systems fixes known vulnerabilities that could expose customer data and payment systems to exploitation.
  • Configuring Microsoft 365 macros reduces the risk of macro-based malware that often targets financial documents containing sensitive information.
  • Hardening user applications limits exposure to exploit kits commonly used to target browsers and PDF readers handling financial transactions.
  • Restricting administrative privileges minimises the potential impact of a compromised account by limiting a user’s access to only what they need to do their job, preventing lateral movement by attackers.
  • Adding multi-factor authentication (MFA) provides a crucial layer of verification to user accounts, significantly reducing the risk of a breach even if a password is stolen — a common attack vector in financial services.
  • Running daily backups ensures recoverability of critical data, including customer records, transaction histories, and regulatory documentation. 

Individually, these are technical controls. Together, however, they form a strategic framework to protect sensitive data, maintain client trust, and meet regulatory expectations in an ever-changing and increasingly sophisticated threat landscape.

Microsoft 365 as a Foundation for Implementing the Essential 8

While the Essential 8 was originally conceptualised for on-premises environments, financial organisations can apply its cyber resilience principles to proactively mitigate risk and address compliance challenges in Microsoft 365.

The following are native Microsoft 365 capabilities and how they align with Essential 8 principles: 

Endpoint Protection and Application Control

Financial organisations are high-value targets, with remote work and bring-your-own-device (BYOD) protocols expanding attack surfaces. Microsoft Defender for Endpoint and Intune reduce risk by patching systems, controlling application execution, and hardening user environments. This aligns with Essential 8 controls like application control and user application hardening while helping financial institutions meet minimum maturity levels and reduce exposure to phishing and ransomware.

Data Protection and Information Classification

Classifying sensitive financial data is foundational to compliance, audit readiness, and operational transparency. Microsoft Purview enables automated classification, encryption, and data loss prevention (DLP) by automatically identifying and protecting sensitive data like credit card numbers or client personally identifiable information (PII) across emails and documents — aligning with Essential 8 goals to restrict unauthorised access and minimise breach impact. These capabilities support mandates under the Privacy Act 1988, APRA CPS 234, and the Notifiable Data Breaches (NDB) Scheme.

Backup and Recovery Capabilities

Daily backups are a critical component of the Essential 8, ensuring that Australian organisations can recover quickly from accidental deletion, ransomware, or system failure. Although Microsoft 365 has native data retention across Exchange Online, SharePoint, and OneDrive, this capability is often limited by default policies and retention windows. Additionally, when financial organisations enhance their security posture and implement a third-party solution for Microsoft 365 that goes beyond native capabilities, they successfully meet Essential 8 Maturity Level 3. This indicates they’re executing more complex strategies, such as protecting MFA event logs from unauthorised modification and deletion.

Using Microsoft 365 to Strengthen Compliance with APRA CPS 234

While the Essential 8 provides a critical baseline, Australian financial organisations must elevate their security posture to meet industry-specific regulatory requirements. APRA CPS 234 – Information Security is not simply a compliance checklist; it serves as a strategic framework designed to ensure that entities such as banks, insurers, health insurers, and superannuation funds maintain an information security posture that aligns with their specific vulnerabilities and threat landscape.

This standard mandates a forward-looking approach, including: 

  • Clearly defined roles and responsibilities for information security across the Board, senior management, and operational teams.
  • Effective implementation of controls to protect data availability, confidentiality, and integrity.  
  • Systematic testing of the above controls to ensure effectiveness.  
  • Timely notification to APRA of any information security incident.

Microsoft 365 supports the above requirements with the following features:  

  • Role-based access controls (RBAC) that limit system access to authorised personnel
  • Unified audit logs providing detailed and traceable records of user activities
  • Advanced threat detection tools that continuously monitor and help mitigate emerging risks 

Integrating Microsoft Purview and Azure enables secure cloud adoption with strong visibility and granular control over sensitive data assets. This allows organisations to safeguard information while leveraging cloud innovation and scalability.

Aligning Microsoft 365 with Essential 8 and APRA CPS 234 establishes a defensible security posture. The benefits are two-fold: streamlined compliance and effective regulatory obligation management.

For instance, implementing comprehensive backup strategies that exceed Microsoft 365’s native capabilities satisfies Essential 8 requirements while creating enhanced alignment between cybersecurity frameworks and compliance mandates. 

Enhancing Privacy Act Compliance Through Microsoft 365 Capabilities

Australia’s Privacy Act 1988 outlines 13 Australian Privacy Principles governing responsible, secure, and transparent management of personal information. These principles require organisations to ensure data accuracy, safeguard sensitive information, and uphold individuals’ rights to access and correct their data.

Microsoft 365’s built-in compliance tools empower financial organisations to meet these obligations effectively. Capabilities such as DLP, Microsoft Purview Information Protection, and Customer Data Residency controls help organisations:

  • Prevent unauthorised data sharing through policy-based controls.
  • Classify and protect sensitive information across emails, documents, and collaboration platforms.
  • Maintain data residency compliance by ensuring data stays within Australian borders.  

By leveraging these capabilities, financial organisations reduce data exposure risks while maintaining regulatory alignment and fostering trust through transparent data handling practices.

Strengthening Australia’s Financial Sector with Integrated Cybersecurity

Is your organisation’s security posture a proactive defence or a series of compliance checkboxes? As cyberthreats grow in sophistication, this question defines your resilience. Aligning your Microsoft 365 environment with the Essential 8 is the crucial first step for meeting regulations like APRA CPS 234 and the Privacy Act, but its true value is far greater.

Regulations are not administrative burdens — they are architectural building blocks for a resilient digital ecosystem. The intersection of frameworks like the Essential 8 with regulatory mandates creates a comprehensive defence foundation protecting individual organisations and Australia’s entire financial ecosystem.

To truly lead in this security landscape, financial organisations must bridge the gap between reactive risk identification and proactive remediation. This requires a unified platform providing complete visibility over all Microsoft 365 data, from customer information to transactional records. Only by integrating security and compliance can you move beyond surviving cyberthreats to thriving with confidence.

author

Amy Sukkar

Amy Sukkar is a Solution Engineer at AvePoint, where she drives strategic initiatives and delivers forward-thinking solutions and outcomes to organisations. With a background in data security, she is dedicated to helping customers understand, protect, and maximise their data's value. She holds a Master's degree in Technology Management, majoring in Cybersecurity, with a focus on driving technological innovation through artificial intelligence and cybersecurity. Amy is dedicated to excellence and continuous improvement in her field.