What are the Essential Eight?
The Australian Cyber Security Centre, part of the Australian Signals Directorate, has published an Essential Eight framework. It is designed to help prevent cyber security incidents, and if they do occur, mitigate the damage caused to your business, as well as your stakeholders (i.e. prevent leakage of consumer data).
What are the Essential Eight?
- patch applications
- patch operating systems
- multi-factor authentication
- restrict administrative privileges
- application control
- restrict Microsoft Office macros
- user application hardening
- regular backups

Essential Eight in a Zoho Landscape
Assuming a Zoho-only landscape, compliance with the Essential Eight is simplified significantly. In a mixed environment (i.e. one with other cloud or on-premise software, or a local area network (LAN) with a shared drive) you will have to implement additional steps to eliminate the weak points. Let's look at each of the eight controls and see how to apply appropriate mitigation.
Essential Eight Security Control | Zoho Applications | Other Applications |
---|---|---|
Patch applications | If you run Zoho exclusively from the browser, the applications are patched by the vendor. If you downloaded the applications (including the browser), patch notifications are sent to each user to update. If you use Endpoint Central (from Zoho's sister company ManageEngine) or an equivalent endpoint management tool, this can be centrally controlled. Zoho's mobile applications tend to upgrade via the application store of your mobile phone's operating system. | Other cloud applications are patched by the vendor. Locally installed applications must be patched either manually or, if available, via an endpoint management suite. |
Patch operating systems | Modern operating systems tend to have functionality to update automatically. For further central control (i.e. preventing unpatched machines due to user action), Endpoint Central or an equivalent tool could be implemented. | There is no Zoho operating system; an OS is by definition provided by a third party. |
Multi-factor authentication | Via Zoho Directory (part of Zoho One), multi-factor authentication can be mandated. | Other cloud applications can be Zoho Directory application partners, in which case they use single sign-on via Zoho Directory (like all Zoho applications). Alternatively, you can use a third-party identity management tool for single sign-on with multi-factor authentication, or use the settings in that particular application (this will be a separate identity control from Zoho Directory). You could use Zoho Vault to store the credentials and the time-based one-time passwords (TOTP) used for authentication. |
Restrict administrative privileges | By setting roles in Zoho Directory and linking these to the privileges in the individual applications, you get consistent user authorisation across the application landscape. | Other applications will need separate roles and privileges configured for user authorisation. |
Application control | This is part of the endpoint management strategy: do you allow users to install unsanctioned applications or not? Note that applications do pose a risk, in particular mobile device applications, which can request and be granted permissions to upload sensitive data (e.g. contacts) to undisclosed third parties. Zoho One comes with rudimentary mobile device management to segregate the data; alternatively, use a comprehensive endpoint management tool. | This is not specific to Zoho. |
Restrict Office macros | Using the Zoho Workplace productivity suite (included in Zoho One), there are no Microsoft Office specific vulnerabilities to consider. | If you use Microsoft Office, then macros have to be controlled (preferably centrally) to comply. |
User application hardening | The documentation calls out Microsoft Internet Explorer 11 as the key example. Internet Explorer received (as of the time of this writing) its latest update on July 9, 2024, specifically for Windows Server (Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2). On the desktop, a more secure option, such as the Zoho Ulaa browser, is recommended. | Not specific to Zoho. |
Regular backups | All Zoho applications are hosted and mirrored across several data centres, minimising the probability of downtime. In addition, regular backups are created and distributed across data centres (providing rollback options in case of a catastrophic event). File versioning and retention are implemented in Zoho WorkDrive, and email retention policies are configured in Zoho Mail. | If there is a server application (cloud, hosted, or on-premise) that is not backed up, then it needs to be backed up daily. In particular, anything on-premise or hosted that does not have file versioning is potentially susceptible to ransomware attacks (where the data is encrypted). |
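The "Restrict Office macros" row above says that in a Microsoft Office environment macros have to be controlled, preferably centrally. The script below is an added example (not from the original article, and not a Zoho or ManageEngine tool) showing what that central control amounts to on a single Windows host: it audits, and with `-Enforce` sets, the two per-user Office policy values that Group Policy or an endpoint management suite would normally push out. It assumes Office 2016/2019/365 (registry version `16.0`) and the documented policy values `VBAWarnings` (4 = disable all macros without notification) and `blockcontentexecutionfrominternet` (1 = block macros in files downloaded from the internet) under `HKCU\Software\Policies\Microsoft\Office`.

```powershell
# Added example: audit (and optionally enforce) the Office macro policy on this host.
# Assumes Office 16.0 and the two well-known policy values named in the lead-in.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$apps = 'Word', 'Excel', 'PowerPoint'

# Desired state, matching the "disable all macros" + "block macros from the internet" policies
$desired = @{
    VBAWarnings                       = 4
    blockcontentexecutionfrominternet = 1
}

function Get-MacroPolicyState {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $state = [ordered]@{ App = $App; Key = $key }
    foreach ($name in $desired.Keys) {
        $value = $null
        if (Test-Path $key) {
            # A missing value means no policy is applied, which is reported as non-compliant
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $state[$name] = $value
        $state["$($name)Compliant"] = ($value -eq $desired[$name])
    }
    [pscustomobject]$state
}

function Set-MacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $desired.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $desired[$name] -PropertyType DWord -Force | Out-Null
    }
}

$report = foreach ($app in $apps) {
    if ($Enforce) { Set-MacroPolicy -App $app }
    Get-MacroPolicyState -App $app
}
$report | Format-Table -AutoSize

# Non-zero exit lets an endpoint management job or scheduled task flag the drift
$nonCompliant = $report | Where-Object {
    -not ($_.VBAWarningsCompliant -and $_.blockcontentexecutionfrominternetCompliant)
}
if ($nonCompliant) {
    Write-Warning "Macro policy not enforced for: $($nonCompliant.App -join ', ')"
    exit 1
}
```

Run without arguments to audit, or with `-Enforce` to apply the values for the current user. In a real deployment the values belong in Group Policy or the endpoint management tool so that users cannot undo them; the script is useful as the check that confirms the central policy actually landed on each machine.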
Bringing it to 2025
If you look at the Essential Eight in a little more detail, it is obvious that it should cater for today's technology as well as the technology of yesteryear. Case in point: the reliance on Microsoft Internet Explorer 11 is not something that is built into modern applications (Internet Explorer 11 was introduced with the release of Windows 8.1). Major corporations and government departments may have software that relies on some of Internet Explorer's proprietary functions; such applications are difficult, risky, and expensive to replace (still, it must be done). But this does not occur in small to midsize businesses.
Businesses using the Zoho suite of applications have the tools to implement these controls to the highest security standards, at an affordable cost (both software and implementation/maintenance). Zoho One includes:
- Zoho Mail - a highly secure mail server with spam and malware detection
- Zoho WorkDrive - a secure (encrypted) cloud storage solution with versioning and data retention controls
- Zoho Vault - a secure password management suite
- Zoho Directory - governing identity (authentication) and access privilege (authorisation) across Zoho and other Zoho Directory compliant applications
- Zoho's data centres - encrypted, mirrored, backed-up data centres for high availability and resilience