Understanding Cyber Security Compliance for Small Businesses

Small and micro businesses have been reaching out to cyber security providers like Cynch in increasing numbers as clauses like the one above have crept into contracts with larger organisations. The increased focus on cyber security in government departments and large corporates is finally flowing into an unprepared small business supply chain. For smaller operators hit with questions, a poor response could mean the end of a contract foundational to the future of their business.

At Cynch, we prefer to think of security compliance as a benefit of Cyber Fitness. However, increasingly we’re finding compliance is a key outcome for many of our small business members. For a business not facing an urgent compliance requirement, a Cynch membership is the perfect way to mature your security without having to invest a fortune or turn yourself into a security expert. For those already feeling the pressure from their customers, continue to evolve a number of offerings to support your needs.

Cyber Security Standard Acronym Soup

A business wading into cyber security compliance for the first time will encounter a confusing array of terms and acronyms. While you don’t need to be an expert in these standards to secure your business, it can be useful to have a high level understanding of each of them to figure out your responses.

ISO 27001: International Organization for Standardization

The most common security standard referenced in Australia is the International Organization for Standardization’s imaginatively named "Information technology — Security techniques — Information security management systems — Requirements" – which is mercifully just known as ISO 27001.

The standard provides guidance across a number of areas:

• Organisational context and stakeholders

• Information security leadership and high-level support for policy

• Planning an information security management system; risk assessment; risk treatment

• Supporting an information security management system

• Making an information security management system operational

• Reviewing the system's performance

• Corrective action

There is a comprehensive “Annex” in the standard that lists 114 security controls and their objectives. These controls are then covered in painstaking detail in a complementary ISO 27002 standard. ISO 27001 certification can be a long, drawn out process – not for the faint hearted. If you’ve been asked to become ISO 27001 certified it is strongly recommended that you speak to an expert in this space to understand what will be involved for your business.

ISM: Information Security Manual

The slightly more creatively titled, Information Security Manual (ISM), is a massive reference document that is based on the experience of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). The purpose of the ISM is to assist organisations in using their risk management framework to protect their information and systems from cyber threats, and details every security measure an organisation must take to work with classified information from the Australian government. Comprising hundreds of highly specific security requirements, the ISM is a daunting document to tackle and not something most small businesses would be expected to follow.

It is possible to be accredited against the ISM by completing an Information Security Registered Assessors Program (IRAP) assessment. An IRAP assessment is performed by specialist assessors endorsed by ASD, and can make an ISO 27001 assessment feel like a walk in the park. Larger technology providers are gaining IRAP accreditation in order to better angle themselves for government contracts. For smaller businesses, adopting solutions from those large providers can give you the benefit of the stringent security that this process demands without the need to fully align to the ISM yourself.

Essential Eight

The eight security controls that make up the Essential Eight are based on requirements from the ISM but prioritised over all others due to their proven effectiveness in ‘mitigating’ security incidents. When the Essential Eight was released in 2017, they were said to be able to stop pretty much any targeted attack on an organisation when “properly implemented”. Of course, correctly implementing these eight controls involves quite a bit of technical effort.

For most businesses, the Essential Eight is a fantastic place to start when looking to mature the technical aspects of their cyber security. There are a number of quick wins that businesses can achieve without a huge investment, like introducing multi-factor authentication, and checking that backups are set up as per the guidance.

APPs: Australian Privacy Principles

Any Australian business that handles information about individuals needs to be thinking about the potential harm that could be caused if that information fell into the wrong hands. The Office of the Australian Information Commissioner (OAIC) is responsible for the privacy of Australians and has the authority to issue fines and penalties to organisations that don’t take appropriate measures to protect the information they collect.

To help us do the right thing, OAIC maintains a list of Australian Privacy Principles (APPs). Understanding these principles is worthwhile for all businesses – adopting them will minimise the risk of the personal information you collect causing harm to you and your customers.

The other critical area of privacy legislation that all Australian businesses should be aware of is the Notifiable Data Breaches (NDB) scheme. This is the obligation for organisations to notify the OAIC and the affected individuals when a data breach is likely to result in serious harm to an individual whose personal information is involved. While very small businesses are exempt, following the guidelines will help anyone dealing with a data breach to reduce harm to those impacted. It may also help to reduce the damage to your reputation that could follow.

NIST CSF: National Institute of Standards and Technology Cyber Security Framework

The U.S. National Institute of Standards and Technology (NIST) maintains a set of guidelines known as the Cyber Security Framework (CSF). While less prescriptive than the ISM and ISO 27001, it is still quite a broad set of recommendations that most businesses struggle to fully adopt. Fortunately, the NIST CSF guideline is designed to be used as needed, providing high level guidance on how to approach security rather than specifics of what should be done. While you can’t be certified as NIST CSF compliant, its international recognition means aligning to the framework can be useful.

Straightforward information security assurance

There are countless security guidelines, frameworks, standards and accreditations out there for businesses, however by now you’ve likely determined that each has a different purpose and would take significant effort to adopt. Unfortunately all of these frameworks were designed with large business and government agencies in mind, leaving them impenetrable to most small businesses.

Until the need arises for your business (i.e. a key customer demands it) cyber security accreditation shouldn’t be your goal. Instead, focus on keeping your business safe and building resilience by establishing a culture of cyber fitness. Sign up with Cynch and you can start to identify the key cyber risks to your business and incrementally address them as your budget and schedule allows.

When you’re ready to become accredited, all the progress you’ve already made in building cyber fitness will make the process that much easier and quicker.

If you’re interested in learning about how Cynch Cyber Fitness can get your business on track for your certification of choice, reach out for a chat.