Cybercon 2024 - My Journey to SMB1001
Title: My SME's journey to SMB1001 certification: Is cybersecurity certification worthwhile for your SME?
Conference: Australian Cyber Conference 2024, Melbourne
Date: 28-Nov-2024
Synopsis:
As the director of a company providing services in the information security industry I'm always very conscious of walking the talk, and following the same best practice as my larger company peers. However, there is just not the possibility to buy tools to help with cybersecurity best practices, because they don't sell to companies as small as mine. My company is even too small for many MSSPs to look after my devices.
So often, we hear from experts in the cybersecurity industry that the minimum baseline is Essential Eight. However, Essential Eight is not for everyone, and is completely daunting for companies that are cloud-first and/or don't use Microsoft 365 that is fully controlled by a Microsoft security specialist, either in-house or via an MSSP. So many aspects of Essential Eight are just not relevant to my business, or to other Small to Medium Enterprises.
So when the CSCAU (Cyber Security Certification Australia) released SMB1001, it seemed like the best fit for my company. There are three levels (Bronze, Silver, and Gold) that are self-assessed, and two that require an external auditor. The Bronze level has 6 controls, and most businesses could pass that easily. The Gold level is where I wanted my business to be, at a minimum.
The talk will be about my journey to get to Gold Certification, the changes I had to make in my business, the difficult changes I needed to implement, and the help I needed to get there.
There will be an overview of the Standard, the Certification, and the tools to help achieve the certification.
I will compare the new Standard with the Small Business Cyber Security Guide from the Australian Cyber Security Centre (ACSC), and the Cyber Wardens program supported by the Council of Small Business Organisations Australia (COSBOA).
I will talk about the software tool that I used to help me through understanding and documenting each of the controls. Note that this is not required and you can follow the DIY model, but for me the tool was worth it.
Summing up: in the end, is it worth it? Do I feel more secure? Did it impact my cybersecurity insurance? Do I need to go to the next level of external audit? Do I recommend other SMEs undertake this journey? What are the next steps for the participant to walk out of this talk and get started on?