Area | Control | SMB1001 Tier 3 | SMB1001 Tier 6 | Essential 8 Maturity Level 1 | |
---|---|---|---|---|---|
Technology Management | Technical Support Specialist | plus add a SLA with MSP | (mentioned) | ||
Firewall | |||||
Anti Virus Software | (scans) | ||||
Malware Detection |
| ||||
Devices Patched | Auto Vuln Scanner | ||||
TLS / SSL Certificate on Website |
| ||||
Protect Domain Names | |||||
Servers Patched | Includes online services and vendor mitigations. Includes internal Office Suites | ||||
Scan Websites for Vulnerabilities | (mentioned) | Vuln Scanner on internal and External Assets, inc Email, Browsers, Office Suites etc | |||
Data Encrypted At Rest | |||||
Application Control | Including on Workstations. Restricts Access to Excecutables etc | ||||
Disable Microsoft Office Macros | can be disabled with notification | Except where demonstrated business Environment. With AV Scanning | |||
Lock Devices | (Good!) plus secure mobile phones | ||||
Conduct Penetration, Vulnerability and Social Engineering Testing |
| ||||
Remove Online Services No Longer In Use | |||||
Remove OS that are no longer supported by Vendors | |||||
Browser Hardening | No IE11, No Java, No Web Ads, no changes by users. | ||||
Education and Training | Cybersecurity Training | more involved | |||
Access Management | Change Passwords Routinely | (strong passwords) | |||
No Admin Access | RBAC, Remove users (Good!) | Validate Requests for Access. Separate Account solely for Admin Usage. Privileged Users Internet Access Restricted. Separate Operating Environments | |||
Individual User Accounts | (limit) | ||||
Password Manager | |||||
MFA on Email | no text, email or voice | All Organisation Online Services | |||
MFA on Business Applications and Social Media | no text, email or voice | All Third Party Online Services | |||
RDP over VPN | |||||
Remote Access Cloud Credentials Management | including setting up SSO and IAM | ||||
MFA for Digital Data | all important digital data no text, email or voice | ||||
MFA on VPNs | no text, email or voice | ||||
MFA on RDP | no text, email or voice | ||||
Backup and Recovery | Backup and Recovery | more involved, including testing | more involved including no access to backups of other data by unprivileged users. | ||
Business Cyber Insurance | |||||
Policies, Processes and Plans | Digital Asset Register | more details | (understand your data, consolidate your data! Good!) | Automated Asset Discovery | |
Confidentiality Agreement for Employees | |||||
Invoice Fraud Policy | |||||
Visitor Register | |||||
Cybersecurity Policy | |||||
Incident Response Plan | including testing and more details | (in higher maturity levels) | |||
Secure Physical Document Destruction | |||||
Secure Device Disposal | |||||
Digital Trust Program for Suppliers |
| ||||
Police Checks for Employees with Admin Access |
SMB is
Whole of business focused
People focused
Risk focused
Not overly prescriptive
Can just get started
Can do good enough (Levels 1 to 3)
Build in an Incident Response plan from the ground up
Built with small businesses in mind
Can be done with limited specialised software (eg Backup may be needed)
Not the only things that can and should be done
Essential 8 is
Only really relevant to government departments, or highly regulated industries.
Not relevant to many businesses
Designed for a specific purpose - to be the government's controls.
IT Specific, not whole of businesses
Not people focused
Easy to be seen as an IT project, not a business implementation
Doesn’t support the overall culture of Cybersecurity in the Organisation
Focused on Microsoft products only
Focused on businesses with On Prem
Requires specialist software (eg Vulnerability Scanning, Asset Discovery)
Doesn’t easily support BYOD
Difficult for businesses that are not up to date with technology and using old systems
Can be disruptive to users
Very prescriptive
Doesn’t go broad enough for small businesses
Does not focus on the basics that small businesses needs
Is all about product and not about process
0 Comments