Proactive Approach to IT Security
Aligning to a Recognised Security Framework Standard
To establish a measurable overall security baseline, it has become the norm for businesses to align against a recognised international standard. This is known as a “Security Framework.”
There are many Frameworks out there, such as CIS Controls, NIST CSF, Essential 8, SMB 1001 and ISO 27001. The idea is that by doing everything they suggest and ticking every box, you improve your overall security posture and company compliance in a way that is measurable and reportable.
The problem is that these frameworks are designed for, and applied to, large worldwide companies with dedicated internal IT teams who must do this by law or to meet compliance standards within their industries. For example, the health industry in America must comply with HIPAA. Such strict, global standards are often not scalable, practical or budget-friendly to implement for smaller businesses.
If you take a hard line and truly follow them to the letter, they can be restrictive and counter-productive. You will end up with frustrated users who simply want to do something simple, such as urgently install an app, but have to wait for IT to approve it and eventually roll it out onto their device.
Speaking of IT, many IT companies tap into the international IT security rhetoric and take a hardline stance in their advice. They will insist that unless you fully comply with everything in their preferred Framework, you will be putting yourself at risk. This will be backed up with scare stories and fear tactics. None of the information they present will be in layman's terms; it will be a shopping list of incomprehensible ingredients! And even if you ticked every box, your safety still could not be guaranteed!
This might be fine for international enterprises that have the budgets to protect absolutely everything to the maximum. But realistically, some of these Frameworks are often not scalable or even relevant for a smaller SMB. Some areas need more protection than others, and that is how we work with you: we target those areas, then work on a sliding scale to find the right balance between cost and risk so that budgets can be maintained. These standards (tick boxes) come in the format of Gold, Silver and Bronze. Obviously, the more boxes you can tick off, the lower your risk will be. Even aligning to the Bronze standard is often a step up for most SMBs.
According to various specialist cyber insurance companies, the most common Framework for SMBs in Australia and NZ is SMB1001 from Cyber Cert, and it is therefore the preferred Framework to align with. SMB1001 is an IT Security Framework designed specifically for SMBs, as opposed to the more corporate-focused versions. If this is achieved (all boxes ticked), you qualify for a 15% discount on your Cyber Security Insurance Premium!
Due to our own accreditation, Computer Clinic can provide you with an official alignment to the Cyber Cert SMB1001 Framework, which meets all international requirements (and more). But this is far more than just a certification to get an insurance discount: it provides a comprehensive platform designed to fit the unique needs of SMBs. 64% of consumers say they are more likely to do business with companies that demonstrate strong data protection and cybersecurity practices, and this certification is proof of that!
OUTCOME OF ALIGNING TO A SECURITY FRAMEWORK
At the end of working through a Security Framework process, you may wish to tick every box possible. However, please understand that this still does not guarantee your safety - nothing can. But weighing the pros and cons of an internationally recognised framework will provide you with a solid security standard as a measurable baseline. You will be more resilient to threats and will therefore reduce your risk footprint. Once you understand all the different items in the Framework, you will be able to make an informed decision on balancing cost versus risk, to provide the best level of security for your business in the future.
NEXT STEPS - To book your free Security Framework Alignment consultation, or for more information, please contact us here.