In an era where cyber threats loom larger than ever, the Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC) underscores the increasing severity and impact of cyber attacks, especially on small businesses. For the more than 2 million Australian small businesses the actions of these malicious actors can be harmful, with some businesses unable to recover. A staggering report from the ASD reveals that the average cost of cybercrime to small businesses soared to over $46,000 in 2022-2023, marking a significant rise from the previous year. This trend not only highlights the financial peril these threats pose but also the existential risk for businesses grappling to recover from such incidents.
Note: The Australian Bureau of Statistics’ definition of a SMB business relates to the number of employees. This includes a Sole Trader — one employee, a Micro-business — two to four employees, a Small Business — five to 19 employees and Medium-sized Business — 20 to 199 employees.
While numerous information security standards exist, their complexity and breadth often render them impractical for small businesses. Typically requiring an exhaustive list of up to hundreds of security controls, these standards are better suited for larger organizations with ample resources. Small businesses, on the other hand, find themselves overwhelmed by the voluminous assurance requests from larger companies, entailing thousands of security questions through various third-party platforms. This process is not only daunting but also costly, as evidenced by a case study where a medium-sized business faced over 4,500 questions, translating to consultancy costs upwards of AUD $100,000.
A number of standards allow businesses to employ third party auditors to conduct a review of their controls and recommend them for certification or provide a report they can share with stakeholders.
The current cost to small businesses to achieve security certifications is significantly above their budget and their expectations.
The current costs to achieve security certification and/or pass external audits ranges from AUD $30,000 to $60,000.
ACSC reported in their 2023 Cyber Security and Australian Small Businesses Report that while 62 per cent of respondents have experienced a cyber security incident and 80 per cent rated cyber security as ‘important to very important’ almost half of SMBs rated their cyber security understanding as ‘average’ or ‘below average' and had poor cyber security practices and spend less than $500 on cyber security per year. With this type of budget it is no wonder SMB's find it hard to achieve the minimum benchmarks for the current range of standards available.
The Essential Eight has been promoted by the Australian Government as a good set of measures for small business. The Australian Government surveyed 1,763 SMBs to measure their cyber security understanding against how many of the Essential Eight Mitigation Strategies businesses they implement. Almost 50% of SMBs rate their cyber security understanding as ‘average or below' and had poor cyber security practices (implement four or fewer of the Essential Eight). They were categorised as ‘needing help and know it’.
We compared the requirements set out by the SMB 1001 Standard to the Essential Eight. Our analysis showed that the SMB 1001 standard has greater coverage across all the key practice areas that support a robust security program. While the Essential Eight requirements are more technical in nature and cover less practice areas (including critical areas such as incident response). Many small businesses we speak to cannot implement the Essential Eight without significant technical support. The Essential Eight is also heavily focused on Windows operating systems so excludes any business who uses other operating systems. The Australian Government SMB survey reported that this could represent as many as 22% of SMB's.
While we know the Essential Eight are created to address some of the most critical security vulnerabilities seen by the ASD the SMB1001 Standard gives an entry point for ALL businesses, regardless of resources or expertise to start uplifting their security today.
If you are thinking "what will 6 controls do for any business?" then we challenge you to look at the new standard and let us know what you think is better...
Recognizing the need for a more accessible standard, Assuredly has embraced SMB 1001, a new security standard/framework devised by experts at CSC AU. Unlike its predecessors, SMB 1001 offers a pragmatic and tiered approach to security controls, enabling small businesses to achieve Tier 1 compliance swiftly and enhance their security measures over time.
Assuredly has integrated an online assessment tool for SMB 1001 within our platform, simplifying the compliance process for small businesses. This tool not only facilitates assessments across various tiers of the standard but also provides comprehensive support through help guides, evidence requirements, risk registers, and automated action plans.
Our mission is to make security management and certification both accessible and affordable, with costs for achieving Tier 1 SMB 1001 certification within a small businesses budget!
The Assuredly platform allows small business to:
Understanding the pivotal role of ICT providers and consultants in supporting small businesses, Assuredly collaborates closely with these stakeholders to elevate security standards across the board. Our partnerships with CyberCert, Managed Service Providers, Consultants and Businesses ensures that the assessment, certification process, ongoing audits and management of security assurance information remains streamlined and cost-effective, emphasizing our commitment to enhancing security assurance for small businesses.
Assuredly is at the forefront of cybersecurity assurance, offering a robust platform that enables businesses of all sizes to assess their cybersecurity posture against leading standards. Our founder's extensive experience in cybersecurity and dedication to demystifying the complexities of the field underscore our mission to empower businesses to secure their operations confidently. The founders leadership and vision continue to drive Assuredly towards setting new benchmarks in cybersecurity assurance for small businesses.