The 3 SMB Risk Management frameworks you need to protect your business


Key Takeaways:

  1. Small-medium businesses (SMBs) in innovative sectors face unique risk management challenges—IP theft, insider threats, and foreign interference aren’t just “big company problems.”
  2. Implementing three SMB risk management frameworks—SMB1001 (Gold/Platinum), AS 8001:2021, and ASIO’s Secure Innovation guidance—gives you a best-practice program without reinventing the wheel.
  3. For SMBs, this approach isn’t just smart risk management—it boosts investment appeal, protects your supply chain, and helps you scale with confidence.

If you’re a founder or executive at a knowledge-intensive SMB—think biotech, medtech, software, deeptech or advanced manufacturing—then I’ve got news for you: your biggest threat might not be a cyber breach. It might be someone inside your business walking out with your IP and handing it to a foreign competitor.

Yeah. Grim.

The worst part? Most SMBs don’t even realise they’re a target—until it’s too late.

In my last post, I argued for collapsing insider threat, fraud, and integrity risk programs into one integrated workforce risk model. Today, I’ll show you how to go even further—by adding cybersecurity and innovation security to the mix using three standards already built for SMBs.

Spoiler alert: you don’t need a bespoke program or a 100-page strategy deck. Just plug and play with SMB1001, AS 8001, and ASIO’s Secure Innovation guidance.


Why You Need a Whole-of-Business Risk Lens

Innovative SMBs are juicy targets.

You’ve got valuable research data, intellectual property, and commercialisation plans. You’re agile, fast-growing, and often working with overseas partners. That’s a goldmine for corporate spies, fraudsters, and even state-backed actors.

Don’t believe me? Ask the Australian startups quietly briefed by ASIO on foreign interference. Or look at the biotech company that lost its trade secrets in what started as a “friendly” joint venture.

Here’s the “triple threat” that innovation-driven SMBs face:

  • Cyber Security breaches that expose your R&D and IP.
  • Insider Threats from employees, researchers, or suppliers with too much access.
  • Fraud and Integrity failures that destroy trust, attract regulators, and scare off investors.

Three Standards. One Smart Strategy.

You can cover all these risks by combining three existing frameworks. Here’s how they work together:

1. SMB1001 (Gold or Platinum) – Your Cyber Backbone

Designed specifically for SMBs, SMB1001 provides cyber maturity models from Bronze to Diamond. For high-growth and innovation-focused businesses, Gold and Platinum are the sweet spot.

Gold gives you:

  • Cybersecurity policies for staff and contractors
  • Acceptable use rules (no, your intern shouldn’t be crypto mining on the R&D server)
  • Background checks, access reviews, incident response plans, cyber awareness training

Platinum adds:

  • External audits
  • Continuous monitoring and automated alerts
  • Integration with HR and procurement
  • Real-world testing like penetration and social engineering simulations

These controls are critical—but they don’t explicitly cover fraud, integrity, or culture.

[Image: cover of SMB1001:2025. SMB1001 is produced by Dynamic Standards International.]

Which brings us to…

2. AS 8001:2021 – The Fraud, Corruption & Insider Threat Muscle

This standard fills the governance and integrity gap.

It requires:

  • A fraud and corruption control policy, code of conduct, and clear accountability
  • Whistleblower protections and reporting channels
  • Regular controls testing and board-level reporting
  • A leadership culture that promotes ethical behaviour

But protecting IP, innovation, and research requires one more layer…

3. ASIO’s Secure Innovation Guidance – Your National Security Overlay

This free advisory framework from ASIO (yes, the spy agency) focuses on protecting Australian innovation.

It recommends:

  • Security risk assessments tailored to IP, R&D, and commercialisation
  • Vetting foreign collaborators, investors, and suppliers
  • Government engagement for threat intelligence and support
  • Building a “secure innovation” culture, driven by leadership

Most businesses never think to ask: Could this partnership be a risk? But in today’s landscape, that’s not paranoia—it’s smart due diligence.


What This Means for You

To fully protect your people, assets, and innovation pipeline, you need all three:

  • SMB1001 covers your cyber baseline
  • AS 8001 strengthens your workforce and governance controls
  • ASIO’s Secure Innovation addresses foreign interference, IP protection, and national security threats

Table: Comparison of Coverage by SMB Risk Management Framework

| Risk Area / Obligation | SMB1001 (Gold/Platinum) | AS 8001:2021 | ASIO Secure Innovation |
|---|---|---|---|
| Cybersecurity policies & access controls | ✅ Fully covered | ❌ Not covered | ✅ Covered |
| Fraud, corruption, and integrity policies | ⚠️ Partial (cyber only) | ✅ Fully covered | ✅ Covered in context |
| Supplier / third-party risk | ✅ Covered | ✅ Covered | ✅ Covered |
| Insider threat / workforce risk monitoring | ⚠️ Basic logging only | ✅ Covered | ✅ Covered + vetting |
| Whistleblower / confidential reporting | ❌ Not required | ✅ Required | ✅ Strongly encouraged |
| Board / leadership risk reporting | ❌ Not specified | ✅ Required | ✅ Expected |
| Controls assurance / testing | ⚠️ Basic requirements | ✅ Required | ✅ Strongly encouraged |
| Innovation / IP risk assessment | ❌ Not covered | ❌ Not covered | ✅ Core focus |
| Foreign collaboration / Counter Foreign Interference | ❌ Not included | ❌ Not included | ✅ Core focus |
| Security culture / tone from the top | ⚠️ Cyber awareness only | ✅ Required | ✅ Essential |
| Engagement with government for threat intel | ❌ Not included | ❌ Not included | ✅ Strongly recommended |

Mapping of the three standards against my core integrated workforce program requirements.

✅ = Fully covered ⚠️ = Partially covered ❌ = Not covered

Think of it this way:

  • SMB1001 is your body armour
  • AS 8001 is your immune system
  • ASIO Secure Innovation is your early warning radar

How to Build It Without Melting Down

You don’t need a 10-person security team. Start small. Be practical.

Here are 9 steps to get you started:

  1. Map your current controls to each framework. Gaps will show themselves quickly.
  2. Update your policies: Include anti-fraud, IP protection, acceptable use, and supplier conduct.
  3. Close quick wins: Add a code of conduct, whistleblower channel, and leadership reporting.
  4. Create a cross-functional risk committee: HR, IT, Finance, Legal, Commercial—all in one room.
  5. Run an integrated risk assessment: Cover cyber, insider threat, fraud, integrity, innovation/IP, and foreign partnerships.
  6. Train your people: Cyber training is great—but also teach secure innovation and fraud red flags.
  7. Engage with government early: ASIO Outreach and ACSC are there to help, not to audit.
  8. Review and test regularly: Dashboards and audit trails go a long way with investors and boards.
  9. Vetting is non-negotiable: Screen staff, partners, and suppliers—especially around your R&D and IP.

But Where’s the Value? What You Get in Return

  • Investor confidence: Series B investors and enterprise customers want to know your IP is protected.
  • Culture clarity: One integrated program = clear expectations, fewer grey zones.
  • Operational edge: You de-risk your go-to-market, protect innovation, and improve scalability.

Oh—and you avoid being front-page news.


Final Word

You’re building the future. Don’t let it get stolen, leaked, or sabotaged by someone you missed on a risk register.

You don’t need to reinvent the wheel. You need structure, culture, and clarity.

When you combine SMB1001, AS 8001, and ASIO’s Secure Innovation guidance, you’re building more than a compliance program. You’re building resilience. You’re protecting growth.

And you’re doing it with a framework that scales as you do.

So don’t wait for the “oh crap” moment. Start building your secure workforce risk program now.

Your investors, your board, and your future self will thank you.

