IN PROGRESS
This guide is intended for small businesses that have a pretty straightforward setup - eg you do not have a server in your back room, you use cloud services by default, and do not do any custom software development.
(If you have a server, or do custom software development, read ahead, and there will be more for you to do than is mentioned here).
There are three sections, each building on the section before:
Easy Mode - you don’t have a cybersecurity plan in place, and you and your team don’t know much about cybersecurity, but you want to sleep better at night.
Get it Done - you just need to get better and more rigorous at doing cybersecurity in your business.
The Journey - your business has some cybersecurity in place and is on the way to becoming certified by an external audit program like ISO27001.
Step 0 - The 6 Knows
Telstra has a great methodology called The Five Knows. I will add one more.
Know why you are embarking on this journey:
How does having good cybersecurity fit into your business values?
What benefit will good cybersecurity have for your business? Eg will it be that you are 20% better than your competitors, or just that you can sleep better at night?
Easy Mode | Get it Done | The Journey |
---|---|---|
Think about who, what, why, when:
| Make lists of data, people, software, logins, hardware, devices:
| Start some Registers:
|
Think about what would you like to be doing better? | Write down something about what being better at cybersecurity will look like. | Plan how you are going to bring your staff along on this journey. |
Step 1 - Knowledge
Easy Mode | Get it Done | The Journey |
---|---|---|
Read the Australian Government Small Business Cybersecurity Guide.
| Decide if SMB1001 Gold self attestation may be good fit for your business.
| Heading for ISO27001? Wanting to do more government Work?
|
Have a read of your current Policies and Procedures.
| Gather all your current policies and procedures in one place, as you will be updating them. | Think about having a centralised place to store and maintain policies and procedures. There are many options. |
Think about risk in your business.
| Start to write down some of the risk scenarios you may face as a business.
| Plan to implement a risk register in the business, along with all that entails (eg updating it regularly). There are great apps to help with this. |
What regulations does your business have to follow? What parts of the Privacy Act scare you? What parts don’t you understand? What do you need to ask your Technical Specialist about? How are you staying up to date with legislation that may affect your business? | What other regulations are impacting you, eg your Suppliers or people you supply to may be subject to regulations that affect the way you do business with them. What parts of the new Cybersecurity Legislation Package (2024) do you need to be factoring into your business? | You are going to need to start maintaining Supplier Agreements, and managing your supply chain, along with being responsible for understanding and complying with all the legislation and regulations that impact your sector. What help do you need to get this done? |
Step 2 - Passwords
Your passwords are the keys to your kingdom. It’s time to stop with the Admin/12345. Start with the passwords that need to be most secure.
Easy Mode | Get it Done | The Journey |
---|---|---|
As you go through your day, think about your passwords.
|
| It may be time to start setting up Single Sign On (SSO) for your main systems. Both Microsoft and Google can be set up for SSO.
|
Start using a Password Manager, even the free version of LastPass.
| Get onto the team plan of LastPass or 1Password.
|
|
Step 3 - People
Yes, I put People behind Passwords. The first part of educating People will be to talk about Passwords.
Easy Mode | Get it Done | The Journey |
---|---|---|
Just as you have had to check what you didn’t understand and ask for help, start this process with your team also. https://www.cyber.gov.au/learn-basics
| You may want a few key team members to become “cyber wardens” but take the course yourself first. Be aware that this is not everything you need to know, and it can be a bit too simplistic at times. Talk to your IT specialist about what cybersecurity training they recommend. Never recommend training that shows your team as the “weakest link” or the “first line of defence” or any other scare tactics. It’s your job to get your business to a position that a team member clicking on a link does not grind your business to a halt. Training must also include Data Privacy and your obligations under the Privacy Act. | Cybersecurity training is a core part of your business. Your team has cybersecurity training as one of their measurable points. You may have cybersecurity training included as part of some of the software you have already. But just watching a few videos per year, or watching a video if you happened to click on a phishing test that your IT provider sent out, is not enough. Cybersecurity and data privacy is a key part of business as usual for you and your team, and it is a key part of your business values, and therefore you are helping your suppliers and customers with their cybersecurity challenges also. |
Add Comment