This is a very high-level overview of what each standard, guide, tool or program aimed at small business includes, simply to compare which controls each one mentions.

Area

Control

SMB1001 Tier 3 - Gold

SMB1001 Tier 5 - Diamond

Cybersecurity Small Business Guide

CyberWardens Action Plan / Toolkit / Reflections

ID Care Resilience Plan Questionnaire

Essential Eight Maturity Level 1

Technology Management

Technical Support Specialist

(tick)

(tick) plus add an SLA with the MSP

(tick) (mentioned)

(tick) Specifies MSP

Firewall

(tick)

(tick)

(tick)

Antivirus Software

(tick)

(tick)

(tick) (scans)

(tick)

(tick) Specifies phones also (which is not a thing).

Malware Detection

(tick)

Devices Patched

(tick)

(tick)

(tick)

(tick)

(tick)

(tick) Auto Vuln Scanner

TLS / SSL Certificate on Website

(tick)

(tick)

(tick)

Protect Domain Names

(tick)

Servers Patched

(tick)

(tick)

(tick) Automatic Updates

(tick) Includes online services and vendor mitigations. Includes internal Office Suites

Scan Websites for Vulnerabilities

(tick)

(tick) (mentioned)

(tick) Vulnerability scanner on internal and external assets, including email, browsers, office suites etc.

Data Encrypted At Rest

(tick)

(tick) does not mention at rest specifically

Application Control

(tick)

(tick) only certain applications may be downloaded (what about applications installed by other methods?)

(tick) Including on workstations. Restricts access to executables etc.

Disable Microsoft Office Macros

(tick) can be disabled with notification

(tick) Except where there is a demonstrated business requirement. With AV scanning.

Lock Devices

(tick) (Good!) plus secure mobile phones

(tick) Physical Security of devices. Good!

Conduct Penetration, Vulnerability and Social Engineering Testing

(tick)

Remove Online Services No Longer In Use

(tick)

(tick)

Remove Operating Systems No Longer Supported by Vendors

(tick)

Browser Hardening

(tick) Internet Browser Protections

(tick) No IE11, No Java, No Web Ads, no changes by users.

Education and Training

Cybersecurity Training

(tick)

(tick) more involved

(tick)

(tick) The Cyber Wardens program

(tick) Soft Skills for Cyber Wardens. Good!

(tick) Understand latest scams and threats

Understand consequences of an incident

(tick) Good!

Review regularly

(tick) Good!

Access Management

Change Passwords Routinely

(tick)

(tick)

(tick) (strong passwords)

No Admin Access

(tick)

(tick)

(tick) RBAC, Remove users (Good!)

(tick) Changes to IT Environment by one person or role

(tick) Validate Requests for Access. Separate Account solely for Admin Usage. Privileged Users Internet Access Restricted. Separate Operating Environments

Individual User Accounts

(tick)

(tick)

(tick) (limit)

Password Manager

(tick)

(tick)

(tick)

(tick) strong push for passphrases

MFA on Email

(tick)

(tick) no text, email or voice

(tick)

(tick)

(tick)

(tick) All Organisation Online Services

MFA on Business Applications and Social Media

(tick)

(tick) no text, email or voice

(tick)

(tick)

(tick) All Third Party Online Services

RDP over VPN

(tick)

(tick)

Remote Access Cloud Credentials Management

(tick) including setting up SSO and IAM

MFA for Digital Data

(tick) all important digital data no text, email or voice

MFA on VPNs

(tick) no text, email or voice

MFA on RDP

(tick) no text, email or voice

Wi-Fi Passwords

(tick) Separate Guest networks. Good!

Website

(tick) Update your Website! Good!

Backup and Recovery

Backup and Recovery

(tick)

(tick) more involved, including testing

(tick)

(tick) Includes testing Recovery! Good!

(tick) Weekly

(tick) more involved, including no access to backups of other users' data by unprivileged users.

Business Cyber Insurance

(tick)

Policies, Processes and Plans

Digital Asset Register

(tick)

(tick) more details

(tick) (understand your data, consolidate your data! Good!)

(tick) Where is your data hiding? Good!

(tick) Device Audit. Good!

(tick) Very privacy focused. Good!

Automated Asset Discovery

Confidentiality Agreement for Employees

(tick)

(tick)

Invoice Fraud Policy

(tick)

(tick)

(tick) BEC scams

(tick)

Privacy Policy

(tick)

Visitor Register

(tick)

(tick)

Cybersecurity Policy

(tick)

(tick)

Incident Response Plan

(tick)

(tick) including testing and more details

(tick)

(tick) Data Breach Response Plan

(in higher maturity levels)

Secure Physical Document Destruction

(tick)

(tick)

Secure Device Disposal

(tick)

(tick)

(tick)

Digital Trust Program for Suppliers

(tick)

(tick) Encourage suppliers to do Cyber Wardens also

Police Vetting for Employees with Admin Access

(tick)

SMB1001 is

  • An International Standard.

  • Whole of business focused.

  • People focused.

  • Risk focused.

  • Not overly prescriptive.

  • Can just get started.

  • Can do good enough (Levels 1 to 3).

  • Build in an Incident Response plan from the ground up.

  • Built with small businesses in mind.

  • Can be done with limited specialised software (e.g. backup software may be needed).

  • Not the only things that can and should be done.

...