At a recent cybersecurity conference for small businesses in Blacksburg, Va., a business owner told the audience about a costly ransomware attack on the family’s legal business. Another small business owner experienced a ransomware attack that left the company nearly bankrupt.
Such stories abounded at the conference hosted by the Small Business Development Center, a partner with the Small Business Administration (SBA), which underwrote the event. Funding such grass-roots conferences is part of a multi-pronged effort to help combat the soaring threat of cyberattacks on U.S. small businesses.
SBA has made it a priority to provide cybersecurity assistance for small businesses, reaching out to local chambers of commerce, technology vendors, and banks that serve small businesses to raise awareness of the benefits of cybersecurity threat prevention sharing through conferences such as the Blacksburg event.
Cyberattacks on businesses have risen steadily in recent years. A Symantec study found that attacks on small businesses have increased from 18 percent of all attacks in 2011 to 43 percent in 2015. However, a recent survey by Nationwide Insurance revealed that many small business owners lack formal cybersecurity plans. While 83 percent of owners reported that they believe it’s important to establish security practices and policies recommended by SBA to protect sensitive information, only half said they had established such practices.
Congress has also gotten proactive in the cyber war on small business. The House in October passed the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act of 2017, introduced by Rep. Daniel Webster, R-Fla., a member of the House Science, Space, and Technology Committee. The legislation requires NIST to consider small businesses when it facilitates and supports the development of voluntary, consensus-based, industry-led guidelines and procedures to cost-effectively reduce cyber risks to critical infrastructure.
Under the bill, NIST must publish resources on its web site that small businesses can use to help identify, evaluate, and reduce their cybersecurity risks. Resources must include case studies of practical applications that are relevant to the size and nature of small businesses.
The Senate in late September passed a similar bill, the Main Street Cybersecurity Act, which requires NIST to publish and disseminate resources to help small businesses adopt NIST’s cybersecurity framework. The bill, introduced by Sen. James Risch, R-Idaho, and Brian Schatz, D-Hawaii, would give small businesses the tools they need “to beef up their cybersecurity and prepare to fight back,” Schatz said in a statement. The bill would ensure that NIST considers the needs of small businesses as it updates the framework over time, he said.
Another bill working its way through Congress is the Small Business Development Center Cyber Training Act of 2017, which requires SBA to establish a program for certifying employees of Small Business Development Centers to provide cybersecurity planning assistance to small businesses. The legislation was offered by Sen. Jim Risch, R-Idaho, and co-sponsored by Sen. Jeanne Shaheen, D-N.H. Rep. Steve Chabot, R-Ohio, introduced a companion bill in the House.