Essential 8 vs SMB1001: Which Framework Is Best for Your Business?

There are very few modern businesses that can ignore the importance of cybersecurity, no matter their size or the industry they operate in.  

Since 2017, businesses across the country have had their cybersecurity efforts guided by the Australian Cyber Security Centre’s Essential 8 framework. From small businesses to large corporations, and even government organisations, this framework of principles has been the north star for protecting systems, networks and data across Australia.

More recently, a new framework emerged that offers cybersecurity guidance that’s better tailored to the unique needs of small and medium-sized businesses. The SMB1001 Framework is highly regarded as easy to implement, flexible and human-focused. It also offers formal certification so that businesses can help customers feel at ease. 

In this article, we will discuss the SMB1001 framework in further detail, comparing its fundamental differences to the Essential 8 so you can decide what’s right for your business. 

 

A quick recap of the Essential 8 framework

Although most Australian business owners and stakeholders are probably familiar with the Essential 8 framework, it’s important to do a quick recap so that a clear comparison can be drawn. Developed by the Australian Cyber Security Centre (ACSC), this framework consists of eight key strategies that can be used to prevent a cyber attack. In their simplest form, these straightforward and scalable steps are:

  • Application control
  • Patching applications
  • Configuring Microsoft Office macro settings
  • User application hardening
  • Restricting administrative privileges
  • Patching operating systems
  • Multi-factor authentication (MFA)
  • Daily backups

Understanding the SMB1001 framework

Like the Essential 8, the SMB1001 framework offers fundamental cybersecurity guidelines that protect businesses from common cyber threats. Developed by Dynamic Standards International (DSI) — who have a vision of helping small and medium-sized businesses navigate the evolving cyber threat landscape with confidence and resilience — it offers a structured yet flexible approach to cybersecurity whilst recognising the unique challenges of smaller organisations. The SMB1001 framework is continually developed across the following key areas:

  • Risk management — taking steps to ensure risks are mitigated across the business.
  • Security awareness training — providing detailed training that encourages employees to be aware and prepared when it comes to cybersecurity threats.
  • Data protection and privacy — this includes regular backups and ensuring data is securely stored.
  • Incident response and recovery — developing policies and procedures to follow if a cybersecurity attack does occur.
  • Network security — this includes protecting both hardware and software, such as routers, firewalls and servers.
  • Access control — monitoring and controlling who has access to your company’s data.  

Beyond this guiding framework, SMB1001 includes a tiered certification pathway where businesses can move from Bronze to Diamond, progressively improving their cybersecurity efforts along the way.

Essential 8 versus SMB1001: The key differences 

The Essential 8 and SMB1001 frameworks both aim to improve the cybersecurity of businesses through practical, actionable and scalable steps. Though they share these similarities, they also have many differences:

What business types are they designed for?

The most significant difference between the Essential 8 and SMB1001 is who they are designed for. Essential 8 has no specific target audience, meaning it takes a broad approach that can be applied to a range of organisations, including large enterprises and government entities. SMB1001, on the other hand, is tailored specifically for SMBs, addressing the unique needs and constraints of operating on a smaller scale.

Overall implementation complexity

The Essential 8 framework can be rolled out quite simply, given its broad, non-specific nature, which was created to suit organisations of all shapes and sizes, regardless of their experience in cybersecurity. Being tailored to a subset of businesses, SMB1001 takes a more detailed and structured approach. With the tiered certification system, businesses can choose how complex or simple their approach to cybersecurity is, and can gradually increase their efforts according to the evolution of their business.

Certification versus maturity levels

One of the appeals of SMB1001 is its formalised certification process. The pathways of these certificates allow businesses to be rewarded for their improvements and continued efforts in the cybersecurity space. Meanwhile, followers of the Essential 8 framework can assess their maturity level based on their implementation of the eight strategies. These five levels of maturity may help businesses understand how they are positioned, but there is no reward or certification that can be used to impress customers or clients. 

Human-focused approach 

While both frameworks cover essential cybersecurity practices, SMB1001 is unique in its human-focused approach, placing an emphasis on policy management and employee training. This focus is hugely important for small and medium-sized businesses, where resources for cybersecurity are often limited and employee awareness can significantly impact the overall security of the business.

Summary

Choosing between Essential 8 and SMB1001 depends on the specifics of your organisation. Essential 8 offers a straightforward approach to IT security services suitable for a wide range of organisations, including large enterprises and government entities. 

Meanwhile, SMB1001 provides a flexible, human-focused approach that addresses the unique challenges faced by smaller businesses. By understanding the differences between these two frameworks, leaders can make informed decisions about what cybersecurity approach works best for their business. 

To explore the power and possibilities of the SMB1001 framework in more detail, you can reach out to Sentrian to purchase the package and begin the journey of certification. 
