The 5-4-3-2-1 Cybersecurity Model for SMEs
Hello and Happy New Year!
I hope this newsletter finds you in good health and high spirits as we embark on another promising year. It's that time when we're full of resolutions and fresh plans. And speaking of fresh plans, I've got something special for our SME friends out there.
In my recent conversations with SME owners and vendors, I've noticed a common thread of concern: finding a practical and manageable cybersecurity model for SMEs. It seems the more complex frameworks like NIST CSF or ISO 27001 or even RMiT can be quite a mouthful for smaller businesses, and therefore may not be that practical to start with.
So, I put on my thinking cap and thought of a simpler approach: the 5-4-3-2-1 cybersecurity model. This model is tailored for SMEs, offering a straightforward path to beef up their cyber defenses by focusing on what really matters for SME businesses.
Here's the gist of it:
5 is for “FIVE” basic cyber hygiene practices:
Timely patching of IT systems, prioritizing internet-facing systems and vulnerabilities that are already being exploited in the wild.
Continuous security awareness program.
Implementing malware protection.
Protecting credentials: unique passwords (ideally from a password manager) and multi-factor authentication on every remote and administrative login.
Encrypting data, both at rest and in transit.
4 is for performing “FOUR” vulnerability assessments in a year:
Scanning the network, web apps, and security configurations every quarter, and fixing what each scan finds before the next one is due.
3 is for keeping “THREE” copies of your data:
Keeping one original copy (production) and two backups on different types of media, with at least one backup kept offline or off-site so that ransomware on the production network cannot reach it, and test-restoring the backups periodically so you know they actually work.
2 is for achieving Tier “TWO” of the NIST CSF Implementation Tiers:
Striving to reach and maintain Tier 2 (Risk Informed) of the NIST CSF Implementation Tiers, where cyber risk management practices are approved by management even if they are not yet an organization-wide policy. (NIST CSF itself calls these Implementation Tiers rather than a maturity model, but in practice SMEs use them as a maturity yardstick.)
1 is for putting in place “ONE” robust incident response plan:
Having one robust incident response plan that is written down, assigns who does what, and is exercised regularly (for example, a tabletop walk-through of a ransomware scenario) so it works when it is needed.
It's key to remember that the 5-4-3-2-1 model isn't about ticking the items off in that order. SMEs can start with whichever part is most relevant and doable for them. The main idea is to make cybersecurity less daunting by giving a simple guide that concentrates on the controls that matter most and leaves out the rest. That way it points out what's really key and keeps things simple for SMEs.
I'd love to get your thoughts on this. Do you find this model practical and effective for SMEs? Or perhaps you have other ideas or methods that might fit the bill better?
Wishing you a safe, prosperous, and cyber-secure 2024!
Cheers!
Sivanathan