Unveiling the New Security Standard SMB 1001: A Game-Changer for Small Businesses

February 7, 2024

The Imperative of Cybersecurity for SMBs

In an era where cyber threats loom larger than ever, the Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC) underscores the increasing severity and impact of cyber attacks, especially on small businesses. For the more than 2 million Australian small businesses the actions of these malicious actors can be harmful, with some businesses unable to recover. A staggering report from the ASD reveals that the average cost of cybercrime to small businesses soared to over $46,000 in 2022-2023, marking a significant rise from the previous year. This trend not only highlights the financial peril these threats pose but also the existential risk for businesses grappling to recover from such incidents.

Note: The Australian Bureau of Statistics’ definition of a SMB business relates to the number of employees. This includes a Sole Trader — one employee, a Micro-business — two to four employees, a Small Business — five to 19 employees and Medium-sized Business — 20 to 199 employees.

The Challenge with Current Security Standards

While numerous information security standards exist, their complexity and breadth often render them impractical for small businesses. Typically requiring an exhaustive list of up to hundreds of security controls, these standards are better suited for larger organizations with ample resources. Small businesses, on the other hand, find themselves overwhelmed by the voluminous assurance requests from larger companies, entailing thousands of security questions through various third-party platforms. This process is not only daunting but also costly, as evidenced by a case study where a medium-sized business faced over 4,500 questions, translating to consultancy costs upwards of AUD $100,000.

The excessive cost of security assurance and certification for SMB’s

A number of standards allow businesses to employ third party auditors to conduct a review of their controls and recommend them for certification or provide a report they can share with stakeholders.

The current cost to small businesses to achieve security certifications is significantly above their budget and their expectations.

The current costs to achieve security certification and/or pass external audits ranges from AUD $30,000 to $60,000.

ACSC reported in their 2023 Cyber Security and Australian Small Businesses Report that while 62 per cent of respondents have experienced a cyber security incident and 80 per cent rated cyber security as ‘important to very important’ almost half of SMBs rated their cyber security understanding as ‘average’ or ‘below average' and had poor cyber security practices and spend less than $500 on cyber security per year. With this type of budget it is no wonder SMB's find it hard to achieve the minimum benchmarks for the current range of standards available.

Assuredly analysis of current average assurance costs

The Essential Eight vs SMB 1001

The Essential Eight has been promoted by the Australian Government as a good set of measures for small business. The Australian Government surveyed 1,763 SMBs to measure their cyber security understanding against how many of the Essential Eight Mitigation Strategies businesses they implement.  Almost 50% of SMBs rate their cyber security understanding as ‘average or below' and had poor cyber security practices (implement four or fewer of the Essential Eight). They were categorised as ‘needing help and know it’.

We compared the requirements set out by the SMB 1001 Standard to the Essential Eight.   Our analysis showed that the SMB 1001 standard has greater coverage across all the key practice areas that support a robust security program.  While the Essential Eight requirements are more technical in nature and cover less practice areas (including critical areas such as incident response). Many small businesses we speak to cannot implement the Essential Eight without significant technical support.  The Essential Eight is also heavily focused on Windows operating systems so excludes any business who uses other operating systems.  The Australian Government SMB survey reported that this could represent as many as 22% of SMB's.

Comparison of Essential Eight vs SMB 1001 Requirements

While we know the Essential Eight are created to address some of the most critical security vulnerabilities seen by the ASD the SMB1001 Standard gives an entry point for ALL businesses, regardless of resources or expertise to start uplifting their security today.

If you are thinking "what will 6 controls do for any business?" then we challenge you to look at the new standard and let us know what you think is better...

  1. a business with 6 controls who has found the assurance process helpful, has learned and is confident to continue building their security program, or
  2. a business who avoids security assessments or fudges them because it is too complicated and costly?
Comparison of minimum requirements - Essential Eight vs SMB1001

Introducing SMB 1001: A New Dawn for Security Standards

Recognizing the need for a more accessible standard, Assuredly has embraced SMB 1001, a new security standard/framework devised by experts at CSC AU. Unlike its predecessors, SMB 1001 offers a pragmatic and tiered approach to security controls, enabling small businesses to achieve Tier 1 compliance swiftly and enhance their security measures over time.

Assuredly and SMB 1001: Empowering Small Businesses

Assuredly has integrated an online assessment tool for SMB 1001 within our platform, simplifying the compliance process for small businesses. This tool not only facilitates assessments across various tiers of the standard but also provides comprehensive support through help guides, evidence requirements, risk registers, and automated action plans.

Our mission is to make security management and certification both accessible and affordable, with costs for achieving Tier 1 SMB 1001 certification within a small businesses budget!

SMB 1001 Tier 1-5 Certification Process making it affordable for SMB’s

The Assuredly platform allows small business to:

  • Complete an assessment of their business against one or more Tiers of the SMB 1001 Standard.
  • Access Help Guides that assist them in implementing controls which they don’t yet have in place.
  • Access instant guidance on what evidence is required to prove to an auditor that each control is designed and operating effectively.
  • Attach evidence to the assessment.
  • Be provided with automated suggested action plans for weak controls.
  • Be automatically given a risk register with associated risk treatment plans.
  • Run reports that give them a clear view of how well their business has achieved against the SMB 1001 standard in easy-to-understand graphs.
  • Access a link to apply for certification.

Fostering Collaboration with ICT Providers and Consultants

Understanding the pivotal role of ICT providers and consultants in supporting small businesses, Assuredly collaborates closely with these stakeholders to elevate security standards across the board. Our partnerships with CyberCert, Managed Service Providers, Consultants and Businesses ensures that the assessment, certification process, ongoing audits and management of security assurance information remains streamlined and cost-effective, emphasizing our commitment to enhancing security assurance for small businesses.

Assuredly SMB 1001 Tier 1-3 Certification Process made easy for SMB’s

Assuredly SMB 1001 Tier 1-3 Certification Process made easy for SMBs

Assuredly SMB 1001 Tier 4-5 Verified Certification Process for SMB’s

Assuredly SMB 1001 Tier 4-5 Verified Certification Process for SMBs

About Assuredly

Assuredly is at the forefront of cybersecurity assurance, offering a robust platform that enables businesses of all sizes to assess their cybersecurity posture against leading standards. Our founder's extensive experience in cybersecurity and dedication to demystifying the complexities of the field underscore our mission to empower businesses to secure their operations confidently. The founders leadership and vision continue to drive Assuredly towards setting new benchmarks in cybersecurity assurance for small businesses.

Book a free demonstration or talk to one of our team today to uncover how we can help ensure you align to standards while also understanding your risks and knowing what action to take to keep your business secure.

Request a Demo
Secure your business.
Today is the day to build the business of your dreams. Let us help you secure your assets without blowing your budget — and focus on the things that count!