Aligning your business with a Cyber Security Framework


Cyber security is the hottest topic and biggest challenge in the business world right now. In response to client requests for assistance with their cyber security, we thought we'd take the opportunity to delve into three frameworks you might consider implementing within your business, which you may or may not have heard of before. Each of these frameworks plays a crucial role in enhancing cyber security, but they serve different purposes and have distinct features, and each defines a minimum set of controls that must be assessed. Some of these frameworks can be complex, expensive to implement and maintain, and sometimes overwhelming, so hopefully we are able to satisfy your curiosity and ease you into it.

Cyber Security Frameworks

Cyber Security Certification Australia SMB1001 (CSCAU SMB1001:2023)

[Image: CyberCert Bronze, Silver, Gold, Diamond and Platinum certification marks]

The SMB1001:2023 standard is a multi-tiered cyber security certification framework specifically designed for small and medium-sized businesses (SMBs). The standard was developed by Cyber Security Certification Australia (CSCAU) to enhance SMBs' resilience against evolving cyber threats, and it is revised as those threats change. The five levels of SMB1001, from Bronze to Diamond, are stepping stones toward achieving more comprehensive standards such as ISO27001.

With six controls required to be assessed for the SMB1001 Bronze Level, this could be the simplest place to start your cyber security framework journey. It provides a structured approach for businesses to improve and enhance their cyber security posture and best practices.

Consider how many of the below controls you have potentially already achieved. Perhaps one, three or all six?

Key features of the Bronze Level include:

  • Technology Management
      • Engage a technical support specialist for your business.
      • Install and configure a Firewall.
      • Install anti-virus software on all business devices.
      • Automatically install tested and approved software updates and patches.
  • Access Management
      • Change passwords routinely.
  • Backup and Recovery
      • Implement a backup and recovery strategy for important digital assets.

There are several benefits of the Bronze certification. It is affordable, and its structured approach with known, measurable requirements guides SMBs and their IT provider to a known, albeit basic, level of cyber security preparedness.

Once Bronze has been achieved, business owners can consider investing in the higher certifications, eventually preparing for alignment with ISO27001 or other more complex certifications in the future. You're probably now wondering what CSCAU's role is in this. CSCAU ensures that the SMB1001 standard remains relevant and effective, follows robust governance structures, and aligns with accreditation best practice.

In summary, SMB1001 provides SMBs with a foundational cyber security framework, emphasising technology management, access management, and backup and recovery. By achieving this certification, businesses take a significant step toward improving their overall security posture.

International Organisation for Standardisation 27001 (ISO27001)


ISO27001 (formally ISO/IEC 27001) is an international standard for information security management systems (ISMS), providing a systematic approach to managing sensitive company information and ensuring its confidentiality, integrity, and availability. Not only is this certification internationally recognised, it also demonstrates that your commitment to data security is serious, which can increase the trust of your customers and vendors alike.

A significant step up from SMB1001, ISO27001 is assessed against a much larger control set: Annex A lists 93 controls in the 2022 edition (114 in the 2013 edition), and each one must be either implemented or justified as not applicable in a Statement of Applicability. Some of the key components of ISO27001 include:

  • Risk Assessment and Treatment – Identifying and assessing risks related to information security.
  • Information Security Policy – Defining the business's commitment to security.
  • Asset Management – Managing information assets throughout their lifecycle.
  • Access Control – Controlling access to information and systems.
  • Incident Management – Handling security incidents effectively.
  • Compliance with Legal and Regulatory requirements – meeting legal obligations related to information security.

And that's just the tip of the iceberg! The cost of implementing ISO27001 will vary with the size and scale of your business, so while it may not be suitable for you, ISO27001 is widely adopted across industries to enhance information security, including the IT industry, finance, telecommunications, and government departments.

Australian Cyber Security Centre Essential Eight (E8)


Developed by the Australian Cyber Security Centre (ACSC), the Essential Eight provides a baseline of eight essential mitigation strategies to protect against cyber threats. While no set of strategies can guarantee complete protection, implementing the Essential Eight significantly raises the bar for bad actors attempting to compromise systems.

The framework defines maturity levels to guide businesses in their cyber security efforts, helping you assess your current security posture and improve it gradually.

The eight key security controls in the Essential Eight are:

  • Application Control – Restricting the execution of unauthorised software.
  • Patch Applications – Regularly applying security patches to software.
  • Restrict Microsoft Office Macros – Managing macros to prevent malicious code execution.
  • User Application Hardening – Configuring web browsers and email clients securely.
  • Restrict Administration Privileges – Limiting administrative access to authorised personnel.
  • Patch Operating Systems – Keeping operating systems up to date with security patches.
  • Multi-Factor Authentication (MFA) – Requiring a second factor, not just a password, for remote access, privileged actions and access to important data.
  • Regular Backups – Regularly backing up critical data, and testing restoration, so that data can be recovered after loss or ransomware.
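The controls above are stated as outcomes; before engaging an assessor it helps to know where a host actually stands. The script below is an added example written for this article, not part of the Essential Eight or any vendor tool, and performs read-only spot checks for three of the eight on a Windows workstation. It assumes Office 2016 or later (registry version key "16.0") with macro policy applied per user under HKCU\Software\Policies, and takes a short allow-list of expected administrator accounts that you will need to replace with your own.

```powershell
# Added example: read-only Essential Eight spot checks for one Windows host.
# Assumptions: Office 2016+ (registry version "16.0"), per-user macro policy under
# HKCU\Software\Policies, and an allow-list of expected admin principals.

function Get-OfficeMacroPolicy {
    # Restrict Microsoft Office Macros: the expected state is that macros from the
    # internet are blocked and macros are disabled unless digitally signed.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application         = $app
            PolicyPresent       = ($null -ne $p)
            BlockInternetMacros = ($p.blockcontentexecutionfrominternet -eq 1)
            # VBAWarnings: 1 = enable all, 2 = disable with notification,
            # 3 = disable except digitally signed, 4 = disable without notification
            VBAWarnings         = $p.VBAWarnings
            MacrosRestricted    = ($p.VBAWarnings -in 3, 4)
        }
    }
}

function Get-LocalAdminExposure {
    # Restrict Administrative Privileges: list every member of the local
    # Administrators group and flag anything outside the allow-list.
    param([string[]]$Expected = @('Administrator'))
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $short = ($_.Name -split '\\')[-1]
        [pscustomobject]@{
            Member     = $_.Name
            Source     = $_.PrincipalSource
            Unexpected = ($_.Name -notin $Expected) -and ($short -notin $Expected)
        }
    }
}

function Get-PatchAge {
    # Patch Operating Systems: days since the most recent update that Get-HotFix
    # reports. Get-HotFix only sees updates recorded in WMI, so treat a stale or
    # empty result as a prompt to check Windows Update history, not as proof.
    $latest = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) { return $null }
    [pscustomobject]@{
        HotFixID    = $latest.HotFixID
        InstalledOn = $latest.InstalledOn
        DaysSince   = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    }
}

# Run the checks; the domain group name below is a placeholder to replace.
Get-OfficeMacroPolicy | Format-Table -AutoSize
Get-LocalAdminExposure -Expected 'Administrator', 'CORP\Workstation Admins' |
    Where-Object Unexpected | Format-Table -AutoSize
Get-PatchAge | Format-List
```

A row with PolicyPresent false means no macro policy has reached that user at all, which is the most common finding on unmanaged SMB fleets; any row with Unexpected true is a privileged account you did not know about. The script checks a single host, so run it through your RMM or Intune rather than by hand if you want fleet-wide evidence for an assessor.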

Across the four maturity levels the number of requirements grows considerably: for example, a total of 43 controls exist for Maturity Level 1 alone, and by Maturity Level 3 they increase to 146.

Maturity Level 0 (Baseline): At this level businesses have weaknesses in their overall cyber security posture that, when exploited, could lead to compromise of their data or the availability of their systems.

Maturity Level 1 (Intermediate): Businesses at this level have improved their security posture to defend against bad actors who use commodity tradecraft that is widely available.

Maturity Level 2 (Advanced): At level two, businesses are implementing security with the intent of defending against bad actors who are willing to invest time and resources in targeting specific organisations.

Maturity Level 3 (Mature): At this highest level, businesses are defending against bad actors who are less reliant on commodity and public tools. Such bad actors have significant time and resources to develop their own tools and techniques to evade detection and solidify their presence.

Industries that have implemented these strategies include Government, Finance, Healthcare and Medical, Energy and Utilities, Manufacturing, and Industrial sectors, which are usually much larger than your small to medium sized businesses.

A target maturity level of the Essential Eight is typically implemented alongside another cyber security standard such as SMB1001 or ISO27001, since the Essential Eight covers technical mitigations rather than governance.


In summary, the Essential Eight focuses on prescribing specific, practical security controls to implement, ISO27001 provides a comprehensive framework for managing information security, and SMB1001 aims to enhance cyber security practices specifically for small and medium-sized businesses in a more cost-effective way. Businesses should consider their unique needs and regulatory requirements when choosing among these frameworks.

We’re very proud to have recently achieved the SMB1001:2023 Level 3 Gold Cyber Security Standard! Our next challenge is alignment with the Essential Eight Maturity Level 1, and further into the future is ISO27001.

[Image: SMB1001 Gold certification badge]

If you’re considering aligning the IT in your business with a Cyber Security Framework, we can work with you to determine if any of these options are suitable for you and your business. We encourage you to book in a free initial consultation with our team today. For more information about this service or any other IT solution call us on (03) 7036 2470 or email hello@concordit.com.au.
