Breaking Down the Small Business Guides

Area	Control	SMB1001 Tier 5 - Diamond	Cybersecurity Small Business Guide	CyberWardens Action Plan / Toolkit / Reflections	ID Care Resilience Plan Questionnaire	Essential Eight Maturity Level 1
Technology Management	Technical Support Specialist	plus add a SLA with MSP	(mentioned)		Specifies MSP
	Firewall
	Anti Virus Software		(scans)		Specifies phones also (which is not a thing).
	Malware Detection
	Devices Patched					Auto Vuln Scanner
	TLS / SSL Certificate on Website
	Protect Domain Names
	Servers Patched			Automatic Updates		Includes online services and vendor mitigations. Includes internal Office Suites
	Scan Websites for Vulnerabilities		(mentioned)			Vuln Scanner on internal and External Assets, inc Email, Browsers, Office Suites etc
	Data Encrypted At Rest				does not mention at rest specifically
	Application Control				only certain applications to be downloaded (what about installed by other methods)	Including on Workstations. Restricts Access to Excecutables etc
	Disable Microsoft Office Macros	can be disabled with notification				Except where demonstrated business Environment. With AV Scanning
	Lock Devices		(Good!) plus secure mobile phones	Physical Security of devices. Good!
	Conduct Penetration, Vulnerability and Social Engineering Testing
	Remove Online Services No Longer In Use
	Remove OS that are no longer supported by Vendors
	Browser Hardening				Internet Browser Protections	No IE11, No Java, No Web Ads, no changes by users.
Education and Training	Cybersecurity Training	more involved		The Cyber Wardens program Soft Skills for Cyber Wardens. Good!	Understand latest scams and threats
	Understand consequences of an incident			Good!
	Review regularly			Good!
Access Management	Change Passwords Routinely		(strong passwords)
	No Admin Access		RBAC, Remove users (Good!)		Changes to IT Environment by one person or role	Validate Requests for Access. Separate Account solely for Admin Usage. Privileged Users Internet Access Restricted. Separate Operating Environments
	Individual User Accounts		(limit)
	Password Manager			strong push for passphrases
	MFA on Email	no text, email or voice				All Organisation Online Services
	MFA on Business Applications and Social Media	no text, email or voice				All Third Party Online Services
	RDP over VPN
	Remote Access Cloud Credentials Management	including setting up SSO and IAM
	MFA for Digital Data	all important digital data no text, email or voice
	MFA on VPNs	no text, email or voice
	MFA on RDP	no text, email or voice
	Wifi Passwords			Separate Guest networks. Good!
	Website			Update your Website! Good!
Backup and Recovery	Backup and Recovery	more involved, including testing		Includes testing Recovery! Good!	Weekly	more involved including no access to backups of other data by unprivileged users.
	Business Cyber Insurance
Policies, Processes and Plans	Digital Asset Register	more details	(understand your data, consolidate your data! Good!)	Where is your data hiding. Good! Device Audit. Good!	Very privacy focused. Good!	Automated Asset Discovery
	Confidentiality Agreement for Employees
	Invoice Fraud Policy			BEC scams
	Privacy Policy
	Visitor Register
	Cybersecurity Policy
	Incident Response Plan	including testing and more details			Data Breach Response Plan	(in higher maturity levels)
	Secure Physical Document Destruction
	Secure Device Disposal
	Digital Trust Program for Suppliers			Encourage suppliers to do Cyber Wardens also
	Police Vetting for Employees with Admin Access

SMB1001 is

An International Standard.
Whole of business focused.
People focused.
Risk focused.
Not overly prescriptive.
Can just get started.
Can do good enough (Levels 1 to 3).
Build in an Incident Response plan from the ground up.
Built with small businesses in mind.
Can be done with limited specialised software (eg Backup may be needed).
Not the only things that can and should be done.

CyberWardens is

Mainly focused on Training.
A bit simplistic in some areas.
But can be good for the very basics.
Information is a bit jumbled and spread out over different areas. Eg I used the Reflections Notebook, the Cyber Security Action Plan the CyberWardens Toolkit documents for this review. Maybe it should all be one document.
Is supported by COSBOA but the COSBOA Cybersecurity page is woeful.

ID Care is

Free to small businesses.
You get to talk to a real person and they ask hard questions, and give very helpful advice.
Pretty comprehensive.
Has the added level of support for breaches or incidents.
They will search for your email addresses that have been compromised and let you know what to do about it.

Essential Eight is

Only really relevant to government departments, or highly regulated industries.
Not relevant to many businesses.
Designed for a specific purpose - to be the government's controls.
IT Specific, not whole of businesses.
Not people focused.
Easy to be seen as an IT project, not a business implementation.
Doesn’t support the overall culture of Cybersecurity in the Organisation.
Focused on Microsoft products only.
Focused on businesses with On Prem.
Requires specialist software (eg Vulnerability Scanning, Asset Discovery).
Doesn’t easily support BYOD.
Difficult for businesses that are not up to date with technology and using old systems.
Can be disruptive to users.
Very prescriptive.
Doesn’t go broad enough for small businesses.
Does not focus on the basics that small businesses needs.
Is all about product and not about process.