I run a small business where I am the sole director and sole employee. I work in the technology space and help my clients with their software, business systems, and information security needs.
My business is 100% cloud-based and currently earns 100% of its income from work done in the cloud. There are no servers, routers, switches, or anything beyond a few computers, phones, and a few internet connections (yes, technically there is a modem/router to connect to the NBN).
So whilst the cybersecurity industry and the Australian Government maintain that the Essential Eight is the base level of cybersecurity maturity, there are still parts of the Essential Eight that I cannot meet, that do not apply, or that are way overkill for my business. For example:
Automated asset discovery (as I said, a few laptops, phones, and internet connections, plus some internet-connected devices like my TV). This is not something I need automated.
Requests for privileged access to systems are validated - well, it's just me. I suppose I do validate when I enter my Admin password.
Application Control - I run Windows 11. UAC is not what they are talking about, and the actual built-in options (AppLocker on Pro/Enterprise, or App Control for Business, formerly WDAC) mean writing, deploying and maintaining an allow-list policy, which is overkill for one laptop.
Web browser security settings cannot be changed by users - again, just me; yes, I can change any setting.
Macros - well, you know what, I am an Excel expert from way back to Excel Version 4, and yes, I may still want to create or use an occasional macro (although there are better ways to do things now, too).
But of course I am fully all over the MFA and Backup requirements.
Sure, if you are a small business that needs to be PCI-DSS compliant, or you are regulated by APRA, then yes, you will need to start with the Essential Eight, but for the rest of us, we need something simple and straightforward, and that is SMB1001.
Yes, it is straightforward and simple, but that does not mean it wasn't challenging for me; it required me to make some major changes before I could hand-on-heart attest that yes, I do do X and I do have a policy on Y.
I chose to use the Assuredly Starter Plan as I needed the platform to guide me through the process. Plus, they have excellent templates for policies that really helped (again, it's just me, I don't really need policies, but it was a great exercise regardless).