My Journey to SMB1001

Cybercon 2024 Talk Resources

More about SMB1001

More about Cybersecurity Assurance

I run a small business where I am the sole director and sole employee. I work in the technology space and help my clients with their software, business systems, and information security needs.

My business is 100% cloud, and currently earns 100% of its income via working within the cloud. There are no servers, switches, or anything beyond a few computers, phones, and a few internet connections (one router to connect to the NBN).

So whilst the cybersecurity industry and the Australian Government maintains that Essential Eight is the base level of cybersecurity maturity, there are still parts of the Essential Eight that I can not meet, or just do not apply, or are way overkill for my business. Eg:

• Automated asset discovery (as I said, a few laptops, phones, and internet connections, plus some internet connected devices on my personal network like my TV). This is not something I need automated.

• Requests for privileged access to systems are validated - well it’s just me. I suppose I do validate when I enter my Admin password.

• Application Control - I run Windows 11, it is not a built in feature, apart from UAC and they are not talking about that. I do run a Pixel device and only allow Apps from the Play Store, so I guess that covers the mobile device.

• Web browser security settings cannot be changed by users - again, just me, yes, I can change any setting.

• Macros - well, you know what I am an Excel expert from way back to Excel Version 4 and yes, I may still want to create or use an occasional macro (but there are other better ways to do things now also).

But of course I am fully all over the MFA and Backup requirements.

Sure, if you are a small business that needs to be PCI-DSS compliant, or you are legislated by APRA or some other legislation, then yes, you will need to include Essential Eight in the mix of your cybersecurity controls, but for the rest of us, we need something simple and straightforward, and that is SMB1001.

Yes it is straightforward, and simple, but that does not mean that it wasn’t challenging for me, and required me to make some significant changes before I could hand-on-heart attest that yes I do do X and I do have a policy on Y.

I chose to use the Assuredly Starter Plan as I needed to have the platform guide me through the process. Assuredly has excellent templates for policies that really helped (again, it’s just me, I don’t really need policies, but it was a great exercise to do, regardless).

I now have attained the SMB1001 Gold Certification and the end result was that I had no increase in the cost of my cyber and business insurance, but with the added bonus of 4 times the cybersecurity coverage value as previous, so I think that is worth it.

For me out of the 26 controls:

• 10 controls I was already doing and could just check off, this includes using a password manager, MFA on all accounts.

• A few of the controls needed written documentation, which being only me was not really necessary. Thankfully Assuredly had templates to help me write the documents, but I still did have to write parts of them and ensure they fit with my business.

• Four controls I needed to work on.

Admin accounts for all my services. I already has two users for Google and Microsoft from when I had a staff member. I had to sacrifice a user account on each one of those services to set up myself as an Admin account, distinct from my user account. I'm not convinced there is much benefit in this given that I have MFA on both of them, but there are some things that I have to just say, yep, I agree this is best practice, and it was not a lot of money.

I was logging into my laptop as an administrator account, and yeah I don't fully agree with not logging in as Admin every day, but the heightened risk of ranswomware installs happening without knowing, makes it worthwhile. It is annoying having to enter the username and password, but it is just a reminder as to why I'm doing this whole process.

Backups. I had a backup set up for my regular files, but I purchased a backup plan for Google, Microsoft, and Salesforce. It wasn't that expensive, and is a good reassurance because I think losing my email would be the hardest thing to recover from for business continuity.

Digital Asset Register, and secure destruction, it wasn't that I was not doing it, it was that I was over doing it. I am on the hoarderish side of redundancy for technology devices. I had three backup Android devices, two backup laptops etc. So it was the case of getting to one good known backup device for Windows and Android, then wipe and securely dispose of the others.

Now even with the SMB1001 Gold certification in progress, I had to look at my risks specifically. As a sole operator, there is no one to report phishing emails to, and I worry that I could inadvertently click on a link, or do something wrong whilst working quickly. Now, I am 99% sure that any damage that I could do by clicking on a link could be recovered simply just by switching to my backup device and restoring from backup, but I don’t need that stress.

So I also implemented some extra controls for my business that really help me.

• Guardz is an email and website scanning too. I love this tool and not just because they would sell it to me! There are not many companies who will sell one or two licences for their cybersecurity products. It just gives me piece of mind that my emails are being scanned and quarantined before I click. I even had to do the mandatory training because apparently I clicked on a bad website once.

• I also have a similar tool for my M365 setup, but I will probably switch that over to Guardz once they allow for both suites to be in the same account.

• Sucuri Website monitoring. I had a huge issue with randoms trying to access my website a number of years ago, so I have that extra level of protection that looks for malware on my website every week. I also have excellent support from my domain and website host, WP Hosting Australia.

• My will and the business memorandum for how my business is to be wound down, and ensuring the executor has a budget to employ someone to do that. This also includes an Advanced Care Directive and Power of Attorney if they are needed. These are important documents to prepare now, to help your family in the future.

• As a Certified Data Privacy Solutions Engineer (CDSPE), I already focus on Data Privacy in my business, and help my clients understand having better data privacy in their business.

Extra things you might do, depending on your business:

• Talk about and plan for business continuity in multiple situations. Eg even if you lose or break your phone - can you pay Payroll this week?

• Talk about risk and your level of risk tolerance, especially to get on the same page as your co-leaders.

• Talk about your business values and how to bring cybersecurity in alignment with your values. Eg if your values include helping your clients achieve their best, then having good cybersecurity yourself, and helping your clients understand where they can improve their cybersecurity, fits with those values.

• Ensure you know your obligations under the Privacy Act if your business is larger and you need to comply.

• Have a look through my Small Business Cybersecurity Activation Plan for more ideas.

Costs

Here’s what I paid for over and above regular email and cloud services.

For SMB1001 Gold

• Assuredly Starter Plan $990/year

• SMB1001 Gold Certification $395/year

• Backup - Email and Cloud Apps $115/yr

• Secure Document Destruction $82

• I was already paying for:

  • SSL Certificate $69/yr

  • 1Password $75/yr

  • Backup - Files $150/yr

  • Additional Microsoft M365 Licence

  • Additional Google Workspace Licence

Additional Security tools:

• Email and Web Security Monitoring $330/yr

• Website Monitoring $168/yr