How Dicker Data can help you leverage the SMB1001 Framework opportunity

Chris Georgiou, Cybersecurity Presales Specialist

Navigating the SMB1001 Cybersecurity Framework with your customers

The cybersecurity landscape is becoming increasingly challenging for businesses of all sizes, but small and medium-sized businesses (SMBs) often lack the resources to tackle these issues and keep up with cybersecurity demands. The frequency and persistence of cyber threats are also rising, as highlighted by the 2023 Australian Signals Directorate (ASD) Cyber Threat Report, which recorded 1,100 incidents, correlating to one attack every six minutes. It’s critical for SMBs to have a robust cybersecurity framework in place. That’s where the SMB1001:2025 standard can help.

How Dicker Data can help you leverage the SMB1001 Framework Opportunity 

Our Dicker Data team is committed to guiding our partner community to ensure Australian businesses have the best cybersecurity practices in place to protect critical data and safeguard their IT environments. Not only will the SMB1001 help improve SMBs' cybersecurity posture, but it also doubles as a pivotal opportunity to engage with your customers to uncover additional revenue streams through cybersecurity. At Dicker Data, we have the knowledge and experience across several vendors and their technologies to assist you moving forward. Leverage our experienced Pre Sales and Sales Engineers, who can develop and implement strategies for your customers, engage the right technologies and vendors to support you, and most of all illustrate the benefits of a structured approach and offering to maximize your revenue.

What is SMB1001:2025? 

SMB1001 is a multitiered Cybersecurity Standard developed by Dynamic Standards International (DSI) for small to medium businesses, to help fill the gap in cybersecurity certifications. Unlike the enterprise standards and frameworks, SMB1001 removes the complexity and high costs associated with larger, comprehensive frameworks and addresses the unique challenges faced by SMBs in implementing effective cybersecurity measures including budget, resources, and technical expertise.  

The latest SMB1001:2025 standard, released in September 2024, aligns with multiple international standards, including the Australian Essential Eight, UK Cyber Essentials, and the US Department of Defense's Cybersecurity Maturity Model Certification.   

Why should SMBs use SMB1001:2025? 

Many small businesses and MSPs think of cybersecurity as a complex maze filled with challenging solutions, budget constraints and a lack of technical resources, making it tricky to identify the right path. The SMB1001:2025 framework provides the structure and guidelines to help SMBs build a comprehensive strategy that strengthens their cybersecurity capabilities to protect digital assets. 

What are the benefits of obtaining SMB1001:2025?

End-customers who obtain their SMB1001 certification will strengthen their reputation and trust within the industry and with their existing and future clients. Being certified demonstrates that they’ve taken the necessary time to secure their digital assets from evolving cyber threats according to a recognised standard and framework. All of this will elevate your offerings and confidence amongst your client base, which in turn opens doors to new business. 

Key benefits of obtaining SMB1001 

  1. Improved Cybersecurity Strategies and Protection against evolving cyber threats.

  2. Stepping stone for a segue into more complex Cybersecurity frameworks and regulations.

  3. Competitive advantage when bidding for tenders.

  4. Increased customer and partner confidence.

So, how does it work? 

The SMB1001 is multitiered across 5 levels beginning at Bronze. Our Dicker Data team can provide guidance on how to conduct reviews and implement measures to comply with the standards, as they scale up through the tiers. The strategies and requirements are designed to enhance your customer's cybersecurity resilience and introduce accountability among business executives and employees. The SMB1001 levels of maturity act as a stepping stone to the ISO27001 certification, which is used by large-scale companies. 


Here’s a breakdown of the different levels and how our Dicker Data team is positioned to help you scale up with our portfolio of industry-leading cybersecurity vendors available at each tier. 

Bronze

Focus: Basic Cybersecurity Measures. Six simple requirements any business can meet. Controls at this level include:

  • Engaging an external Technical Support specialist to help manage the IT Environment. 

  • Deploying an Industry based Firewall to protect the local network. 

  • Deploying an Industry based Endpoint Antivirus Solution across all devices. 

  • Configuring Automatic deployment and installation of approved software updates and patches across all applicable assets. 

  • Implement a process to routinely change passwords. 

  • Implement a Backup and Recovery strategy for critical data. 

Requirement: Director attestation is required, meaning a company director must formally acknowledge that the security measures are in place. 

Vendors to leverage: [vendor graphic]

Silver

Focus: Intermediate control. Controls at this level include:

  • Installing TLS certificates on public facing Websites. 

  • Restricting user logins from having Administrative Privileges.

  • Ensuring all users have their own logins and do not operate with a shared login. 

  • Implementing a Password Manager.

  • MFA on all Employee Email accounts. 

  • Confidentiality agreements for all employees. 

  • Implementing policy to prevent Invoice Fraud. 

  • Maintaining a Visitors Register.

Requirement: Director attestation is required to confirm that these enhanced security measures are actively implemented. 

Vendors to leverage: [vendor graphic]

Gold

Focus: Advanced, Mature Cybersecurity. Controls at this level include:

  • Ensuring all servers are patched and updated regularly. 

  • MFA on all business applications and social media accounts.

  • Implementing a Cybersecurity Policy and Strategy. 

  • Implementing an Incident Response Strategy for Cyber incidents. 

  • Securely disposing of all physical documentation. 

  • Ensure all computer devices with sensitive data are disposed of securely. 

  • Implement and maintain a Digital Asset register. 

  • Conduct Cybersecurity Awareness training for all employees.

Requirement: Director attestation is required to confirm that these advanced security measures are actively implemented. 

Vendors to leverage: [vendor graphic]

Platinum

Focus: Highly detailed Cybersecurity practices. Controls at this level include:

  • Regularly scanning Public Internet facing assets for vulnerabilities. 

  • Manage remote Access Cloud Credentials. 

  • MFA for access to valuable digital data. 

  • MFA on VPN Connections. 

  • MFA on RDP Connections. 

  • An up-to-date Cyber Insurance policy.

Requirement: Continuous oversight and annual external audits to ensure the implementation of these advanced security measures. 

Vendors to leverage: [vendor graphic]

Diamond

Focus: Comprehensive, real-time Cybersecurity. Controls at this level include:

  • Encrypting Digital Data at rest. 

  • Deploying and maintaining Application Control. 

  • Disabling untrusted MS Office macros.

  • Regular Penetration testing, Vulnerability Scanning, Social Engineering testing. 

  • Execute a Digital Trust program with your suppliers. 

  • Conduct Police Vetting for Employees and Contractors with Administrative privileges and/or controlled access to crucial assets and data. 

  • Executing Incident Response drills.

Requirement: Requires real-time monitoring, external audits and collaboration with third-party experts to maintain the highest level of protection. 

Vendors to leverage: [vendor graphic]

What are the five key pillars of the SMB1001 framework? 

  1. Technology Management

This pillar focuses on managing and securing the technology infrastructure, including hardware, software, and networks. It involves implementing security controls such as firewalls, antivirus software, and intrusion detection systems to protect against cyber threats. Regular updates and patch management are also essential to ensure that all systems are protected against known vulnerabilities.

  2. Access Management

This involves controlling and monitoring access to information systems and data. It includes implementing strong authentication mechanisms, such as multi-factor authentication, to ensure that only authorised individuals have access to sensitive information. Access controls should be regularly reviewed and updated to reflect changes in personnel and roles within the organisation.

  3. Backup & Recovery

Performing regular data backups and having a robust recovery plan in place are important. Together they ensure that data can be restored in the event of a cyber incident, such as a ransomware attack. A well-defined recovery plan helps minimise downtime and ensures business continuity by outlining the steps to be taken to restore systems and data.

  4. Policies and Processes

This involves developing and implementing comprehensive cybersecurity policies, plans, and procedures. These documents provide guidelines for the organisation’s security practices and response to cyber threats. They should cover areas such as incident response, data protection, and employee responsibilities. Regular reviews and updates are necessary to ensure that the policies remain effective and relevant.

  5. Education & Training

The SMB1001 framework is designed to be clear, concise, and accessible even for those without a deep technical background. This approach can empower your non-technical staff to take ownership of your cybersecurity posture. Everybody, at all levels, gets the chance to contribute to keeping the organisation protected. The responsibility of cybersecurity involves the entire organisation: 

  • Employees: by following best practices like not opening suspicious emails, using strong passwords, and regularly updating their software. 

  • Managers: by allocating resources for cybersecurity training and tools. 

  • Executives: by prioritising cybersecurity.

Leverage our expert cybersecurity team today 

Small to medium-sized businesses with limited IT resources and no stringent compliance requirements will benefit from the SMB1001:2025 framework. It will offer a more tailored approach to securing and implementing strategies across cybersecurity, whilst keeping costs and complexity at an affordable level. If your customer’s business has regulatory obligations, handles sensitive information, or requires a higher level of cybersecurity, the Essential Eight framework may be the better option to ensure robust defences are in place. 

Leverage our expertise and start advising your customers on how to successfully obtain and implement the SMB1001 framework. Additionally, our Dicker Data experts have produced a comprehensive report into understanding the cybersecurity opportunity among Australian SMBs here. 
