
More about Cybersecurity Assurance

Status: IN PROGRESS

I run a small business where I am the sole director and sole employee. I work in the technology space and help my clients with their software, business systems, and information security needs.


Yes, it is straightforward and simple, but that does not mean it wasn’t challenging for me; it required me to make some significant changes before I could hand-on-heart attest that yes, I do do X and I do have a policy on Y.

I chose to use the Assuredly Starter Plan as I needed to have the platform guide me through the process. Plus, Assuredly has excellent templates for policies that really helped (again, it’s just me, I don’t really need policies, but it was a great exercise to do regardless).


Personal vs Business

Being a sole director company, with my main office now at home (I reluctantly had to give up my office after it shut down after the pandemic), there is a vast overlap between personal and business, especially around devices, accounts etc. So I can’t separate out keeping my personal data safe online from keeping my business data safe. E.g. the
The Australian Government’s new basic message to individuals to “Act Now. Stay Secure” is good advice if you are just thinking about your personal devices (but when they tell you to “change your password” after your data has been breached and every bit of your personal information is “out there”, it’s then not so good).

But unless you work for a top tier organisation that has a significant security budget and either issues you with a work device or has installed some software on your personal devices, then you may want to think beyond just your personal information, and think about how you access your work through your personal devices and home computers.

I have now attained the SMB1001 Gold Certification, and the end result was that I had no increase in the cost of my cyber and business insurance, but with the added bonus of 4 times the cybersecurity coverage value as previously, so I think that is worth it.

For me, out of the 26 controls:

  • 10 controls I was already doing and could just check off; this includes using a password manager and MFA on all accounts.

  • A few of the controls needed written documentation, which, being only me, was not really necessary (I do have a business addendum to my will, to address how my business will be wound down, and to give my executor a head start when the situation arises). Thankfully Assuredly had templates to help me write the documents, but I still did have to write parts of them and ensure they fit with my business.

  • Three controls I needed to work on.

Admin accounts for all my services. I already had two users for Google and Microsoft from when I had a staff member. I had to sacrifice a user account on each of those services to set myself up with an Admin account, distinct from my user account. I'm not convinced there is much benefit in this given that I have MFA on both of them, but there are some things where I have to just say, yep, I agree this is best practice, and it was not a lot of money.

I was logging into my laptop with an administrator account, and yeah, I don't fully agree with not logging in as Admin every day, but the heightened risk of ransomware installs happening without me knowing makes it worthwhile. It is annoying having to enter the username and password often, but it is just a reminder as to why I'm doing this whole process.


This is where we need to put the pragmatic layer over the top of these standards. I heard of a situation where a company had three staff who were "System Administrators" for their Salesforce org, but their regular accounts were not System Administrators; they would log into one separate Salesforce account as System Administrator to do any admin work. Whilst this may be the "letter of the law", it removes one of the key features of Salesforce, which is to have an audit trail of who does what, and it violates the other control that every user must have their own login. So unless you are going to have two full logins for each of your three Admins (valued at around $6k per year), you have to be pragmatic, and say that the control built into Salesforce of having full audit tracking of changes made, and logging in as System Administrator, is the better option.

Backups. I had a backup set up for my regular files, but I purchased a backup plan for Google, Microsoft, and Salesforce. It wasn't that expensive, and it is good reassurance because I think losing my email would be the hardest thing to recover from for business continuity.

Digital Asset Register and secure destruction. It wasn't that I was not doing it, it was that I was overdoing it. I am on the hoarderish side of redundancy. I had three backup Android devices, two backup laptops etc. So it was a case of getting down to one known-good backup device for Windows and Android, then wiping and securely disposing of the others.

Costs

Here’s what I paid for over and above regular email and cloud services.

For SMB1001 Gold

  • Assuredly Starter Plan $990/year

  • SMB1001 Gold Certification $395/year

  • Backup - Email and Cloud Apps $115/yr

  • Secure Document Destruction $82

  • I was already paying for:

    • SSL Certificate $69/yr

    • 1Password $75/yr

    • Backup - Files $150/yr

    • Additional Microsoft M365 Licence

    • Additional Google Workspace Licence

Additional Security tools:

  • Email and Web Security Monitoring $330/yr

  • Website Monitoring $168/yr