Perth Cyber Safe:

"SMB1001 - Your 5-Tier cybersecurity certification standard for small & medium business."

A place where businesses come to "level up" their security.

At Perth Cyber Safe (PCS), our Special Agents are ICT professionals who work collaboratively, bringing together extensive real‑world experience across enterprise systems, network engineering, cyber security operations, and project management.

PCS is purpose‑built to support small to medium businesses, delivering practical and effective security solutions that prevent cyber incidents from becoming costly, disruptive business events. Our mission is to protect Western Australian businesses by reducing everyday cyber threats and attacks, and ensuring that, if an incident does occur, your business is recoverable with minimal operational and financial impact.

We don’t just hand you a list of problems. We provide a clear, structured roadmap, working alongside you to integrate and implement the necessary control measures so your business is resilient, compliant, secure, and officially certified.
SMB1001 helps SMBs understand where they stand, what matters, and what to do next.

It offers a realistic, achievable cyber maturity framework that aligns security efforts with business risk, capability, and budget.

Cyber insurance companies are becoming far stricter about who they will cover.
If you tell an insurer “we’re working on the Essential Eight”, that signals a work‑in‑progress. Progress is good — but insurers prefer proof.
When you show SMB1001 Bronze or Silver Certification, you are presenting a recognised Australian cyber security standard that demonstrates measured, verified risk reduction. This positions your business as a lower‑risk client, which can directly influence:
  • Whether cover is approved
  • Policy conditions
  • Excess levels
  • Premium cost
In many cases, SMB1001 certification can be the difference between being insured or being declined.
Yes — it gives you supply‑chain credibility.
Government agencies and large corporations increasingly ask a simple question during procurement:
“How secure is your data?”
Most suppliers respond with policies, intentions, or verbal assurances.
Very few can respond with formal certification.
Being SMB1001 Certified allows you to demonstrate that:
  • Your environment has been independently assessed
  • Security controls are implemented and measured
  • Risk is actively managed, not ignored
This immediately places your business ahead of the majority of competitors who are still relying on hope rather than evidence.
SMB1001 stops the ‘billable hour bleed’.
Traditional cyber assessments often come with:
  • Open‑ended scopes
  • Hourly billing
  • “Let us look into that” conversations
  • Unclear outcomes
With our fixed‑price SMB1001 audit, you know:
  • Exactly what the assessment costs
  • Exactly what you’ll receive
  • Exactly what needs to be fixed
You get a clear, prioritised security action list — not vague advice.
We then work through that list step by step, with no surprise invoices.
Yes — it focuses on the controls that matter most.
SMB1001 is not about doing everything at once. It focuses on high‑impact protections first, including:
  • ✅ Backups that actually work
    (Tested and recoverable when ransomware hits)
  • ✅ Strong access controls
    Ensuring only the right people have access, using MFA and least‑privilege principles
  • ✅ Secure, updated systems
    Closing known vulnerabilities before attackers can exploit them
These controls directly address the most common causes of:
  • Ransomware incidents
  • Business disruption
  • Data loss
  • Financial damage
Yes — it’s built specifically for them.
SMB1001 was designed to give small and medium businesses:
  • A realistic, achievable standard
  • Clear maturity levels (Bronze, Silver, Gold)
  • A path to stronger security without enterprise complexity
It’s security that is:
  • Practical
  • Affordable
  • Measurable
  • Defensible

That’s a fair question — the Essential Eight is well known, but it’s important to understand what it is and what it isn’t.

The Essential Eight is a set of technical controls, not a certification. On its own, it doesn’t provide independent validation, assurance, or proof to insurers, customers, or supply‑chain partners that those controls are actually in place and working.

SMB1001 includes the Essential Eight controls and goes significantly further.
SMB1001:
  • ✅ Encompasses the Essential Eight controls as part of the framework
  • ✅ Expands beyond them to include governance, risk management, policies, and operational security
  • ✅ Measures how well controls are implemented — not just whether they exist
  • ✅ Results in formal certification, not just intent or self‑assessment
Most importantly, SMB1001 provides you with certification against a recognised international standard. That means your security posture is not just claimed, but independently assessed and verified.

In simple terms:

  • Essential Eight = what good security should look like
  • SMB1001 = independently certified proof that you are doing it, against a recognised international standard
If you need to demonstrate security maturity to insurers, customers, government, or partners, SMB1001 gives you defensible evidence that goes well beyond “we’re working on it”.

Cybersecurity, done properly.

Running a small business today means relying on technology every day: email, accounting, customer data, cloud services. It also means being exposed to cyber risks that were once aimed only at large organisations. The challenge isn’t knowing that security matters.

It’s knowing what’s reasonable, what’s enough, and where to start. That’s exactly what SMB1001 is designed to solve.


What is SMB1001?

SMB1001 is a cybersecurity standard built specifically for small and medium businesses. It provides a clear, practical roadmap to improve your cybersecurity without the cost, complexity, or disruption of enterprise standards. Instead of trying to “do everything,” SMB1001 helps your business:

  • Focus on the controls that actually reduce risk
  • Improve security step‑by‑step
  • Demonstrate due diligence to insurers, customers, and partners
  • Build confidence without over‑engineering

It’s cybersecurity that fits how small businesses really operate.


Why SMB1001 matters for your business

Most cyber incidents affecting small businesses aren’t sophisticated attacks; they succeed because basic protections are missing, inconsistent, or untested. SMB1001 focuses on the fundamentals that matter most, including:

  • Securing access to email and systems
  • Keeping software and devices up to date
  • Ensuring backups actually work when needed
  • Preparing for incidents before they happen
  • Reducing human‑error risks through training

Just as importantly, SMB1001 helps you prove that you’re taking reasonable steps to protect your business — something insurers, clients, and supply‑chain partners increasingly expect.


The five areas SMB1001 covers

SMB1001 looks at your business across five simple areas, ones every organisation already has, whether formally managed or not:

🔧 Technology

Are your systems protected, patched, and properly maintained?

🔐 Access

Who can access what — and how securely?

💾 Backup & Recovery

Could you recover and keep operating after a cyber incident?

📄 Policies & Plans

Do you have clear, usable plans when something goes wrong?

👥 People & Training

Do staff know how to recognise phishing, scams, and common threats?

Together, these five areas form a practical picture of your cybersecurity maturity.


Bronze, Silver, and Gold: what do the levels mean?

SMB1001 is designed so you only do what’s appropriate for your business today.

Bronze – The essentials

Focuses on basic protections that stop the most common cyber attacks.

For many small businesses, this is the sensible starting point.

Silver – Consistent security

Builds on Bronze with stronger access controls, email protection, and monitoring.

Often aligns with cyber insurance expectations.

Gold – Proactive risk management

Introduces more mature controls, regular testing, clear incident plans, and staff training.

Commonly recommended for professional services and businesses handling sensitive data.

Each level builds on the one before it; nothing is wasted or duplicated.


How Perth Cyber Safe helps

At Perth Cyber Safe, we don’t treat cybersecurity as a checklist exercise. Our approach is:

  • Independent — assessment comes first
  • Risk‑based — focused on what actually matters
  • Plain English — no jargon, no scare tactics
  • Evidence‑driven — if it can’t be proven, it doesn’t count

Our process is simple:

  1. Assess your current position against SMB1001
  2. Identify gaps in plain language
  3. Explain what matters and why
  4. Support implementation where needed
  5. Help you demonstrate security with confidence

You stay in control of decisions, timing, and budget.


How SMB1001 fits with other standards

SMB1001 aligns closely with well‑known frameworks like the Australian Essential Eight, making it a practical starting point for businesses that don’t need enterprise‑level complexity today. It also lays strong foundations for future requirements, without forcing you to over‑spend early.


Is SMB1001 right for your business?

SMB1001 is ideal if you:

  • Want real protection and countermeasures measured against a recognised international standard, not promises
  • Need to meet insurer, client, tender or supplier expectations
  • Don’t have in‑house security specialists
  • Want confidence you’re doing the right things — not just more things


If you answer “No”, “Not sure”, or “Partially” to three or more of the questions below, your business is likely exposed to material cyber risk.

1️⃣ Password Management & Credential Security

Did you know?

Industry breach reports consistently find that most hacking‑related breaches involve weak, reused, or stolen passwords. Many attacks start with one compromised login that gives attackers access to multiple systems.

Scenario:

An employee reuses the same password for email and a third‑party website. That website is breached, and attackers use the same credentials to access your Microsoft 365 environment.


Do you use a business‑grade password manager and enforce strong, unique passwords across all systems?


2️⃣ Automated Windows & Third‑Party Patching

Did you know?

Unpatched software is one of the most exploited attack paths for ransomware. Many breaches occur months after patches were already available.

Scenario:

A missed Windows or Adobe update leaves a known vulnerability open. An attacker exploits it to deploy ransomware overnight.


Are Windows updates and third‑party software updates (browsers, PDF readers, Java, etc.) automated and monitored across all systems?


3️⃣ Invoice Fraud & Payment Verification

Did you know?

Invoice fraud and business email compromise are among the highest financial‑loss cyber incidents in Australia, especially for SMBs.

Scenario:

Your finance team receives an email that appears to be from a supplier advising of new bank details. A payment is made — and the money is unrecoverable.


Do you have documented invoice‑change verification and secondary approval processes for all payment changes?


4️⃣ Multi‑Factor Authentication (MFA)

Did you know?

Microsoft reports that MFA blocks over 99% of automated account‑compromise attacks, even when the password is already stolen. The exceptions are attacks that capture or bypass the second factor, such as real‑time phishing proxies and push‑notification fatigue, which is why authenticator apps or hardware keys are preferred over SMS codes.

Scenario:

An attacker obtains a user’s email password through phishing. Without MFA, they gain full mailbox access and begin internal fraud attempts.


Do all users (not just admins) use MFA with an authenticator app for email, cloud apps, and remote access?


5️⃣ Firewall & Network Segmentation

Did you know?

A firewall that is “installed” but poorly configured offers minimal real protection.

Scenario:

An infected laptop gains access to your entire network because systems are not segmented, allowing malware to spread laterally.


Do you have a properly configured Next‑Generation Firewall (NGFW) with VLANs, IDS/IPS, access controls, and logging in place?


6️⃣ Email Security & Domain Protection

Did you know?

Phishing and malware emails are the #1 entry point for SMB cyber incidents. Most compromises begin with a single malicious email being opened or trusted.

Scenario:

An employee clicks a convincing email, enters their login details, or opens a malicious attachment. Attackers then use those credentials to access systems, launch internal scams, or deploy ransomware.

Good email security is not just spam filtering. It also means the DNS records that protect your domain are correctly configured and actively monitored:

  • SPF (Sender Policy Framework) — a DNS record listing the servers authorised to send email for your domain; receivers check the connecting server against it
  • DKIM (DomainKeys Identified Mail) — your mail server signs outgoing messages with a private key whose public half is published in DNS, so receivers can verify the message came from your domain and was not altered in transit
  • DMARC (Domain‑based Message Authentication, Reporting & Conformance) — tells receivers what to do with mail that fails SPF or DKIM alignment (monitor, quarantine, or reject) and sends you reports showing who is sending as your domain; only a quarantine or reject policy actually stops spoofing
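The checks above can be applied to the records themselves. The script below is an added example written for this page, not Perth Cyber Safe's tooling or part of SMB1001: it parses SPF, DKIM and DMARC TXT records offline and reports the weaknesses a practitioner looks for first (a permissive `+all`, more than the ten DNS lookups SPF permits, a revoked or short DKIM key, `p=none`, and no `rua=` reporting address). The records at the bottom are constructed for a hypothetical example.com; in practice you would paste in the output of `dig TXT yourdomain`, `dig TXT selector._domainkey.yourdomain` and `dig TXT _dmarc.yourdomain`. Function names and the 250‑byte DER threshold are my own assumptions.

```python
"""Offline sanity checks for SPF, DKIM and DMARC TXT records.

Added example for this page, not Perth Cyber Safe's tooling. The records at the
bottom are constructed for a hypothetical example.com, not real DNS data.
"""
from __future__ import annotations

import base64
import re

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 permits.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record (an empty list means it looks sound)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings, lookups, terminal = [], 0, None
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208 default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        match = re.match(r"[a-z]+", term.lower())
        name = match.group(0) if match else ""
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated; remove it")
        if name == "all":
            terminal = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (receivers return permerror)")
    if terminal is None:
        findings.append("no 'all' term: unlisted senders are treated as neutral, not rejected")
    elif terminal in "+?":
        findings.append(f"'{terminal}all' lets any server on the internet send as your domain")
    elif terminal == "~":
        findings.append("'~all' softfail only bites once DMARC is enforced; prefer -all")
    return findings


def _parse_tags(record: str) -> dict[str, str]:
    """Split the 'k=v; k=v' tag lists used by DKIM and DMARC into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim(record: str) -> list[str]:
    """Check a selector._domainkey TXT record: key present, decodable, not too short."""
    tags = _parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":     # v= is optional in DKIM but must be DKIM1 if present
        return ["unexpected DKIM version tag"]
    key = tags.get("p", "")
    if not key:
        return ["empty p= tag: this selector's key is revoked, so its signatures fail"]
    try:
        der_len = len(base64.b64decode(key, validate=True))
    except ValueError:
        return ["p= is not valid base64"]
    # An RSA-2048 SubjectPublicKeyInfo is 294 DER bytes; RSA-1024 is 162 (assumed threshold: 250).
    if tags.get("k", "rsa") == "rsa" and der_len < 250:
        return [f"RSA key looks shorter than 2048 bits ({der_len} DER bytes); rotate the selector"]
    return []


def check_dmarc(record: str) -> list[str]:
    """Check a _dmarc TXT record for a policy that actually stops spoofing and reports on it."""
    tags = _parse_tags(record)
    if not record.lstrip().lower().startswith("v=dmarc1") or tags.get("v") != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; move to p=reject once reports are clean")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: only that share of failing mail is actioned")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility of abuse")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains spoofable even though the apex is protected")
    return findings


# Constructed records for a hypothetical example.com (not real DNS data).
# The p= values are placeholder bytes of the same length as real RSA keys, not keys.
WEAK = {
    "spf": "v=spf1 a mx include:mail.example.net +all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 216,   # decodes to 162 bytes, RSA-1024 sized
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,   # decodes to 294 bytes, RSA-2048 sized
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
}


def audit(records: dict[str, str]) -> dict[str, list[str]]:
    """Run all three checks and return findings keyed by record type."""
    return {
        "spf": check_spf(records["spf"]),
        "dkim": check_dkim(records["dkim"]),
        "dmarc": check_dmarc(records["dmarc"]),
    }


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for kind, findings in audit(recs).items():
            print(f"  {kind}: {findings or ['OK']}")
```

The weak set produces one SPF finding (`+all`), one DKIM finding (key too short) and two DMARC findings (`p=none`, no `rua=`); the hardened set produces none. Passing these checks does not prove DKIM signing is actually enabled on every sending service, so also send a test message to a mailbox you control and confirm the `Authentication-Results` header shows `spf=pass`, `dkim=pass` and `dmarc=pass`.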



Do you have spam filtering in place, and are SPF, DKIM, and DMARC properly configured and monitored for your domain?


7️⃣ Endpoint Protection (Antivirus / EDR)

Did you know?

Basic antivirus alone often fails to stop modern ransomware and fileless attacks.

Scenario:

A user opens a malicious attachment. Without modern endpoint protection, the ransomware launches and spreads before being detected.


Do all laptops, desktops, and servers have up‑to‑date antivirus or endpoint detection and response (EDR) protection?


8️⃣ Backup Testing & Recovery Readiness (NEW)

Did you know?

Many businesses discover their backups don’t work only after an incident occurs.

Scenario:

After a ransomware attack, you attempt to restore data — only to find backups were incomplete, corrupted, or overwritten.


Are your backups tested regularly, stored securely, and verified to be restorable within an acceptable timeframe?


9️⃣ User Cyber Awareness & Training (NEW)

Did you know?

Human error remains one of the largest contributors to cyber incidents, even in technically secure environments.

Scenario:

A well‑meaning employee falls for a realistic phishing email because they’ve never been trained on what to look for.


Do staff receive ongoing cyber security awareness training and phishing education relevant to their roles?


🔟 Incident Response & Business Continuity (NEW)

Did you know?

The first 24 hours of a cyber incident often determine financial impact, downtime, and reputational damage.

Scenario:

An incident occurs, but nobody is sure who to call, what systems to shut down, or how to communicate internally and externally.


Do you have an incident response and business continuity plan that is documented, understood, and tested?


✅ What This Questionnaire Tells You

  • 0–2 “No / Not Sure” answers
    → You are in a strong position, but still benefit from formal validation.
  • 3–5 “No / Not Sure” answers
    → Your business has moderate risk and would benefit from a structured security assessment.
  • 6+ “No / Not Sure” answers
    → Your business is exposed to significant cyber, financial, and compliance risk.