I went to an interesting talk the other day about the role of the CISO. One particular speaker, Nic Miller from Aedile Consulting, spoke about the burden of large accreditations like ISO 27001 on small businesses. The reality is that they are not designed to provide specific advice on practical security controls, so an organisation can end up with a badge and still be massively exposed to attack.

I wrote a blog post earlier about this: Should I use ISO 27001 for a small business?

The problem is that most people in the Information Assurance world are, well, information people. Their solution to everything is information, process, paperwork and badges that might win you a contract but mean very little in practice.

Most small companies are not interested in needless paperwork, but they are interested in staying safe and understanding the practical steps they can take to reduce their attack surface and reduce the risk of a hack or other malware attack. The National Cyber Security Centre has some great resources, which also overlap with existing guidance described on the NCSC site, but finding the simple steps can still be a little daunting. Some guidance is very specific ("Advice for British Airways Customers") and should not sit in the same pot of documentation as "Supply chain security collection" and "Design Principles: Designing to avoid disruption", which are concerned with very different environments and aimed at different end users.

I found the Australian Cyber Security Centre (part of the Australian Signals Directorate) Essential 8 much more practical and useful for small companies. Instead of getting abstract about risk management and reducing risk with controls, something most small companies have no experience of, it specifies that things like disabling Flash and Java in browsers and disabling automatic macro functionality in Office software can buy you a lot for the effort required. In fact, you don't even need to understand why.

I then decided to write a quick, easy (and free) cyber security audit tool, based on the ASD 8 as well as a couple of other areas, which gives you a rough score as to how well you are doing. As the site says, 100% doesn't mean you are immune from attack and < 50% doesn't mean you are going to be attacked soon, but it does give some ballpark idea.
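As an added illustration of the kind of check behind such a score (this is not the author's audit tool), here is a read-only PowerShell check of the Office macro setting the Essential 8 recommends hardening. It assumes Office 2016/2019/365 (registry version key 16.0) and the documented VBAWarnings and BlockContentExecutionFromInternet values; the scoring weights are my own assumption.

```powershell
# Added example, not the author's audit tool: a read-only check of the
# Office macro setting the Essential 8 recommends hardening, with a rough score.
# Assumes Office 2016/2019/365 (registry version key "16.0"); adjust otherwise.
$Version = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-VbaWarnings {
    param([string]$App)
    # A Group Policy value overrides the user's own Trust Center choice
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security",
        "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.VBAWarnings }
    }
    return 2   # Office default when nothing is set: disable with notification
}

function Get-MacroScore {
    param([int]$Setting)
    # 1 = enable all, 2 = disable with notification, 3 = signed only, 4 = disable all
    # Weights are an assumption for this example, not an official scale
    switch ($Setting) {
        4 { return 2 }
        3 { return 2 }
        2 { return 1 }
        default { return 0 }
    }
}

$total = 0; $max = 0
foreach ($app in $Apps) {
    $setting = Get-VbaWarnings -App $app
    $score = Get-MacroScore -Setting $setting
    $total += $score; $max += 2
    '{0,-11} VBAWarnings={1} score={2}/2' -f $app, $setting, $score
}
# Bonus point: macros in files downloaded from the internet blocked by policy
$policy = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\$Version\Word\Security" `
    -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue
$max += 1
if ($policy -and [int]$policy.BlockContentExecutionFromInternet -eq 1) { $total += 1 }
'Macro hardening score: {0}%' -f [math]::Round(100 * $total / $max)
```

Run it as the user whose settings you want to inspect; machine-wide policy under HKLM is not covered here.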

If anyone wants to take it for a spin and give it some feedback, please do!

If anyone wants help to perform an audit, please contact Cotswold IT Consulting on 01242 500028 or info@cotswolditconsulting.co.uk