Small businesses can’t go it alone on cybersecurity

Two senators hope to improve cybersecurity protections at small businesses by expanding services offered by the U.S. Small Business Administration.

The Small Business Cybersecurity Assistance Act, introduced in June by Sens. Gary Peters and Marco Rubio, would add more counselors and other cybersecurity resources at the agency’s nearly 1,000 Small Business Development Centers across the country.

The bill would allow SBDCs to use current grant funding to provide cybersecurity training and technical resources to small businesses. It would also direct the agency, working with the Department of Homeland Security, to manage and distribute cybersecurity materials.

A cybersecurity breach at a small business “not only has devastating consequences for that company’s future, it can also be the doorway for breaches of larger companies,” Peters said in a statement. “Yet too many small business owners say they lack the resources they need to safeguard their businesses and customers from hackers, fraudsters, and cybercriminals.”

While most news coverage focuses on huge data breaches, small businesses are not immune from attack. About 43 percent of the more than 41,000 cyberattacks identified in Verizon’s 2019 Data Breach Investigations Report targeted small businesses.

The bill echoes recommendations from DHS and the SBA in a report published in March, which suggested that many small businesses lack training in cybersecurity and are confused about what cybersecurity resources are available from the government.

Rep. Steve Chabot introduced a similar bill earlier this year.

Rubio has also introduced another bill, the Small Business Cyber Training Act, which would require cyber certification for small business development center counselors.

Several cybersecurity experts praised the bill, saying more training resources can help small businesses improve their defenses against cyberattacks.

“Complying with data privacy and cybersecurity laws is often a daunting task for small businesses,” said William Roberts, a cybersecurity lawyer at Shipman & Goodwin in Hartford, Connecticut. “They usually lack the financial, dedicated cybersecurity or compliance staff, and time to dedicate to cybersecurity.”

For many small businesses, and particularly start-ups, cybersecurity is one of many legal and compliance risks they are trying to juggle, he added. “Despite best efforts, there is simply not enough money or time in the day for many small businesses,” he said. “Add in the ever-changing technical nature of cybersecurity and a legal landscape in constant flux, many small businesses don’t know where to turn next for support.”

The bill would allow small businesses to use the SBDCs as an “outsourced” cybersecurity resource to help them understand the risks to their business, the legal requirements, and the way to enact reasonable cybersecurity strategies, Roberts added.

The intentions behind the bill are good, said Robert Siciliano, cybersecurity training expert and CEO of Safr.me. However, there are other cybersecurity resources available that many small businesses don’t take advantage of, he added.

“The issue here is execution,” he said. “Programs deployed by the government tend to get bogged down in bureaucracy and often do not reach their full potential.”

Siciliano cautioned against small businesses going it alone on cybersecurity. “Cybersecurity is a specialty,” he said. “It requires skilled credentialed experts. Just because anyone can buy a hammer, doesn’t mean they are a finish carpenter.”

Another cybersecurity expert questioned the value of the bill. The legislation is unlikely to “move the needle,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.

Hahad questioned whether many small businesses would take advantage of the resources offered. “Most small businesses do not see the dangers involved with cybersecurity and believe the impact to their business would usually be minimal,” he said. “Therefore, they do not invest time and resources in shoring up their security posture. They rely on their primary vendors to put in place a good enough security solution so they can remain focused on their core business.”

Hahad recommended that Congress instead focus on improving the security of the nation’s critical infrastructure or establish an incident response center for small businesses to help them deal with cyber incidents.
