New U.S. Small Business Cybersecurity Law: What It Means
Bipartisan legislation to help small businesses improve their cybersecurity posture, first introduced in March 2017, has been signed into law by President Trump. It requires the National Institute of Standards and Technology (NIST) to use existing funds to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”
The NIST Small Business Cybersecurity Act, S. 770 (formerly the MAIN STREET Cybersecurity Act), promises to give SMBs the tools they need to apply NIST’s Cybersecurity Framework, a set of voluntary guidelines that organizations and businesses can use to improve their defensive posture against attacks. SMBs are not obliged to do anything under the law: the resources it provides for are informational, not mandated rules or regulations. The aim is to help SMBs address common, rather than extraordinary, cybersecurity risks with consistent, relevant and comprehensive guidance.
Here’s what the law requires of NIST, which has 12 months to act:
- Resources must be generally applicable and usable by a wide range of small businesses.
- The materials must vary with the nature and size of the implementing small business and with the sensitivity of the data it collects or stores, whether on premises or remotely.
- The tools must promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships.
- Case studies of practical application must be included.
- The information must be technology-neutral and implementable with commercial off-the-shelf technologies.
“As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks,” said Sen. Brian Schatz (D-HI), lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, in a statement. “But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers. This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks,” he said.
The Senate’s version of the bipartisan act was authored by Senators Brian Schatz (D-HI) and James Risch (R-ID), and co-sponsored by Senators John Thune (R-SD), Maria Cantwell (D-WA), Bill Nelson (D-FL), Cory Gardner (R-CO), Catherine Cortez Masto (D-NV), Maggie Hassan (D-NH), Claire McCaskill (D-MO), and Kirsten Gillibrand (D-NY). The legislation was first introduced in the House by Rep. Dan Webster (R-FL), a member of the House Science, Space, and Technology Committee, in March 2017, and passed the House last October.
SMBs are increasingly the target of ransomware, phishing and data breaches. A study last year by business continuity provider Datto found that ransomware attacks against SMBs were likely to spike in the coming years. SMBs currently spend approximately $11 billion on remotely managed security services and are the primary driver of that segment’s projected growth, according to researcher AMI.
The federal government isn’t the only source of cybersecurity best practices for SMBs. Datto recently published a cybersecurity checklist for smaller businesses that included risk assessments, staff training, keeping software up to date and other recommended preventive measures.