Part 5 of a series

In 2025, there’s really no excuse for treating cyber security like a fire drill—reactive, vague, and mostly about ticking boxes. The threat landscape has matured. Attacks aren’t just more frequent; they’re faster, more targeted, and often far more damaging.

Yet many Australian businesses still struggle to answer a deceptively simple question:

“What’s our actual threat level?”

Not in abstract terms. Not a vague “we take security seriously.” But really:

    • How exposed are we?
    • What kinds of threats are most likely to affect us?
    • And what’s the potential fallout if they do?

If you don’t know the answer, this guide is for you. Here’s how to start working it out.

Step 1: Understand What a Threat Level Actually Is

“Cyber threat level” isn’t about guessing whether a hacker is poking around your firewall today. It’s about understanding:

    • How likely it is that you’ll be targeted,
    • How prepared you are to detect and stop it, and
    • How badly it could hurt if you’re not.

To do that, look at three key ingredients:

    • Threats – Who’s out there, and what are they doing? Think ransomware gangs, phishing campaigns, credential theft, or supply chain compromise.
    • Vulnerabilities – What are they likely to exploit? This includes unpatched systems, misconfigured access, legacy software, or poor user habits.
    • Impact – What happens if they succeed? Lost data? Downtime? Breach of privacy laws? Public embarrassment?

Your “threat level” lives at the intersection of all three.

Step 2: Use the Essential Eight as Your Starting Point

If you haven’t implemented the Essential Eight from the Australian Cyber Security Centre (ACSC), now’s the time.

These eight mitigation strategies cover the most common threat vectors—phishing, malware, credential compromise—and are mandatory for government agencies, highly recommended for everyone else.

Each strategy has maturity levels from 0 to 3. Aim for at least Maturity Level 1 (ML1) across the board. But don’t just tick boxes—treat them as threat-reduction tools. Each one neutralises a specific category of risk.

Already at ML1 across all eight? Great. That’s your security floor. But that doesn’t mean you’ve got a roof.

Step 3: Move Beyond the Essential Eight Without Losing the Plot

Once you’ve hit ML1, you may wonder:

“Do we push for ML2 and ML3? Do we stop here? What’s next?”

This is where the Information Security Manual (ISM) comes in.

The ISM is broader and less prescriptive than the Essential Eight. It contains over 800 controls across physical security, governance, cryptography, personnel, and more. But unlike the Essential Eight, it expects you to assess your own risk and decide what’s relevant.

And that’s the catch.

Organisations used to the clear structure of the Essential Eight often aren’t prepared to prioritise controls in the ISM. There’s no maturity model. No “start here” guidance. Just a buffet of “best practices” and a note that says, “You figure it out.”

This is where many businesses stall—not because they’re lazy, but because they’ve never been taught how to assess their own cyber risk.

Step 4: Get to Know Your Crown Jewels

If you’re serious about understanding your threat level, start by identifying what you’re actually trying to protect:

    • Customer data?
    • Financial systems?
    • Intellectual property?
    • Operational technology?
    • The systems you need to function day-to-day?

This isn’t just a paperwork exercise. Knowing your “crown jewels” allows you to:

    • Understand what attackers are likely to target,
    • Identify which systems must be the most secure, and
    • Prioritise ISM controls accordingly.

From there, work backwards.
If your crown jewels live in a cloud platform used by multiple teams, identity and access controls become top priority.
If they’re in an ageing on-prem system, patching and segmentation matter more.

Step 5: Start with Impact, Not Likelihood

A common trap: businesses try to guess how likely an attack is before they’ve even figured out what’s at stake. That’s backwards.

Instead, assess impact first:

    • What happens if this system is compromised?
    • What’s the financial cost? Downtime? Legal exposure?
    • How long can we be offline before it gets ugly?

Then ask: how exposed is it?

    • Is it internet-facing?
    • Does it require admin rights?
    • Does it lack MFA?

This lets you paint a much clearer picture of real risk, not theoretical risk.

Step 6: Document, Track, and Reassess

Threat levels aren’t static. They change as:

    • New vulnerabilities emerge,
    • Your business grows,
    • Staff turnover occurs,
    • Third-party vendors get introduced,
    • You adopt new tech.

So whatever assessment method you use (spreadsheet, commercial platform, cyber auditing software like Introspectus), make sure it’s repeatable. At least quarterly, you should review:

    • Changes to systems and data flows,
    • Emerging threat trends (ransomware, deepfakes, insider threats),
    • Progress against your mitigation roadmap.
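To make Steps 4 to 6 concrete, here is an added worked example in Python of an impact-first risk register. It is an illustration written for this page, not the article’s own method and not code from Frame Secure or Introspectus. The asset inventory, the impact labels and every score weight are constructed assumptions; the exposure questions are the three from Step 5, and the suggested focus areas follow the article’s own mapping (identity and access for shared cloud platforms, patching and segmentation for exposed or ageing systems). The reassessment function shows the Step 6 idea of a repeatable review that reports what moved since last quarter.

```python
from dataclasses import dataclass, replace

# Impact is assessed first (Step 5). These labels and weights are constructed
# for this example; they are not taken from the ISM or the Essential Eight.
IMPACT_SCALE = {"low": 1, "moderate": 2, "high": 3, "severe": 4}


@dataclass(frozen=True)
class Asset:
    """One system from the inventory, described by the questions in Steps 4 and 5."""
    name: str
    crown_jewel: bool              # Step 4: holds something the business cannot lose
    impact: str                    # Step 5: consequence if compromised (assessed first)
    internet_facing: bool          # Step 5 exposure question
    needs_admin_rights: bool       # Step 5 exposure question
    mfa_enforced: bool             # Step 5 exposure question
    max_tolerable_downtime_h: int  # "how long can we be offline before it gets ugly?"


def impact_score(asset: Asset) -> int:
    """Impact first: base value from the scale, bumped for crown jewels and low downtime tolerance."""
    score = IMPACT_SCALE[asset.impact]
    if asset.crown_jewel:
        score += 1
    if asset.max_tolerable_downtime_h <= 4:
        score += 1  # almost no tolerance for downtime raises the stakes
    return score


def exposure_score(asset: Asset) -> int:
    """Only after impact is known do we ask how exposed the system is."""
    score = 1  # every system carries some baseline exposure
    if asset.internet_facing:
        score += 2
    if asset.needs_admin_rights:
        score += 1
    if not asset.mfa_enforced:
        score += 2
    return score


def risk_score(asset: Asset) -> int:
    """Real (not theoretical) risk: what it costs us, multiplied by how reachable it is."""
    return impact_score(asset) * exposure_score(asset)


def recommended_focus(asset: Asset) -> list[str]:
    """Map exposure findings to the control areas the article says to prioritise."""
    focus = []
    if not asset.mfa_enforced:
        focus.append("identity and access controls (enforce MFA)")
    if asset.internet_facing:
        focus.append("patching and segmentation")
    if asset.needs_admin_rights:
        focus.append("restrict administrative privileges")
    return focus


def rank_assets(assets: list[Asset]) -> list[tuple[str, int]]:
    """Highest risk first; ties broken by name so output is stable between reviews."""
    return sorted(((a.name, risk_score(a)) for a in assets), key=lambda t: (-t[1], t[0]))


def reassess(previous: dict[str, int], assets: list[Asset]) -> dict[str, tuple[int, int]]:
    """Step 6: compare a fresh assessment with the last one and report what changed.
    New systems appear with an old score of 0; retired ones with a new score of 0."""
    current = {a.name: risk_score(a) for a in assets}
    changed = {}
    for name in sorted(set(previous) | set(current)):
        old, new = previous.get(name, 0), current.get(name, 0)
        if old != new:
            changed[name] = (old, new)
    return changed


# Constructed inventory for a fictional small business (not real systems).
INVENTORY = [
    Asset("Customer CRM (SaaS)", True, "severe", True, False, False, 2),
    Asset("Payroll server (on-prem)", True, "high", False, True, True, 48),
    Asset("Marketing website", False, "moderate", True, False, True, 24),
    Asset("Staff wiki", False, "low", False, False, False, 72),
]

if __name__ == "__main__":
    baseline = dict(rank_assets(INVENTORY))
    for name, score in rank_assets(INVENTORY):
        asset = next(a for a in INVENTORY if a.name == name)
        print(f"{score:3d}  {name}: {', '.join(recommended_focus(asset)) or 'maintain'}")
    # Next quarter: MFA rolled out on the CRM, and a new vendor portal has appeared.
    updated = [replace(a, mfa_enforced=True) if a.name.startswith("Customer CRM") else a
               for a in INVENTORY]
    updated.append(Asset("Vendor portal", False, "moderate", True, False, False, 24))
    print(reassess(baseline, updated))
```

With the constructed inventory the CRM ranks first (impact 6, exposure 5, risk 30) even though the payroll server is also a crown jewel, because the CRM is internet-facing and lacks MFA. Enforcing MFA drops its score to 18 without touching its impact, which is the point of assessing impact and exposure separately: impact tells you what matters, exposure tells you what you can actually change this quarter.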

Closing Thoughts

Assessing your threat level isn’t just about understanding who might attack you. It’s about knowing where you’re weak, how badly you could be hurt, and what steps you’ve actually taken to defend yourself.

If the Essential Eight gives you a security foundation, threat assessment is how you start building walls, windows, and doors in the right places. The ISM will show you all the building materials available, but only if you’re ready to make design decisions based on risk.

And if that still sounds overwhelming?

That’s where we come in.

Frame Secure helps Australian businesses bridge the gap between basic compliance and sustainable security maturity. Whether you’re trying to uplift to Maturity Level 2, align with the ISM, or just figure out where to start, we’ll get you moving.

Because “we take security seriously” doesn’t mean much until you can prove it.