CSCAU updates cyber security standard for SMBs to fight threats
Cyber Security Certification Australia (CSCAU) has announced the release of the first update to its dynamic cyber security certification standard, SMB1001:2025. The standard, initially introduced in 2023, has been specifically designed for small and medium-sized businesses (SMBs) and aims to protect against evolving cyber threats.
The updated standard will be reviewed annually to ensure it remains relevant in the face of new and emerging cyber threats. CSCAU co-founder and CEO Peter Maynard, said, "We can't have a set-and-forget approach to cyber security standards. The cyber security landscape is evolving constantly, and updating the certification standard annually is critical so businesses can certify, or vaccinate, against the latest threats."
The dynamic nature of the standard is intended to provide businesses and organisations with the agility and resilience required to adapt to new risks while integrating the latest technologies. According to Mr Maynard, "This is necessary to ensure all businesses—not just large enterprises—are protected. This, in turn, builds cyber defences across the business ecosystem and supply chain."
The development of the updated standard was overseen by CSCAU's Industry Steering Committee, which includes experts from both the public and private sectors. It received approval from the Standards and Certification Oversight Board. Throughout the year, the Steering Committee reviews the latest threat landscape and proposes updates that are easy for the diverse range of SMBs to adopt.
Professor Ryan Ko, co-founder of CSCAU, highlighted some of the key updates to the standard. "These refinements include the addition of definitions and a new control that encourages SMBs certifying to Levels 3, 4 and 5 to ensure that remote desktop protocol (RDP) is enabled only over virtual private network connections. According to the Steering Committee experts, this simple step helps to reduce the risks of SMEs experiencing unauthorised access and data breaches."
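The RDP control described above is stated as a requirement, not a procedure. As an added illustration that is not CSCAU's code and not part of the SMB1001 standard, the following PowerShell shows one way a Windows administrator could enforce it with Windows Defender Firewall: disable the built-in Remote Desktop rules (which accept port 3389 from any address), allow 3389 only from the VPN client address range, and then audit which enabled inbound rules still allow 3389 and from where. The VPN client pool `10.8.0.0/24` is a hypothetical value to be replaced with the real one. Step 3 (requiring Network Level Authentication) goes beyond the control the standard describes and is included as a common companion hardening step.

```powershell
# Added example, not from CSCAU or SMB1001. Run in an elevated PowerShell session
# on the Windows host that accepts RDP.
# Assumption (hypothetical): the VPN assigns client addresses from 10.8.0.0/24.
$VpnClientSubnet = '10.8.0.0/24'

# 1. Disable the built-in "Remote Desktop" rule group. Those rules allow
#    TCP/UDP 3389 from any remote address, which is what the control forbids.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Allow RDP (TCP and UDP 3389) only from VPN client addresses, on every profile.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP $proto (VPN clients only)" `
        -Direction Inbound -Protocol $proto -LocalPort 3389 `
        -RemoteAddress $VpnClientSubnet -Action Allow -Profile Any | Out-Null
}

# 3. (Beyond the stated control) Require Network Level Authentication so a
#    client must authenticate before a desktop session is created.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 4. Check: list every enabled inbound Allow rule for port 3389 together with
#    its remote address scope. A rule whose RemoteAddress is 'Any' is a finding.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $rule   = $_
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $scoped = -not ($remote -contains 'Any')
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Protocol      = ($rule | Get-NetFirewallPortFilter).Protocol
            RemoteAddress = ($remote -join ',')
            Status        = if ($scoped) { 'scoped' } else { 'FINDING: 3389 reachable from any address' }
        }
    } | Format-Table -AutoSize
```

Two caveats a practitioner would add. First, once RDP is reachable only from VPN clients, the VPN becomes the control point, so the VPN account itself needs strong authentication (multi-factor, at minimum) or the restriction only moves the exposure. Second, enabling Remote Desktop through the Windows Settings UI re-enables the built-in rule group, so the audit in step 4 should be re-run after any such change, and an external check that port 3389 is not reachable from the internet-facing address is worth keeping as a recurring test.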
The updated standard encourages SMBs to take a more proactive approach to mitigating risks associated with data breaches and business email compromises. It also prepares SMBs for forthcoming changes to the Privacy Act. Professor Ko emphasised the agility of CSCAU's process, stating, "Our streamlined process allows us to publish updated standards each year and be responsive to emerging threats. By comparison, traditional standards development is relatively slow and can take close to three years at a national level and almost six years for international standards."
Professor Ko also pointed out the value of the updated standard for SMBs. "The updates allow resource-constrained SMBs to keep up to date and align to multiple standards and frameworks around the world, including the ACSC's Essential Eight, UK Cyber Essentials and the US DoD's CMMC, at an affordable price without needing to be standards experts or governance, risk and compliance specialists."
The Australian Cyber Security Centre's Small Business Survey revealed that 62% of SMBs have experienced a cyber security incident. The survey identified key barriers to implementing good cyber security practices, including a lack of dedicated staff and difficulty in identifying cyber risks.
Mr Maynard also commented on the challenges faced by SMBs in enhancing their cyber security measures. "SMBs are often targets of cyber attacks, but they have limited resources and expertise to draw on to improve their adoption of cyber security," he said. "The CSCAU's dynamic standards are tailored to the needs and capacities of SMBs. They provide a clear pathway for SMBs to build cyber resilience and strengthen their cyber security practices to protect data, ensure business continuity and build trust with partners and customers."
The updated standard, SMB1001:2025, will be officially published on 1 September 2024.