Federal Legislation: Boosting Small Business Cybersecurity?
SMBs are increasingly the target of ransomware kidnappers, credential thieves and data burglars. Newly passed bipartisan legislation vows to offer small and medium-sized businesses (SMBs) more tools to strengthen their defenses against cybersecurity threats.
The new law, dubbed “Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology” (MAIN STREET) and sponsored by Senators James Risch (R-Idaho) and Brian Schatz (D-Hawaii), was initially brought up for discussion on the Senate floor last March. It requires the National Institute of Standards and Technology (NIST) to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cyber security risks.”
On its face, the bill promises SMBs will get the coordinated resources they need to use the NIST’s Cybersecurity Framework, a set of voluntary guidelines for organizations and businesses to improve their defense posture against attacks. To what degree SMBs can dodge or ward off attacks by using the framework is an open question at this point.
Both Risch and Schatz referenced the massive Equifax data heist to stress the new law’s timing and importance for SMBs.
“This legislation will help America’s small business owners safeguard against cyber threats and better position them to protect their assets, customers, and employees,” said Risch. “The recent Equifax hack is the latest example of the many vulnerabilities that exist and why we must take urgent, proactive steps to prevent cyber-attacks on small businesses in addition to individuals.”
SMBs Under Attack: The Trends
There’s not much debate that SMBs are an enticing target for cyber crooks. According to a recent survey conducted by independent research firm Ponemon Institute and password management and digital vault specialist Keeper Security, the number of cyberattacks on SMBs rose from 55 percent in 2016 to 61 percent in 2017.
In particular, SMB-aimed ransomware attacks and data breaches are climbing. The average data breach involved 9,350 individual records this year, an increase from an average of 5,079 records in 2016, the study said. Moreover, SMBs likely aren’t well equipped to fend off an attacker. Netwrix’s 2017 IT Risks Report, featuring input from nearly 500 SMBs, revealed that 73 percent do not have a separate information security function.
The Senate Commerce Committee approved the MAIN STREET legislation in April. Its co-sponsors include Senators Thune (R-S.D.), Cantwell (D-Wash.), Nelson (D-Fla.), Gillibrand (D-N.Y.), Gardner (R-Colo.), Cortez Masto (D-Nev.), McCaskill (D-Mo.), and Hassan (D-N.H.).
The NIST recently broadened an updated version of its security and privacy controls framework beyond federal agencies to include state and local government, the private sector and academia. The NIST regards controls as security and privacy safeguards—both technical and procedural—designed to protect systems, organizations and individuals.