Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

More about SMB1001

I run a small business where I am the sole director and sole employee. I work in the technology space and help my clients with their software, business systems, and information security needs.

My business is 100% cloud, and currently earns 100% of its income via working within the cloud. There are no servers, routers, switches, or anything beyond a few computers, phones, and a few internet connections (yes technically there is a modem/router to connect to the NBN).

So whilst the cybersecurity industry and the Australian Government maintains that Essential Eight is the base level of cybersecurity maturity, there is still parts of the Essential Eight that I can not meet, or just do not apply, or are way overkill for my business. Eg:

  • Automated asset discovery (as I said, a few laptops, phones, and internet connections, plus some internet connected devices like my TV). This is not something I need automated.

  • Requests for privileged access to systems are validated - well it’s just me. I suppose I do validate when I enter my Admin password.

  • Application Control - I run Windows 11, it is not a built in feature, apart from UAC and they are not talking about that.

  • Web browser security settings cannot be changed by users - again, just me, yes, I can change any setting.

  • Macros - well, you know what I am an Excel expert from way back to Excel Version 4 and yes, I may still want to create or use an occasional macro (but there are other better ways to do things now also).

But of course I am fully all over the MFA and Backup requirements.

Sure, if you are a small business that needs to be PCI-DSS compliant, or you are legislated by APRA, then yes, you will need to start with Essential Eight, but for the rest of us, we need something simple and straightforward, and that is SMB1001.

Yes it is straightforward, and simple, but that does not mean that it wasn’t challenging for me, and required me to make some major changes before I could hand-on-heart attest that yes I do do X and I do have a policy on Y.

I chose to use the Assuredly Starter Plan as I needed to have the platform guide me through the process. Plus they have excellent templates for policies that really helped (again, it’s just me, I don’t really need policies, but it was a great exercise to do regardless).

Personal vs Business

Being a sole director company, with my main office now at home (I reluctantly had to give up my office after it shut down after the pandemic), there is a vast overlap between personal and business, especially around devices, accounts etc. So I can’t separate out keeping my personal data safe online vs keeping my business data safe.
Eg the Australian Government’s new basic message to “Act Now. Stay Secure” is good advice (but when they tell you to “change your password” after your data has been breached an every bit of your personal information is “out there” it’s then not so good).

  • No labels

0 Comments

You are not logged in. Any changes you make will be marked as anonymous. You may want to Log In if you already have an account.