There are precious few issues or topics capable of garnering bipartisan support in Congress these days. Finding new ways to help small businesses protect against cyberattacks and other digital threats is one of them.
This week a quartet of senators introduced a new bill, The Small Business Cyber Resiliency Act, that would establish a new Central Small Business Cybersecurity Unit within the Small Business Administration. The unit would be responsible for creating a free, public repository of cybersecurity resources for small businesses to tap, improving information sharing between the SBA and the Cybersecurity and Infrastructure Security Agency and other agencies, and conducting cyber hygiene reviews for small businesses that had to quickly stand up digital infrastructure to stay afloat in the wake of the COVID-19 pandemic.
“Small businesses are invaluable to our communities — creating jobs, providing goods and services, and contributing substantially to our economy — but increasing data breaches and cyber risks threaten these businesses’ futures,” said Sen. James Risch, R-Idaho, in a statement. “Given the variety of threats small businesses face, from home and abroad, it is important they are equipped with tools and information to protect themselves, their employees and customers, and our entire economy.”
The bill is being brought forward by two Republicans and two Democrats: Risch and fellow Idaho GOP Sen. Mike Crapo, as well as Sens. Jeanne Shaheen, D-N.H., and Catherine Cortez Masto, D-Nev. In a release announcing the bill, Shaheen noted that 99% of companies in her state would fall into the category of a small business.
Small businesses represent one of the weakest links in the cybersecurity ecosystem — often lacking dedicated funding or staff for cybersecurity and priced out of the market for most tooling or managed third-party cybersecurity services. That, combined with the fact that many of those same smaller businesses occupy important parts of the technology supply chain for larger providers, makes them an attractive target for hackers.
For example, the Department of Defense is currently trying to raise digital security standards for its contractors through programs like the Cybersecurity Maturity Model Certification program, but has struggled to find a way to do it without crowding out many smaller companies that provide the bulk of technology innovation within the military.
According to Accenture’s annual cybercrime study, small businesses are the primary victim in 43% of cyberattacks. IBM’s most recent report on the cost of a data breach found that smaller organizations (defined as those with 500 employees or fewer) incurred an average of $3.31 million in total and associated costs to respond to a breach.
“You have very, very limited resources for implementing security controls of any kind. Your IT person is also your security person is also your Jack- (or Jill-) of-all-trades who wears many hats and never sleeps,” Verizon’s latest data breach investigation report noted while describing the challenging digital security environment that many smaller enterprises face.