Breaking Down the Standards

Area	Control	SMB1001 Tier 6	Cybersecurity Small Business Guide	Essential 8 Maturity Level 1
Technology Management	Technical Support Specialist	plus add a SLA with MSP	(mentioned)
	Firewall
	Anti Virus Software		(scans)
	Malware Detection
	Devices Patched			Auto Vuln Scanner
	TLS / SSL Certificate on Website
	Protect Domain Names
	Servers Patched			Includes online services and vendor mitigations. Includes internal Office Suites
	Scan Websites for Vulnerabilities		(mentioned)	Vuln Scanner on internal and External Assets, inc Email, Browsers, Office Suites etc
	Data Encrypted At Rest
	Application Control			Including on Workstations. Restricts Access to Excecutables etc
	Disable Microsoft Office Macros	can be disabled with notification		Except where demonstrated business Environment. With AV Scanning
	Lock Devices		(Good!) plus secure mobile phones
	Conduct Penetration, Vulnerability and Social Engineering Testing
	Remove Online Services No Longer In Use
	Remove OS that are no longer supported by Vendors
	Browser Hardening			No IE11, No Java, No Web Ads, no changes by users.
Education and Training	Cybersecurity Training	more involved
Access Management	Change Passwords Routinely		(strong passwords)
	No Admin Access		RBAC, Remove users (Good!)	Validate Requests for Access. Separate Account solely for Admin Usage. Privileged Users Internet Access Restricted. Separate Operating Environments
	Individual User Accounts		(limit)
	Password Manager
	MFA on Email	no text, email or voice		All Organisation Online Services
	MFA on Business Applications and Social Media	no text, email or voice		All Third Party Online Services
	RDP over VPN
	Remote Access Cloud Credentials Management	including setting up SSO and IAM
	MFA for Digital Data	all important digital data no text, email or voice
	MFA on VPNs	no text, email or voice
	MFA on RDP	no text, email or voice
Backup and Recovery	Backup and Recovery	more involved, including testing		more involved including no access to backups of other data by unprivileged users.
	Business Cyber Insurance
Policies, Processes and Plans	Digital Asset Register	more details	(understand your data, consolidate your data! Good!)	Automated Asset Discovery
	Confidentiality Agreement for Employees
	Invoice Fraud Policy
	Visitor Register
	Cybersecurity Policy
	Incident Response Plan	including testing and more details		(in higher maturity levels)
	Secure Physical Document Destruction
	Secure Device Disposal
	Digital Trust Program for Suppliers
	Police Checks for Employees with Admin Access

SMB is

Whole of business focused
People focused
Risk focused
Not overly prescriptive
Can just get started
Can do good enough (Levels 1 to 3)
Build in an Incident Response plan from the ground up
Built with small businesses in mind
Can be done with limited specialised software (eg Backup may be needed)
Not the only things that can and should be done

Essential 8 is

Only really relevant to government departments, or highly regulated industries.
Not relevant to many businesses
Designed for a specific purpose - to be the government's controls.
IT Specific, not whole of businesses
Not people focused
Easy to be seen as an IT project, not a business implementation
Doesn’t support the overall culture of Cybersecurity in the Organisation
Focused on Microsoft products only
Focused on businesses with On Prem
Requires specialist software (eg Vulnerability Scanning, Asset Discovery)
Doesn’t easily support BYOD
Difficult for businesses that are not up to date with technology and using old systems
Can be disruptive to users
Very prescriptive
Doesn’t go broad enough for small businesses
Does not focus on the basics that small businesses needs
Is all about product and not about process