
Why the SMB1001 Cyber Security Framework is Making Waves

The digital revolution has brought fantastic opportunities, but it has also widened the attack surface for threats. Nearly half of Australian SMBs have already been targeted by cyberattacks, with the cost of cybercrime averaging between $46,000 and $97,000 for small and medium-sized businesses.

These statistics should serve as a wake-up call, highlighting the urgent need for robust cyber protection!

That’s where cyber security frameworks come in. They provide a structured approach to managing cyber risks, ensuring compliance with industry regulations, and incorporating best practices for IT security.

Of the many frameworks available these days, this article delves into SMB1001 and looks at why it is a game changer for smaller organisations.


An Overview of Cyber Security Frameworks

First, it is important to understand that cyber security frameworks provide a common language and methodology for discussing and managing risks. They aim to safeguard your data, systems, and ultimately, your business’ reputation.

Some of the top cyber security frameworks in Australia are ISO 27001, NIST, CIS Controls and the Essential Eight (E8).

The E8 is backed by the Australian Government, which developed it through the ACSC back in 2017 to help businesses mitigate cyber threats. While it is not mandatory for private businesses, it is strongly recommended.

After 7 years, we’re able to look back and see that these traditional frameworks present challenges for smaller organisations, which are looking for something less complex, less resource-intensive to implement, and more flexible to suit their needs.

SMB1001: A Clear Path to Cyber Maturity

Cyber Security Certification Australia (CSCAU) developed SMB1001 to fill the gap in cyber security certification for SMBs.

It addresses the unique challenges faced by SMBs in implementing effective cyber security measures without the complexity and high costs associated with larger, more comprehensive frameworks.

It covers essential security practices across various areas such as incident response, risk management, and employee training, which are often overlooked by simpler frameworks like the Essential Eight.

So, what makes SMB1001 work?

The framework’s certification process is straightforward, practical, and built around five areas of focus:

  • Technology Management – This pillar focuses on managing and securing the technology infrastructure, including hardware, software, and networks. It involves implementing security controls such as firewalls, antivirus software, and intrusion detection systems to protect against cyber threats. Regular updates and patch management are also essential to ensure that all systems are protected against known vulnerabilities.
  • Access Management – This involves controlling and monitoring access to information systems and data. It includes implementing strong authentication mechanisms, such as multi-factor authentication, to ensure that only authorised individuals have access to sensitive information. Access controls should be regularly reviewed and updated to reflect changes in personnel and roles within the organisation.
  • Backup & Recovery – Regular data backups and having a robust recovery plan in place is important. It ensures that data can be restored in the event of a cyber incident, such as a ransomware attack. A well-defined recovery plan helps minimise downtime and ensures business continuity by outlining the steps to be taken to restore systems and data.
  • Policies, Plans, & Procedures – This involves developing and implementing comprehensive cybersecurity policies, plans, and procedures. These documents provide guidelines for the organisation’s security practices and response to cyber threats. They should cover areas such as incident response, data protection, and employee responsibilities. Regular reviews and updates are necessary to ensure that the policies remain effective and relevant.
  • Education & Training – The SMB1001 framework is designed to be clear, concise, and accessible even for those without a deep technical background. This approach can empower your non-technical staff to take ownership of your cyber security posture. Everybody, at all levels, gets the chance to contribute to keeping the organisation protected. The responsibility of cyber security involves the entire organisation:
    • Employees, by following best practices like not opening suspicious emails, using strong passwords, and regularly updating their software.
    • Managers, by allocating resources for cyber security training and tools.
    • Executives, by prioritising cyber security at a strategic level.

SMB1001 vs. The Essential Eight

Both frameworks share the same goal, enhancing cyber resilience, but SMB1001 provides a more accessible entry point for businesses of all sizes. It also covers more of the key practice areas that support a robust security program.

By contrast, the E8 requirements are more technical and complex to comprehend, often leaving small business owners confused and not confident enough to continue building out their security posture.

Take Action with a Reliable Partner

ADITS’ cyber security solution, CyberShield, is built around the essential security controls outlined by SMB1001:23 Silver Tier 2. Take control of your cyber security today, with expert guidance. ADITS can help your business through comprehensive cyber security services in Brisbane and Townsville.


With data becoming an invaluable asset and rules regarding its protection becoming stricter, we have enhanced our offerings with CyberShield+, an advanced cyber security solution for businesses. It includes everything from CyberShield, plus a cyber security awareness program through uSecure and compliance with the mandatory Privacy Act.


A Deep Dive into Australia’s AI Ethics Principles

“Ethics [in AI] is not just about getting the right answer – it demands that we are answerable to others, that we explain ourselves to them, that we listen to their response. It demands that we continue to question if our ethical decisions are right.”

Paula Boddington, author of Towards a Code of Ethics for Artificial Intelligence


Artificial intelligence (AI) is fast transforming our world. It is infiltrating every aspect of our lives, from facial recognition software in airports to mental health chatbots.

As AI keeps growing, so do its opportunities and challenges. Two in three organisations believe AI can boost their productivity, with the World Economic Forum projecting 97 million new jobs due to AI by 2025.

AI can streamline administrative processes in Healthcare, personalise learning experiences in Education, and analyse donor data for Nonprofits. It can assist in areas such as:

  • Inventory management
  • Customer chatbots
  • 24/7 hotlines
  • Meeting management
  • Invoicing
  • Talent recruitment
  • Compliance monitoring
  • Cyber security

Check out our article, 10 Key Opportunities & Implications of AI for Your Business, to explore more AI opportunities that could benefit your business.

With widespread AI use come questions.

“Who’s responsible if AI goes wrong?” Most people (77%) think companies should be held accountable for misuse.

“Do people trust how AI is being utilised?” Only 35% of people globally trust how companies are using it.

This underlines the need for clear rules and ethical guidelines, such as Australia’s AI Ethics Principles, which are essential to building trust.


The AI Ethics Principles: Your Guide to Responsible AI Use

The AI ethics framework outlines eight principles to guide the development, deployment, and use of AI. These are voluntary guidelines meant to inspire and enhance compliance with existing AI regulations and practices.

1. Human, Societal and Environmental Wellbeing

The key goal of AI systems should be creating positive outcomes for individuals, society, and the environment. The principle encourages the use of AI in addressing global concerns, to benefit all human beings, including future generations.

Also, as organisations benefit from AI, they must consider a broader picture. This includes positive and negative impacts throughout an AI system’s lifecycle, within and outside an organisation.

2. Human-Centred Values

AI tools and platforms must be designed to respect human rights, diversity, and individual autonomy. They should align with human values and serve humans, not the opposite.

AI use should never involve deception, unjustified surveillance, or anything that can threaten these values.

3. Fairness

AI should be inclusive and accessible to all, ensuring no individual is unfairly excluded or disadvantaged. This means actively preventing discrimination against any individual or group based on age, disability, race, gender, and such factors.

Bias can be avoided and fairness promoted by utilising diverse datasets that reflect the world’s population. Algorithmic fairness audits can also be conducted prior to AI system deployment, to analyse for signs of bias against specific demographics.

4. Privacy Protection & Security

AI systems must respect and protect individuals’ privacy rights by ensuring proper data governance throughout their lifecycle. This includes securing AI systems against vulnerabilities and attacks, with the help of cyber security services where needed, to prevent sensitive data from being stolen or manipulated.

Also, organisations should only collect data that’s absolutely needed for AI to function; the less data you gather, the less privacy risk there is. Measures like data anonymisation can also be implemented, where personal details are removed.

5. Reliability & Safety

AI tools and platforms must consistently perform their intended functions accurately, without posing unreasonable risks. This includes using clean, accurate, and up-to-date data to train your AI systems.

It also means regular testing and ongoing monitoring. This allows you to catch and fix any issues promptly, ensuring the system remains reliable and secure throughout its lifecycle.

6. Transparency & Explainability

Transparency helps build trust and accountability, so AI decision-making processes should be clear and understandable. This ensures people can recognise when AI is significantly impacting them and understand the reasons behind AI decisions. Allow them a “peek under the hood,” with a simplified explanation.

Avoid technical jargon when explaining AI decisions. Use clear and concise language that the average person can understand. The goal is for them to grasp the general idea, not become an AI expert.

7. Contestability

This aims to ensure that individuals, communities, or groups significantly impacted by AI systems can access mechanisms to challenge the use or outcomes of these systems. This encourages providing efficient processes for redress, particularly for vulnerable persons or groups.

For example, if an AI system used for facial recognition at an airport wrongly identifies someone as a security risk, they can easily contest this decision and have it reviewed.

8. Accountability

Organisations and individuals involved in the AI lifecycle must be clearly identifiable and responsible for the outcomes of AI systems. Mechanisms should be in place to ensure that they can be held responsible for the impacts of AI, both positive and negative.

For instance, when an AI-powered software produces biased outcomes, the persons responsible for developing and deploying it must be identifiable and face potential consequences for it.


Ethical AI Through Effective Data Governance

Data is the lifeblood of AI. The quality, diversity, and security of data directly impact the fairness and effectiveness of AI systems. Therefore, your data privacy policies and implementation will hugely influence your use of AI.

Here’s how AI ethics and data governance intersect:

Data Collection, Storage, and Use

The AI ethics framework highlights the importance of collecting and using data ethically. This involves obtaining informed consent, minimising data collection, and ensuring data is used only for its intended purpose.

Data Security and Protection

Cyber security is essential to safeguarding sensitive data. Breaches can expose personal information, which can lead to discrimination, unfair treatment, or even identity theft. Data governance frameworks should thus address security risks and ensure compliance with privacy regulations. We’ve written a helpful resource to help SMBs meet Australia’s cyber security compliance standards; check it out.

Data Sharing and Collaboration

The principles encourage responsible data sharing while protecting privacy. Secure platforms can facilitate data collaboration, research, and innovation without compromising individual rights. These can incorporate privacy enhancing technologies like federated learning (training AI models collaboratively), which helps preserve data privacy.

Privacy By Design and Default

AI systems should be designed with privacy in mind from the start. This means minimising data collection and ensuring individuals have control over their own data. For example, a fitness tracker that only collects anonymised step data by default can have options for users to share additional metrics if they choose.

By adopting these principles, organisations can shape data governance policies that build trust with stakeholders and ensure responsible AI development.


AI Ethics: Paving a Sustainable Future

Australia’s AI Ethics Principles provide a clear roadmap for developing and deploying responsible and ethical AI. By integrating these principles into your governance framework, organisations in Brisbane, Townsville, and across Australia can unlock the full potential of AI while ensuring accountability, fairness, and transparency.

Do you want to delve deeper into the topic of AI and data governance? We’ve put together a comprehensive eBook covering the current state of AI, a comparison between ChatGPT and Copilot, and a bonus kickstarter guide with the steps to take for a successful AI deployment.


Private Hospital

A private hospital located on the Gold Coast provides highly specialised microsurgical procedures. The institution is known for providing the best quality patient care, and it invests in world-class technology to do so.