Tech Insights with Alisha Christian

Cybersecurity Made Simple: SMB 1001 for Your Business

Mercury IT Season 1 Episode 7

Chris Haig, our Chief Information Security Officer, explains the new SMB 1001 certification designed specifically for small to medium businesses in Australia. 

This affordable, user-friendly certification provides a practical approach to cybersecurity with different levels of protection that build upon each other like karate belts.

• SMB 1001 was developed by CyberCert and Dynamic Standards International to address the gap in security certifications for SMBs, who make up about 90% of Australian businesses

• Traditional security certifications like ISO 27001 are too complex and resource-intensive for small businesses

• The certification follows a tiered approach - Bronze ($95/year), Silver ($195/year), Gold ($395/year), Platinum and Diamond

• Bronze certification requires meeting just six basic security controls, while Silver has 14 standards and pre-qualifies businesses for cybersecurity insurance

• The process is simple: businesses self-assess with help from their MSP, tick off requirements in an easy-to-use dashboard, and have a director sign off

• Certified businesses can display the SMB 1001 badge on websites and email signatures, providing a competitive advantage

• The certification is dynamic and updated annually to stay current with evolving cybersecurity threats

• Government support is growing with initiatives like free Bronze certification through the Cyber Wardens training program

Visit the CyberWarden website or contact Mercury IT to start your SMB 1001 certification journey and protect your business with this Australian-made standard that's now going global.


Speaker 1:

On today's episode, I'm joined by Chris Haig, our cybersecurity expert here at Mercury IT. Chris has joined us once again to explain all about SMB 1001 certification, why businesses should have it, how cost effective it is and how simple it is to put it in place. I hope you enjoy the episode. Welcome to Tech Insights. Joining us again as our regular is Chris Haig, our Chief Information Security Officer. Welcome once again, Chris.

Speaker 2:

Thank you, thank you.

Speaker 1:

Now, we do love having you on the podcast because you do always bring some relevant information along with you, so that's always appreciated.

Speaker 2:

I definitely try, definitely try.

Speaker 1:

So today we're going to be talking about SMB 1001 certification, which is basically aimed at small to medium sized businesses.

Speaker 2:

That's right. So it's a new-ish certification that's come along, so I thought it'd be a good idea to have a chat about it today and just let our viewers know that it's available, what it does if they think it's worth it, et cetera. Just have a little chat.

Speaker 1:

Yeah, no, that's great. I appreciate you coming along, because I certainly can't tell them much about it. So let's jump right in and can you explain what is SMB 1001 and why was it developed?

Speaker 2:

Yeah, sure, so CyberCert and the DSI, which is the Dynamic Standards International, kind of came together to build out a certification specifically for SMBs. So it's Australian driven originally, although it's going global now as well, which is great, and the idea was looking at the number of businesses in Australia. If you look at the number of businesses, it's something close to 90% of businesses actually fall into a small medium business bracket, not enterprise, and most of our security tools certifications process, all that kind of stuff is mostly geared around enterprise and government and so forth and they filter down, obviously, but they take time to do that and there was that gap that was missing where the small medium business is. A certification like the ISO 27001, which is a security international securities kind of certification, is very complex for an SMB to get. It's not impossible but it's hard. It takes a lot of work to get there and a lot of resources, not just money but in staff, time and so forth.

Speaker 2:

So the idea was okay, can we develop something that actually suits a small medium business? Because there'll be certification pieces that are required in an ISO certification that an SMB won't necessarily need. It's just not applicable at all. So there could be a lot of extra costs there for no reason. So the idea was can something be created that's easy for a small-medium business to implement and run with?

Speaker 1:

I mean it seems like a great idea. So why would it matter for a small-to-medium business to get a certification like this?

Speaker 2:

Look, that's a great question because the idea around getting a certification you go okay. Well, what does it actually mean for a small business? There's so many priorities that a business owner is going to be looking at and cybersecurity doesn't really matter how many news articles you read about. Like you know, cybersecurity is the number one thing that businesses think about. It's not, it just isn't. If you look at a risk kind of factored type situation, I think it comes in at number three in a lot of you know these sort of checks with business. But again, it's aimed at larger business and so forth and maybe they're asking the risk committee and not really the owner of the business or the stakeholders. But you can imagine a small medium business. You know it's like I don't know they've got 12 people, they're accountants and so forth and you know top line is like you know revenue is what I'll be thinking about.

Speaker 2:

Losing revenue. How do I get more customers? And you know, worried about my competition. There's just so many things to be worried about, you know. So cybersecurity is way, way down on the list. So often it's just about focus, and often cybersecurity is just complex. So, or it seems complex, so they don't know where to start.

Speaker 1:

We've spoken about that before, haven't we?

Speaker 2:

Absolutely.

Speaker 1:

How it can be very overwhelming for smaller businesses especially to take that journey.

Speaker 2:

Absolutely, but I think what we've got to be aware of, though, is Australia, along with other countries, are noticing cyber security incidents are getting worse and worse. It's just, it's a constant thing. It's a business all in its own of how much money it makes, so it's not going anywhere, and our government, the Australian government's got their cyber strategy you know the 2030 strategy going forward with its shields, and the idea, though, is that's becoming part of the public thought, and if it's becoming more public, then your customers, as a small medium business owner, are going to start thinking about it, so you can kind of see it start to happen now where people are going like hold on a second is my data safe?

Speaker 2:

Like? I go to these small accountants as an example and they ask for a lot of information and then you start to think are they keeping the information secure? Have they asked me to just email it to them? Or you know, those questions start to come up. So I think for SMBs now looking at a certification, this is a good piece to show the customer that they are actually thinking about it. So it's getting to that point of proving that you are more secure than the next person, so we'll put you ahead of the competition as well.

Speaker 1:

Yeah, well, that's a great way to look at it, because I think people are becoming more aware of you know what's happening with their data and that sort of thing.

Speaker 2:

Like I said, it's so far down on the list of priorities. You want to make it easy.

Speaker 1:

Oh absolutely. So how do businesses go about getting the SMB 1001 certification? Is there a certain process?

Speaker 2:

Yeah, absolutely, look, you can go to the CyberCert website or Google SMB 1001, but CyberCert's website is where you can go and purchase your certification directly off the website.

Speaker 2:

You don't just get the certification, obviously.

Speaker 2:

The idea here is there's different levels to get, but there's a questionnaire on the website to determine what level you should be looking at.

Speaker 2:

But if you're not sure, you'll just start at the bottom and kind of work your way up is the easier way to do it, and that website's actually going to give you like a dashboard and it's going to give you easy, step-by-step processes. It's going to give you worksheets, it's going to give you those processes to use, all kind of available for you to go through, and you self-assess is what happens for every level, though you do need to engage with an MSP to help you work through that. So you know, in our case I'd say to people, look, go on there, find the cert that you want to do, or speak to us first, and then you go and select Mercury IT as your partner, and then that's generally the first step is speak to your MSP, and then we can actually walk through that. The process itself, once you've got that, depends on the level that you go through, and there's basically a Bronze, Silver, Gold. I was going to ask you about the different levels.

Speaker 2:

Are all self-attested. So it's a case of you assess yourself along with your MSP, gather the evidence that you need, et cetera, all in one place, and it creates a letter that a director of the business needs to sign. So it is signed up at an executive level, which is really, really important, and then your final two sides as well, where you've got your Platinum and Diamond levels, are actually externally audited. So it's really about what you're after as a business, whether you need kind of basic security, in-hand security, advanced security or that kind of checking your entire supply chain and so forth. So there's different aspects to it, obviously, different costs, different numbers of things that you need to meet, but it is set up in such a way that you can start on Bronze, right, get that, and then move to the next one and get that. It's almost like, what did I hear it described as? Like, yeah, your karate belts, you know, your kind of belts.

Speaker 2:

It's like okay, I've achieved all of this, so now I can be graded from my green belt to a brown belt that kind of scenario. Well, I mean that's good.

Speaker 1:

Well, it builds on each other, which is great so you can just start at the bronze and it's.

Speaker 2:

It's like $95, so it's relatively cheap. It is an annual cost, and that's really important as well because it's a dynamic standard. It gets updated every year, so it moves with those cybersecurity changes in the industry. So yeah, website, sign up, have a chat with your MSP, they'll work through it. You sign the letter from a director and then you can actually use the badge on your website, on your email signatures and so forth, to actually demonstrate.

Speaker 2:

Oh, that's great, isn't it? To your clients and potential clients that that is something that you care about, even though it's way down on your priority list. It's a case of getting that done.

Speaker 1:

But I guess the fact that they can start at a Bronze and it comes at such a reasonable price, $95, it's a step, isn't it? It's that first step to... Absolutely, yeah.

Speaker 2:

And I think by the sounds of it, the interface and everything is pretty user-friendly. Very, very user-friendly, with very clear instructions, and the great thing is, you know, you, as the business owner, along with your chosen service provider, both have the same instructions to work through, and I quite like this because it keeps everyone honest, and what I mean by that is your MSP is not going to try and sell you something that's not on the list.

Speaker 1:

Oh, yes, okay.

Speaker 2:

So it's not. You know, you're not going to be oversold a security solution when that's not what's being asked for, and that's what's great about the SMB 1001. It is the basics to start with. You know, your Bronze is only six kind of steps that you have to work through. Stuff like, the first one is working with your MSP.

Speaker 1:

So that's easy enough.

Speaker 2:

The second one is like making sure you've got a business-grade firewall in place so you don't have a home device running for your business. You know, things like that. Having endpoint security, antivirus, on your devices, and then that's for Bronze. And then moving to Silver, that moves out to then 14 standards that you would need, so 14 bits that you would need in place. And the good thing about, like, just even going from Bronze to Silver, if you certify on Silver, you actually automatically, like, pre-qualify for cybersecurity insurance.

Speaker 2:

Oh, really, yeah, so that's a really, really cool step as well. So there's specific insurance providers that are kind of part of that standard as well, so they partner with CyberCert to be able to offer that. Obviously, it's still underwritten, it's still got to be checked, that you're doing the right thing.

Speaker 2:

But this is a huge step. I did hear of a case whereby a company got their I think they went with their gold certification. But getting the gold certification, they managed to not increase the price of their cyber insurance, but they've got double or more coverage. Yeah, so that was really useful. So the director was like, well, that paid for itself.

Speaker 1:

Well, that's definitely a good example there. And do you think bringing this certification in and making it so easy it's obviously going to push a lot more people along to you know, take cybersecurity seriously and look at putting it in place for their business. So is that what's sort of behind the initiative, do you think?

Speaker 2:

Absolutely. Like when I say we, we in the industry of cybersecurity, know that a lot of this is not, I keep saying it's like not taken seriously, or it doesn't feel like it's taken seriously, right, and it's not about the seriousness of it. It's again priorities, right. So if, as a company director, I'm trying to run my business, I've got so many things I'm concerned about, you know, whether it's, you know, paying salaries, and then the BAS and this and accounts, and there's too many things to think about. So the idea is to make this as simple as possible. So it is important, like as a director, I'd be like, I understand it's important, but where do I put it in the time, right, and then also resources. So there's a couple of challenges around this, right. Priority is a challenge, like, and where SMB comes in is, okay, it's made really simple. Dashboard, steps, tick, tick, tick, tick, click, print.

Speaker 2:

Prints off the letter. Sign it. So it's a very simple process that we can go through to get there, and each one just builds on that next level. So, okay, you've already got this in place, right, we move to the next bits that we need to get in place. So resources is another one, right? So money, it's not terribly expensive, that's important. So you know, we're paying $95 for Bronze, I think it's $195 for Silver.

Speaker 2:

$395 for Gold, something like that, per year. And then, yes, that's not paying for your firewall, and if you need to replace that, I get that. But the idea again, then, is keeping everybody on a level. You know, I don't need, you know, application control at a Silver or Gold level as an example, so I don't have my MSP trying to sell me that either. Yes, that's true. So I'm trying to keep that as a cost reduced so I meet the requirements and I'm getting real benefits, because there's a bunch of security professionals in the industry that have come together to actually design what those controls are.

Speaker 2:

So they've taken the controls that are really, really important and significant and make an impact to a small business. So you know, those six things, those 14 things, those 20-something things are very, very specific, that help a lot, and they aligned with like an ISO 27000 standard as well. So when I do grow and I go, actually I'm going to go with my ISO 27001 stat, I've got a bunch of controls already ticked off because they're in line already. So everything feeds in, it's all aligned, it's not random stuff, and quite often what happens is, even if an SMB does have some cybersecurity, it feels pretty random, there's no coherence to it. Okay, have you thought about account protection, client data protection, processes, training? There's very specific things, and this has been designed to tick all of those things without you having to think about it. It's go in, run through the steps and you know that there's... I don't have to do the thinking. The intelligence has already been put behind it and I just have to follow through to get benefits out of it.

Speaker 1:

I mean for SMBs. There's really no excuse now is there to not have some level of certification.

Speaker 2:

I think it's a great move. We saw it happen in the UK. That happened. And then what actually happened in the UK is they actually moved that certification to then a requirement if that small medium business was providing to the government. So it became a supply chain thing.

Speaker 2:

So I think what you'll see happen in this country is, because cybersecurity is, it's becoming that bane of existence type situation, and it's like trying to stamp it out is, if we get that more awareness and more people come on, the badges start going on the websites, clients are going to start looking, okay, and what's also going to happen is you're going to start to look at your supply chain, which is going to be interesting. So you as a small medium business are going to look at your suppliers and go, you should really be doing this SMB 1001, so I know that you've done the right thing, because if you can't supply, you know, your widgets to me once a month, I can't supply to my customer. It becomes a problem. So there's a potential revenue issue straight up, which I said was number one problem. It's like, if I can't supply my product, I have a problem, and that's because you got ransomware, so it's not even my problem, but now it becomes my problem.

Speaker 2:

Yes, well, that's it. So that's where that supply chain becomes super important and that is what I think is going to start to happen. People are going to go back down the chain going, hey, can we look at certification? And I think most companies will then start getting on board and getting the basics. Because that's what SMB 1001 is. It's the basics of your cyber security.

Speaker 1:

And then just build on that.

Speaker 2:

Absolutely yeah.

Speaker 1:

And so you mentioned that it's annual, like if you just do the Bronze, $95 a year, do you have to go back and do the six steps again, or does that just... you just pay your annual fee and roll over?

Speaker 2:

Yeah, you do, but bear in mind how quick that will be the second year around right.

Speaker 2:

It's like are you talking to your managed service provider? Yes, yeah. Do you have a firewall? Yep, I put that in last year. Do you have endpoint security on your machine? Yep, we've put that in. So it's literally going to be a tick, tick, tick, tick, tick, Unless, of course, the standard changes which it could do. Maybe they'll add in a seventh or an eighth thing. So as cybersecurity moves, that maturity level moves, so maybe there will be one or two extra things, but bear in mind it's still under the bronze, so it's going to be relatively simple.

Speaker 2:

Whatever it is. A good example would be, for instance, putting MFA, multi-factor authentication, on all accounts that need to log in. That's become almost a staple now.

Speaker 1:

Yes, we talk about that a lot.

Speaker 2:

So something could come in like that going oh, this must happen now and then where, like maybe in gold and I'm talking about a random standard. I don't know if there's particular controls in there, so it's just an example. Let's say it said everything's got to have MFA right, but then it doesn't specify what type of MFA, and certain MFAs are stronger than others, right? So getting a text on your mobile phone is weak compared to using a security key as an example. So they might enhance that standard in a year's time to say you now need to use security keys.

Speaker 1:

So it's a good check-in anyway, isn't it?

Speaker 2:

It is absolutely a good check-in. Yeah, at least annually.

Speaker 1:

Yes, for sure, yeah, exactly to go back in and say am I covering myself enough at the basic level?

Speaker 2:

Correct, yeah.

Speaker 1:

And so if people do want to go ahead and check out the certification, we can drop the details into the show notes anyway.

Speaker 2:

Yeah, we'll put the links in there. Yeah, absolutely.

Speaker 1:

Is there anything else that you'd like to add? Or? I mean obviously you're well and truly behind this initiative.

Speaker 2:

Well, like I said, I'd love businesses to be able to do something like an ISO 27001, but it's complicated.

Speaker 1:

Yes.

Speaker 2:

You know, Mercury as a company, we're busy going through our ISO 27001 certification now, so I can tell you how complex it is and how much time it takes. So it's a lot of meetings and lots of things to do to get that in place, lots of evidence, audits and so forth, and most SMBs are not going to be able to do that. So I absolutely welcome something like this coming in, because previous to this, there's lots of different standards out there.

Speaker 2:

So it's like, well, which standard do I pick? And people are going, well, there's Essential 8, there's NIST Cybersecurity Framework. There's a couple of things that they can look at too, and a lot of MSPs try and do a mix of some of them. We've even done that. We'll do a mix of that and go, okay, well, for this business, these things make sense, and that's that kind of expertise that you're paying for.

Speaker 2:

But at the end of the day, there's no kind of standard, right, that you're working towards, and for an SMB, maybe the whole Essential 8, even at, you know, maturity level one, is a step too far, you know, because you would have to have application control as an example.

Speaker 1:

And I think that's where people do get turned off then, don't they? So they're like oh no, it's all too hard, I'm not going to do anything.

Speaker 2:

So invariably what will happen is a business owner will talk to another business owner around a barbecue on the weekend and someone got done you know ransomware or whatever it was and then that story filters around and then Monday morning it's like we need to sort out our cyber security.

Speaker 2:

You start having talks about it and it kind of just goes into the too-hard basket at the end of the day. You know. So if you just had this simple going, hey, you know what, just start here. So it might not be everything you need to start with, but if you start, it's that momentum starts going. You get your executives on board understanding, okay, this is something we need to look at and it's part of our remit, which it is, but it's trying to get that understanding there, and then as well as managers, so you've got to get that buy-in of that entire company moving forward around cyber security. And it's not like it's going to take, you know, all the time in the world. It's kind of just starting, get the basics in and start moving along with it. Well, it's like anything, isn't it?

Speaker 2:

You just got to take those first couple of steps, yep, and then you're on your way. Well, I think that positivity of that one positive step, getting the badge and going, hey, we've done it, cool. Then you know, maybe in six months or a year you go, you know what, let's look at Silver. What does Silver have? And it's a case of like, do we need Silver? Or, you know, do we need Gold? And again, speaking to your MSP, they'll have an understanding, and it's mostly around what data you have, what data you're holding?

Speaker 1:

What's the risk?

Speaker 2:

Yes, Exactly, and then they can advise as well.

Speaker 1:

And once people, like you say, start seeing those certifications popping up on websites and that sort of thing, people will start to consumers will start to be looking out for that and yeah.

Speaker 2:

Agreed, agreed, and yeah, I have spoken to the guys at CyberCert and so forth. It is going international. It's already in Singapore, it's launching in the US. So although it's Australian grown, it's now going global quickly, and it's getting a lot of interest from the government as well. So Department of Home Affairs are looking at it going, okay. So there was even a system, we spoke about it last week, where the government's providing training through Cyber Wardens, and if you go and do the training on Cyber Wardens, they were giving you a Bronze certification for free. So that was just a freebie, like one of the... and I think we'll see a lot more deals like that coming through that.

Speaker 2:

The government's trying to encourage businesses, so for me it's a case of like, geez, just go do some free training, right? Absolutely. Get given a Bronze certification, so you save yourself 95 bucks, and I think it was.

Speaker 2:

Also, if you then go and take that certification on, it got upgraded to a Silver for free, so it's $200 worth, plus the training. It was great. That's a no-brainer really, isn't it? Exactly, so I'd be looking at things like that from the government. I'd be like, the government's definitely behind it and I think there'll be more and more of a push. So for me, for a lot of businesses, it's a case of, well, I would just be getting ahead of the curve and doing it, because I know it's not that complicated. Just jump on, because that's where it's headed.

Speaker 1:

Yeah, Well, thanks for coming along today and explaining all about what it means and how easy it is to obviously implement it into your business. We appreciate that and if people want to reach out to you, LinkedIn.

Speaker 2:

DM. LinkedIn's going to be best. Yeah.

Speaker 1:

Yes, and we will drop that extra information in the show notes so people can go and have a look for themselves.

Speaker 2:

Absolutely.

Speaker 1:

So, no, that's great. Thanks for coming along.

Speaker 2:

Awesome. No problem. Thank you.

Speaker 1:

See you again soon.

Speaker 2:

Will do.
