
March 16, 2025 • 31 mins

In this episode of the Data Revolution podcast, I speak with Jodie Miners about the importance of cybersecurity for small businesses, focusing on the SMB 1001:2025 standard. We discuss the challenges small businesses face in implementing cybersecurity measures, the benefits of achieving certification, and practical steps to enhance data protection. Jodie shares valuable resources available for small businesses to improve their cybersecurity posture and emphasizes the need for data governance and business continuity planning in the face of rising cyber risks.

Links to the items discussed are here https://datarevolution.tech/


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to another episode of the Data Revolution podcast. This is where we explore the intersection

(00:19):
of society, culture, data and technology. This podcast offers insights into the evolving
role of data and AI in shaping our world. I'm your host Kate Carruthers and this time
I will be talking with Jodie Miners. She is a technology generalist who helps small businesses
by building bespoke systems to support their business. But one thing she also specialises

(00:44):
in is cyber security and this is a key part of the systems that a small business needs.
She helps them to make cyber security as much a part of their business as sending an invoice
or creating a new project. Welcome Jodie, it's great to have you on the podcast.

(01:05):
Thank you Kate. I've wanted to be on this podcast for so long.
Well I'm really excited about this topic because this is a small business kind of topic and
it's a cyber topic and that's a bit different to what we've had on so far. So why don't
you explain what we're going to have a chat about?
So we're chatting about SMB 1001, a standard for small businesses in cyber security. So

(01:28):
it's really quite cool. Well, why don't you explain, unpack that
a bit for the listeners, because not everybody is as interested in cyber security as I am.
Yes, so we've previously had things like, you've got the Essential Eight, which is what the
government says that every business should do, but it's a really difficult thing for

(01:52):
small businesses to attain. So some really clever folks in Queensland have got together
and produced a standard which small businesses can go through, all of the steps, and then assess
themselves against each one of the controls and the prerequisites in the standard, and

(02:12):
then get a certification to say they are Bronze level, Silver level or Gold level, or
even higher, but for those three levels the director of a business can self-attest and sign a document
to say we're doing this in our business so therefore we've got this level of cyber security
for our business.

(02:34):
That's good, and it actually sounds as if it is actually achievable by small business, because
I'm really conscious that when talking about the Essential Eight, even at a really large
research university we weren't able to do the Essential Eight, not all of them anyway.
And so with all the other competing things that small businesses have to do and they

(02:55):
have to be everything to everyone, cyber security is probably the last thing on their mind, but
we need to get some cyber security in the mind of small businesses and get them
acting on that. So this framework gives them the step by step. They don't know where to
start, so this framework gives them that step by step thing that they can do to actually

(03:17):
get to the level that they need to.
And that's probably the hardest thing because if you just think about a small business and
I've run a small business, you've run a small business, you're one person who does everything,
so you're the cyber security, you're the finance department, you're the sales department, you're
everything and understanding what you need to do to protect your business's data is

(03:41):
kind of a black box for many people.
So did you want to run through what the key steps are?
Yes certainly.
So as I said, there's three levels that small businesses can self-attest to.
There are two levels that are higher that are externally audited, so the whole thing is

(04:02):
about getting you on a path to where you might want to get to ISO 27001 standard which is
ensuring you have good IT systems in place.
But for the gold, silver and bronze, I've got gold and so I'd like to talk about gold.
So things in that, like having a password manager, having a firewall, making sure you do

(04:32):
secure document destruction, making sure that you've got a privacy policy and you've got
a cyber security policy and you've got an incident response plan, and everything there
in all those steps is 26 controls or 26 steps that you have to follow, and you have to prove

(04:53):
to yourself where you sign this document that you have done these steps.
So for me it was, I had done most of them, but I needed to get my backups more comprehensive
across all of my systems.
I didn't have my Gmail backed up so my Google workspace.
So now I've got my Google workspace backed up.

(05:14):
For me I needed to ensure that I wasn't logged into my computer as an admin and into my Google
as an admin.
So I've now got Google as a regular user and that's what I log into but I don't have administrative
controls on that account so I have to log in as a separate account for admin.

(05:37):
So there's just all these really good, really sensible, pretty easy to attain controls for
the small business to do.
Can you just outline what are some of the benefits to a business from doing this?
Self-attesting's not very interesting, but there's my dog running across the background.

(06:03):
But some of the benefits that will improve data protection for the business.
So anything that you do like multi-factor authentication is a really key thing for any
business systems that you have.
So you take for example your Google account, your Outlook account to ensure you've got
multi-factor authentication on it so that if it is accessed externally there is at least

(06:30):
a prompt that you'll get to say, hey I didn't actually authorise that and say no when the
prompt comes up.
So that's one good way of protecting your data.
And one of the things about the SMB 1001 is it's probably going to become, the push is
to get it to become part of your supply chain risk for a larger business who,

(06:54):
it works with small businesses to have, to work with their data.
Like I'd work with larger businesses and I'd work with their data.
So it's ensuring that those, their clients, their contractors have this SMB 1001, so they

(07:15):
know that they've got at least a basic level of security so that their data is protected.
So I think we'll see a lot more now that larger businesses will say, okay, to contract
with us you need to get the SMB 1001.
And I think it's not just an Australian standard, it is a global standard.
So it's, you know, rolled out now in Australia, New Zealand, and it's heading towards

(07:40):
the UK and the US, and of course some of the Pacific nations are also taking it up at the
moment.
That's really interesting.
So it will become a de facto standard so it could be an actual benefit for companies
that are wanting to get contracts and may become mandatory.
Yes, that's right.
I would love to see it become much more pushed for small businesses to do this, because it

(08:07):
doesn't have the overhead, the cost and the level of detail required for ISO 27001.
Most small businesses don't need to get to ISO 27001, and it's just a bit too
much on their shoulders to do that.
So this is a really good, this is like you're not doing nothing.

(08:29):
You are doing, you are saying, signing a declaration to say that you as your business are doing
these things.
But what it also does is puts that onus back on the director of the business because they're
the one has to sign this.
So under the new ASIC, you know, push to get directors much more responsible for this and
boards much more responsible.
And you've talked about this in your last couple of podcasts about getting the board

(08:53):
on side and getting directors on side.
It really hones into that area that directors need to be a part of this process.
That's a really good point.
So, you know, so the directors will need to understand this process and understand what
they're certifying.
And then the other thing is that larger enterprises will be able to adopt this as part of their

(09:18):
procurement standards.
So it'll be, it'll be reducing their third party risk.
So I think it'll be really good for smaller businesses.
Yeah.
And the great thing about the standard is you have to reattest every single year, but it's also
what they call a dynamic standard.
So there is, you know, a board of about 15 people from all areas of industry

(09:41):
in Australia that are running this standard and updating the standard each year.
So this year there was one additional control put on. I got mine sort of earlier
in the year.
And so next year when I sign, I have to, well, this year when I sign it again, I have to
ensure that I met that other control.
Oh, what's the other control?
The one that was added in is ensuring that you have a VPN if you use any computer over

(10:08):
remote desktop protocol.
All right.
Oh, the thought that people are RDPing in just still makes my blood run cold.
Yes.
Yes.
Yes.
I live in a world of cloud only.
So for me to RDP into a server is very, very unusual.
Yeah.

(10:28):
But, you know, the fact that there are people out there not understanding that how important
it is to use a VPN for that sort of thing is a really good thing.
So having this kind of checklist approach is really, really powerful.
Yeah.
Yeah.
So, yeah, it's excellent.
So for me, I did, I went through the process myself.
And so as I said, there was the benefit for me was to be able to sleep at night because

(10:53):
I sort of thought I was doing things right, but you just, you know, you just not 100%
sure and there's things you can definitely do better.
Like the admin on the PC, you know, you cringed when I said that.
No, no, because, you know, we all log on as local admins.
And I mean, I've resisted for so long, but now that I've done it and realised,

(11:15):
I think it's not too bad.
It's actually so much more comfortable because the thing is, I know that I am going to click
on a link in an email.
Right.
So there's no training that can happen to me that will stop me from clicking on a link
in email because like other small businesses, I work really fast.
I, you know, I'm just doing things and just, you know, doing things a bit more, sort of

(11:39):
on autopilot.
So I know that I'm going to click on a link, right?
So the thing for me is, even once I got the SMB 1001, it wasn't quite enough.
So I've got an extra, what they call an endpoint detection and response software.
So it will double check that, if I click on a link, it won't do anything malicious

(12:01):
on my computer, but the fact is that I'm not logged in as admin now, so I know that
my computer won't, you know, inadvertently install something.
So that's actually really good.
So it's these really low level things, easy to fix things. You know, we
don't need small businesses running a SIEM.
Or we don't need small businesses, you know, installing the latest, you know, big technology

(12:26):
thing that many small businesses are offered, as in "give me one cybersecurity please, sir".
And they offer these lots of different software.
We've got to start from the people and the processes within the business first before
we tackle the technology.
But there are some technology components to the SMB 1001, including things like the

(12:50):
backup.
Yeah.
And things like the password manager, which a lot of people don't realize, you know, you
can, you can start off for free.
There are open source password managers, and there are really affordable open source
options that people can use, things like Bitwarden, which even for an enterprise is quite affordable.

(13:10):
So these things don't have to cost the world and you can really secure your assets much
more effectively.
Yeah.
And then, you know, you may not need to go to a full single sign-on option.
You might have a password manager where you only give out the ability to log in to your
staff without them seeing the passwords and things.

(13:33):
And one of the other controls in the gold level is not sharing logins, too.
Oh yeah.
That's so important.
The amount of that that happens out there in the world, people don't realize, but even
in really large organizations, people just log in as their boss to approve something.
That's right.
Yes.
So pernicious.

(13:54):
There's no audit trail and that for the data protection side of things is just so critical
that, you know, you've got an audit trail of who was logged in when and so that you can,
you know, something happens.
It's a cover your ass type of situation, you know.
So again, that's where I come back to it.
That allows me to sleep better at night.

(14:14):
I know that I've got these really basics covered and, you know, it's just such a weight of
my mind.
But the other thing is I've actually got to maintain all of this.
I've got to ensure my backups have been maintained.
I've got to ensure that I don't install anything, you know, untoward on my computer.
So what I want to ensure is that people in small businesses have it as a business

(14:37):
as usual thing.
Right.
So my business is in technology, so it's easy for me to get this as business as usual.
And so I understand that it's going to be a bit of an uplift for other small businesses,
but it is actually really achievable.
Well, so one of the interesting questions that pops into my mind is what sort of advice
would you give to a small business that wants to start out?

(15:00):
We'll share links to the standard and stuff in the show notes.
But what sort of advice would you give to people who want to just start out with this
journey?
Yeah.
So the great thing is there's some such great free resources out there.
And I've actually done a guide for DIY Small Business Cybersecurity, so that if you are

(15:21):
really interested and you want to actually just start this process yourself with no cost,
because there are some costs involved in getting gold level certification, because it's got
backup and it's got a password manager, et cetera.
But to get the bronze level, the very first basic thing to say you're on this journey,
there's really no costs involved.
One of the things is you have to have a trusted advisor for your organization, like someone

(15:46):
who knows something about IT.
So this is not your uncle's brother's son's thing, who is a bit clueless with technology,
who has set up your EFTPOS machine.
This is actually having someone who can guide you through.
And that can be something like me or it can be an MSP or any of your regular IT providers.

(16:09):
So in having that, then we just want to make it as simple as possible.
So in my guide for DIY, there are great government resources through the Australian Cyber Security
Centre, where they've really got a whole section focused on small business and excellent resources.
Then there's IDCARE, which is a program that is now government funded, where a small

(16:36):
business can do a questionnaire and then get an hour with a cybersecurity expert to let
them know what are the things that they need to be doing in their business.
Now, even for a business like mine, they told me things that I could possibly be doing to
really enhance my cybersecurity.
And you're even working in the cyber security space.

(16:57):
So if it even helped you with your small business, yeah, so that's a great free resource.
It was a great, excellent resource and the fact that it's free and just gives you that
comfort that you're on the right track and that you've got it.
And then there's some excellent training that is also free and also government funded.
It's through COSBOA, the Council of Small Business Organisations Australia, and it's called Cyber

(17:20):
Wardens.
So of course, one of the key features, one of the controls of the SMB 1001, is to have
training for all of your staff.
So the training is not something you have to buy, not something you have to go out there
and sign up to a plan that you get people who are giving you emails every month to say,
watch this five minute training.

(17:41):
There is this free tool that really helps small businesses.
Just getting over the basics.
It's pretty basic training, but it just really helps with those basics.
Well, it's so many small business people, they've never had training, their staff have
never had training.
So that will make a real difference.
And you mentioned the Australian Cyber Security Centre.
They've really stepped up their efforts to start to reach out to, they used to basically

(18:07):
deal with the big end of town.
Now they're reaching out to small business, which is really pleasing to see.
And also even individuals, because even part of their small business stuff is your individual
security because so many small business and even larger businesses, but so many people
are working from home.
So what about your home network?
Are there really teenagers coming and playing Minecraft in your home and plugging things

(18:30):
into your Wi-Fi?
So we've got it also as a small business owner, we're also going to think about where our
staff are and what their home stuff is.
So there's excellent resources on personal security on that.
And there's excellent resources for small business.
And the thing is, if there's anything that you don't understand after reading those resources

(18:58):
from the Australian Cyber Security Centre, then come and talk to someone like me.
And just don't let that be a thing that stops you from doing anything because you say, I
don't understand, it's all too hard.
So there are people there that can help.
We can work out a program to guide you through this process.

(19:19):
So you've got do it yourself or come and get some help and do a guided process.
One of the really important things for people to understand is the option to just do nothing
now has gone away because everybody is vulnerable.
And it used to be, you'd be in your shop running your small business in your shop.

(19:42):
But now increasingly, your shop is not just your shop.
Your shop is an online shop, so there are people doing fulfillment from other locations.
So we've got people everywhere working in our businesses now.
And so we've got real cyber and information security risk emerging.
So even small businesses that might not realise they've got all this cyber risk now do.

(20:06):
And it's things like ransomware.
So if your data got ransomware, do you have a backup that's not on the same network as
that ransomware because otherwise you might lose all your customer data?
Yeah.
And what happens if your shopping cart software gets compromised?
What happens if you can't access your shopping cart software?

(20:29):
How is it going to impact your business continuity?
One of my clients just went jet skiing one day and lost his phone off the back of the
jet ski.
Oh my God.
And then he couldn't make payroll that week because his MFA codes for his bank were on
his phone only.
So we've got to think about all of these things that may happen.

(20:51):
You know, if you're living in Brisbane or Queensland at the moment, you know about the
risk because you've got a big cyclone coming down on you.
So it's exactly like that.
Like five years ago, we would never have thought that a major cyclone could cross over Brisbane
and the Gold Coast, but it's there now.

(21:15):
So we think about the way cybersecurity was.
Years ago, you'd have this thought that I'm too small,
no one wants to get my stuff, or security through obscurity.
And we just can't do that anymore.
And the thing is, it's not a huge cost.
It's not a huge technical uplift.

(21:37):
There are some just really basic simple things that you can do that will become business
as usual.
Yeah.
And need to become business as usual.
So, you know, I do encourage people go and get password managers.
I was literally talking to a friend the other day and they had written down the password
wrong and they pulled out a paper book and I'm like, no, please don't do that.

(21:58):
Look, a paper book is fine.
Like, you know, my mum had things written down on paper because she had dementia.
Now, that's fine for that thing because the risk is low, right?
But not for your business systems that holds your client data.
Yeah.
Yeah.
And, you know, like the example of that guy that lost his phone, in your password manager,

(22:18):
you can save your backup codes.
Yes, that's right.
Yes.
So that if you've lost your phone, you can just log on another device, use one of your
backup codes to approve payroll.
Yes.
And you know, I completely dropped and shattered my phone
whilst I was at the Tate Modern in London, visiting there one day.
And funnily enough, I happened to have my backup phone in my bag.

(22:40):
But so I had no password manager, no ticket to get back on the train, no nothing.
And so I just had to sit there at the Tate Modern sort of re-setting up my, all of my
passwords and access on my backup phone.
Yeah.
Yeah.
And trying to do that from scratch would, imagine doing that for your business.
That would be very stressful.
Exactly.

(23:00):
So like the business continuity part of it is just so important.
Just like every single aspect of your business, what happens if you can't do it, you know?
So even to the point of I have my will set up.
So what happens when I die and my business gets wound down?
Now people don't like to think about this, but it's so important because you can't leave

(23:22):
anyone else just to sort of like muddle their way through and find out, you know, where's
the password to the email server in the back shed, you know?
It's really important.
Yeah.
And that's something people might not have joined up from, you know, we're talking about
a security standard, a cyber security standard, but it really does have real implications

(23:48):
for business continuity.
So you know, all of those practices like backups offsite and stuff will be really helpful
for the people in Brisbane who may well be flooded or the people in poor old Lismore
who may be underwater tomorrow.
Yes.
Yeah.
Yeah.
And something like that, that's sort of where we are confronted with that.

(24:10):
Like my sister had a tree fall down last night on the Gold Coast.
It happened to, it was big enough to fall on the house.
It happened to fall the other way.
So it's, you know, it's just that understanding that risk.
And so she said, gone round today and said she's done a risk assessment on the house
and all the other trees and she should be right.
So it's understanding that level of risk that we've got, right?

(24:33):
And those levels of risks have risen, whether it be from climate change, whether it be from
any form of cyber incident that may happen.
And the thing is, like I've listened to a podcast recently and it was this hacker guy
and he was just saying about, it doesn't matter.
The thing I got back from it was it doesn't matter.

(24:55):
You're just in the way of this hacker trying to get to this other dude.
You might be a golf buddy, you might be a hairdresser or something of this person that
they're trying to get to.
And you're just in the way.
So you'll be taken over and you will be compromised.
And they don't care about you.
You are no consequence to them or the people doing, you know, just spraying out passwords

(25:20):
that have been compromised and trying to take over anything, anything they get a hit on.
So it's not about you.
You don't matter.
Right?
So you've got to be ahead of the game in this.
You've got to be part of this process now.
I think you just touched on a really important point because it's not personal.

(25:40):
But these people, the people that do these attacks, they used to rob banks because that
was the easy thing for them to do.
Now they can sit in their jammies in their mother's basement and just do drive-bys of,
you know, stealing passwords, trying to manage.
If you don't have things like multi-factor authentication turned on, you've got no protection
against them.
And it's not personal.

(26:01):
They just want their money or the next target that they're trying to get.
So you said the very first thing, one of the things, would be a password manager. For me, the
very first thing is multi-factor authentication.
But actually, even before you can do multi-factor authentication, you've got to know about your
data.
You've got to know what data is.
And you can start this as just saying exactly.

(26:23):
Data governance.
Yay.
I can say I'm your podcast all of the time.
So I just got to bring it back to data all the time.
I'm sorry.
I can't say data.
Sorry.
You say data.
I say data.
I say data.
Anyway, I've just spent too much time working for American corporations, I think.
I've been brainwashed.

(26:45):
But no, I'm delighted to hear data governance get a guernsey, because it's so fundamental
to this whole project.
And it's a big scary term, but it just means knowing your data.
Yeah, it just means knowing where your data is, knowing what applications you're using.
And knowing, like, it could be something as simple as you've created a beautiful presentation
to the board in Canva.

(27:06):
And it's got all of your secrets for what's coming up in the next few years, you know,
or in Google Slides or something like that.
So it's not only your customers' name, address, phone number, email that was just hacked in
every single breach that's happened recently.
It's not only that.
It is your business secrets, your business plans, anything that can affect your business

(27:28):
continuity that could be a problem.
So, you know, and we just, we just spin up so many apps.
I'm bad at this.
I'm, I do this.
We spin up so many apps and tried so many apps.
And so that was one of the things that I had to do.
And so like, okay, I need to get, you know, close this app down, close this app down.
I need to get rid of the three different backup devices that I have.

(27:52):
And I only have one good backup device because I've got to keep them updated.
So I've got to make sure I log into the backup device very often and make sure that it's
updated and have auto updates turned on.
Testing your backups.
So I got caught one time when I was an IT manager and we lost every Exchange server around

(28:12):
the country in every state.
And when I went back to the backups, the earliest backup we could get was six months old because
the guy that was doing the backups wasn't testing them.
And that I was pretty new at that job.
And it was just like, give me a reason why I shouldn't fire you.
And he said, I haven't got one.
So he got fired.
But it was literally the first time I was like, what do you mean you weren't testing

(28:35):
the backups?
But I think you checked that they were working.
And you know, for a small business, that's a really sort of, you know, hard thing to
do, that it's like, okay, I've got to rely on having backups.
So for me, it's like I would get onto my backup system and at least download a few things
occasionally.
I wouldn't test to do a full.
No, no, no, you just need to see if you can get stuff out of it.

(28:58):
Yeah.
So, yeah.
And, you know, the thing is people, especially small businesses rely on the email so much.
So having your email backed up is just so important.
And I just think there's a sort of misconception out there that if you've got a cloud server,
it's backed up.
Now, the thing is, it's backed up from their point of view.

(29:21):
So if they fall down, they can restore your data to some point, but it's not backed up
from your point of view.
If you do something with your data, if you delete your data, if you have your end compromised
and your data is missing, it's not backed up from your point of view.
So you've got to have a backup, even though it's a cloud software.

(29:41):
Yeah.
And, you know, some people have like a decades worth of emails in there that they rely on
to run their business.
So that's a really important point.
Yeah, absolutely.
So for me, paying that, it's only about $150 a year, but paying that extra bit of
money to have that backup software on my Gmail, my Google Workspace, on my CRM system,

(30:08):
on my other things, that was just really important for me.
Yeah.
Many years ago, I worked in government and we did some business continuity planning.
And one of the things we realized was that our core system wasn't our most important
system.
The system we needed brought up overnight if we lost it was email, because we would send
out one big billing run a year and then people would pay us.

(30:32):
And so the thing that we needed to be able to do was communicate with people.
And if we didn't have email, we couldn't keep that money flowing in.
So that was a really big eye-opener and nobody in the organization wanted to believe us.
They were like, oh, we surely need this core system brought up.
And they were like, what, what you mean email?
And I was like, no, if the core system goes down the day we're sending out the invoices

(30:54):
once a year, we need it.
But apart from that, we need email.
Yeah.
It's like at the Gold Coast at the moment, the NBN's down.
Oh, right.
The NBN is meant to have your backup batteries and things like that, but it's not a power
issue.
So...
Is it underwater?
I don't know.
So it's like, I think, again, these are the questions asked after the Lismore issue.

(31:18):
We need to ask these questions again because, you know, that was one thing, how people make
phone calls if the NBN's down.
So...
Yeah, yeah.
Well, some really interesting questions.
But thank you, Jodie.
This was a really helpful session and first one for our small business community.
So I hope people will find it helpful.
Thanks for being here.

(31:38):
No problem.
Thank you.