Lawmakers introduce a lot of cybersecurity-related legislation in Congress, but very few make it out of committee, let alone get passed by both chambers of Congress. The NIST Small Business Cybersecurity Act took a year and four months to make its way through Congress and to the president’s desk, but it was finally signed into law this week.
The law requires the director of the National Institute of Standards and Technology to “disseminate clear and concise resources” to help small and medium businesses identify, assess, and reduce their security risks within a year. NIST has to develop recommendations that are widely applicable and consider the nature and size of small businesses. The resources must be technology-neutral compatible with existing commercial, off-the-shelf tools. Along with including practical application strategies, NIST has to ensure the materials are consistent with international standards and existing laws.
The guidance must “include elements that promote awareness of basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships.”
Personal information is just as valuable with small startups, and breaches of networks at small businesses can be just as devastating.
The law doesn’t mean that small businesses using these NIT-based guidance and resources will become immune to attacks, but it should help raise the bar for security. Small businesses are highly susceptible to business-email-compromise scams and phishing attacks designed to steal credentials. Credit unions are frequently targeted for fraud. Smaller businesses who act as service providers or supplier to larger companies are often targeted as a “stepping stone” to penetrate larger companies.
Many large companies deal with data breaches despite having the money to pay for security expertise. Small businesses can’t always afford full-time security staff (in-house or outsourced), and enterprise-class technology tools and platforms do not match their needs or budgets. While The NIST CyberSecurity Framework is considered a tremendous step for enterprise security, it is too costly and complicated for small businesses. Resources specifically designed with the SMB in mind will help these businesses close the current security gap.
If nothing else, passing the law affirms the fact that small businesses deserve just as much security as giant corporations. Personal information is just as valuable with small startups, and breaches of networks at small businesses can be just as devastating.
“This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks,” Sen. Brian Schatz, the the lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, said in a statement.
Originally proposed as MAIN STREET Cybersecurity Act (H.R. 2105) in April 2017, the bill has been absorbed into U.S. federal law S.770. The bipartisan legislation was introduced by Sens. Brian Schatz (D-Hawaii) and James Risch (R-Idaho), and sponsored John Thune (R-S.D.), Maria Cantwell, (D-Wash), Bill Nelson (D-Fla), Cory Gardner (R-Colo), Catherine Cortez Masto (D-Nev), Maggie Hassan (D-N.H), Claire McCaskill (D-Mo), and Kirsten Gillibrand, (D-N.Y.)
Use of these resources by small businesses is voluntary. While not making it a requirement for small businesses to use these resources (when they are eventually developed and released) may seem problematic because not enough businesses will adopt them, these resources will help raise awareness.
Resources specifically designed with the SMB in mind will help these businesses close the current security gap.
Even voluntary programs can become standard, especially if larger companies require their suppliers and providers to show they are using the framework. Putting together a list of requirements that suppliers and providers have to comply with is a challenge for many large companies, so a NIST-based framework for small businesses would be helpful. If insurance companies adopt the framework as their baseline for small businesses looking for security riders to their business insurance, that would also help make these recommendations more widespread, despite the voluntary nature of the law.
NIST is responsible for making sure the resources and the tools are relevant and useful for small businesses. But it also means the security industry also needs to engaged with NIST over the next year as the guidance is being developed to make sure the best practices and recommendations are included.