
Small and medium businesses need their own federal cyber policy, say advocates


Small to medium-sized businesses have drastically different cybersecurity preparedness, capacity and overall posture than their king-sized brethren. It should not be much of a surprise, then, that SMB cybersecurity advocates are lobbying the Biden administration for small business-specific cybersecurity federal policies to complement an approach often focused on big players and government entities.

SMBs need to be addressed separately, say advocates, because encouraging cybersecurity in smaller firms is fundamentally different from doing so in larger firms. Several issues exist solely because of scale. Hiring a dedicated cybersecurity employee in a 10-person office increases the workforce by 10%. Without dedicated resources to address the problem, small firms are less equipped to understand gaps in coverage or to hunt down disparate federal resources. The equipment in small firms also differs from that in large firms; they are more likely to repurpose home gear, for example. The risk, and the perception of risk, can be wildly different. And small companies are more likely to take go-for-broke, fast-growth strategies that prioritize revenue and R&D over adequate security investment.

“I would argue that small companies in different sectors are more similar in cybersecurity needs than small and large companies in the same sector," said Michael Daniel, the president and CEO of the infosec industry threat sharing group, the Cyber Threat Alliance, and former White House cybersecurity coordinator. "While we typically think of differentiating policy among ‘verticals,’ we should also sometimes differentiate along ‘horizontals’ too.”

A new whitepaper from the SMB-focused Cyber Readiness Institute proposes a five-pronged approach for the administration to take to bolster small business cybersecurity — and not just for their own benefit. 

“It's clear that small businesses have become vulnerabilities in our global supply chains,” said Kiersten Todt, managing director of the institute.

CRI is pushing for greater investment in federal educational outreach toward SMBs to help them deal with common problems. It backs tax incentives to encourage cybersecurity, asks a federal agency — likely the Cybersecurity and Infrastructure Security Agency — to catalog in a single location the SMB cybersecurity resources currently split across a variety of agencies, and proposes public-private coordination to work on SMB-specific standards. While all of those would be impactful, CRI’s most novel idea is for the federal government to expand its CyberCorps scholarship-for-service program to include SMBs as well as federal agencies.

At present, CyberCorps trades up to three years of college and internship experience for a commitment to do the same period of work for the government. It is a single solution that solves two problems: developing a workforce and placing that workforce in organizations that often struggle to find necessary talent. CRI proposes expanding the program to add an SMB option.

“It’s not just about building the workforce pipeline, but really trying to help and solve issues along the way,” said Todt, who noted the opportunity to provide a private sector rotation to the program would only increase the experience for students. 

Strengthening small businesses within the supply chain has particular benefits for the government, noted Bill Harrod, vice president for public sector at asset management firm Ivanti.

“The federal government wants to do business with small and medium-sized businesses, veteran-owned businesses, women-owned businesses, and those in HUBZones,” or historically underutilized business zones, he said. 

“On the one hand, there is this emphasis by the government to put procurement activity towards small and medium businesses. But on the other hand, the policies that are being leveraged aren't scaled for small and medium businesses," Harrod continued. "In order to be able to do business with the government, they have to meet the same requirements as Raytheon, or Booz Allen and it becomes really onerous.”

The goal, he said, is not to lessen the amount of security that SMBs would need in order to work with the government, but to create an environment where SMBs could reach that level of security using standards designed for firms of their scale.

It may still require a lot of progress to get many SMBs to a place of adequacy.

“Cybersecurity is not a one-size-fits-all kind of approach," Harrod said. "A lot of government mandates, from a policy standpoint, really have to do with the maturity of an organization, and the ability of that organization to meet specific controls and implement those controls. And a lot of times, small, medium-sized businesses are really immature in their approach.”

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
