This is a very high level overview of what each Standard, Guide, Tool, or Program aimed at small businesses includes, just to compare which controls each one mentions.
| Area | Control | SMB1001 Tier 3 - Gold | SMB1001 Tier 5 - Diamond | CyberWardens Action Plan / Toolkit / Reflections | ID Care Resilience Plan Questionnaire | Essential Eight Maturity Level 1 |
|---|---|---|---|---|---|---|
| Technology Management | Technical Support Specialist | plus add a SLA with MSP | (mentioned) | Specifies MSP | | |
| | Firewall | | | | | |
| | Anti Virus Software | (scans) | Specifies phones also (which is not a thing). | | | |
| | Malware Detection | | | | | |
| | Devices Patched | Auto Vuln Scanner | | | | |
| | TLS / SSL Certificate on Website | | | | | |
| | Protect Domain Names | | | | | |
| | Patched | Automatic Updates | Includes online services and vendor mitigations. Includes internal Office Suites | | | |
| | Scan Websites for Vulnerabilities | (mentioned) | Vuln Scanner on internal and External Assets, inc Email, Browsers, Office Suites etc | | | |
| | Data Encrypted At Rest | does not mention at rest specifically | | | | |
| | Application Control | only certain applications to be downloaded (what about installed by other methods) | Including on Workstations. Restricts Access to Executables etc | | | |
| | Disable Microsoft Office Macros | can be disabled with notification | Except where demonstrated business Environment. With AV Scanning | | | |
| | Lock Devices | (Good!) plus secure mobile phones | Physical Security of devices. Good! | | | |
| | Conduct Penetration, Vulnerability and Social Engineering Testing | | | | | |
| | Remove Online Services No Longer In Use | | | | | |
| | Remove OS that are no longer supported by Vendors | | | | | |
| | Browser Hardening | Internet Browser Protections | No IE11, No Java, No Web Ads, no changes by users. | | | |
| Education and Training | Cybersecurity Training | more involved | The Cyber Wardens program Soft Skills for Cyber Wardens. Good! | Understand latest scams and threats | | |
| | Understand consequences of an incident | Good! | | | | |
| | Review regularly | Good! | | | | |
| Access Management | Change Passwords Routinely | (strong passwords) | | | | |
| | No Admin Access | RBAC, Remove users (Good!) | Changes to IT Environment by one person or role | Validate Requests for Access. Separate Account solely for Admin Usage. Privileged Users Internet Access Restricted. Separate Operating Environments | | |
| | Individual User Accounts | (limit) | | | | |
| | Password Manager | strong push for passphrases | | | | |
| | MFA on Email | no text, email or voice | All Organisation Online Services | | | |
| | MFA on Business Applications and Social Media | no text, email or voice | | All Third Party Online Services | | |
| | RDP over VPN | | | | | |
| | Remote Access Cloud Credentials Management | including setting up SSO and IAM | | | | |
| | MFA for Digital Data | all important digital data no text, email or voice | | | | |
| | MFA on VPNs | no text, email or voice | | | | |
| | MFA on RDP | no text, email or voice | | | | |
| | Wifi Passwords | Separate Guest networks. Good! | | | | |
| | Website | Update your Website! Good! | | | | |
| Backup and Recovery | Backup and Recovery | more involved, including testing | Includes testing Recovery! Good! | Weekly | more involved including no access to backups of other data by unprivileged users. | |
| | Business Cyber Insurance | | | | | |
| Policies, Processes and Plans | Digital Asset Register | more details | (understand your data, consolidate your data! Good!) | Where is your data hiding. Good! Device Audit. Good! | Very privacy focused. Good! | Automated Asset Discovery |
| | Confidentiality Agreement for Employees | | | | | |
| | Invoice Fraud Policy | BEC scams | | | | |
| | Privacy Policy | | | | | |
| | Visitor Register | | | | | |
| | Cybersecurity Policy | | | | | |
| | Incident Response Plan | including testing and more details | Data Breach Response Plan | (in higher maturity levels) | | |
| | Secure Physical Document Destruction | | | | | |
| | Secure Device Disposal | | | | | |
| | Digital Trust Program for Suppliers | | Encourage suppliers to do Cyber Wardens also | | | |
| | Police Vetting for Employees with Admin Access | | | | | |
SMB1001 is

- An International Standard.
- Whole of business focused.
- People focused.
- Risk focused.
- Not overly prescriptive.
- Can just get started.
- Can do good enough (Levels 1 to 3).
- Builds in an Incident Response plan from the ground up.
- Built with small businesses in mind.
- Can be done with limited specialised software (eg Backup may be needed).
- Not the only things that can and should be done.
CyberWardens is

- Mainly focused on Training.
- A bit simplistic in some areas.
- But can be good for the very basics.
- Information is a bit jumbled and spread out over different areas. Eg I used the Reflections Notebook, the Cyber Security Action Plan and the CyberWardens Toolkit documents for this review. Maybe it should all be one document.
- Supported by COSBOA, but the COSBOA Cybersecurity page is woeful.
ID Care is

- Free to small businesses.
- You get to talk to a real person and they ask hard questions, and give very helpful advice.
- Pretty comprehensive.
- Has the added level of support for breaches or incidents.
- They will search for your email addresses that have been compromised and let you know what to do about it.

Essential Eight is

- Only really relevant to government departments, or highly regulated industries.
- Not relevant to many businesses.
- Designed for a specific purpose - to be the government's controls.
- IT specific, not whole of business.
- Not people focused.
- Easy to be seen as an IT project, not a business implementation.
- Doesn’t support the overall culture of Cybersecurity in the Organisation.
- Focused on Microsoft products only.
- Focused on businesses with On Prem.
- Requires specialist software (eg Vulnerability Scanning, Asset Discovery).
- Doesn’t easily support BYOD.
- Difficult for businesses that are not up to date with technology and using old systems.
- Can be disruptive to users.
- Very prescriptive.
- Doesn’t go broad enough for small businesses.
- Does not focus on the basics that small businesses need.
- Is all about product and not about process.