Congressional acts aim to help small businesses improve cybersecurity
But industry leaders warn vague guidelines, simplified solutions, lack of resources will foil best efforts
By Rodika Tollefson, ThirdCertainty
Lack of resources is the biggest barrier for small businesses’ cybersecurity. So it’s not surprising that the U.S. Congress wants to help by making resources available.
New legislation intends to help small businesses strengthen their security. But industry practitioners are skeptical about its impact.
Two related bills made their way out of committees recently in the Senate and in the House—titled, respectively, the MAIN STREET (Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology) Cybersecurity Act of 2017 and the NIST Small Business Cybersecurity Act of 2017.
Citing that 60 percent of small businesses fold within six months of a cyber attack, the bills would require the National Institute of Standards and Technology (NIST) to disseminate “simplified” resources geared specifically to small businesses. The resources could encompass voluntary tools, standards, guidelines, best practices, etc., and would include elements like basic controls.
The legislation was widely supported by industry groups such as the National Small Business Association, U.S. Chamber of Commerce and the Information Technology Industry Council.
A move in the right direction
Jeannie Warner, security strategist at application-security vendor WhiteHat Security, says the idea is similar to the Payment Card Industry Data Security Standard’s simplified version of its guidelines for small businesses.
“They (PCI DSS) realized that small businesses have the exact same needs as big businesses, but less money to execute and likely no experience at all in IT, let alone security,” she says. “NIST’s stated intention of doing the same is an excellent step forward.”
The PCI guide includes granularities such as what type of scanner technologies are approved for use with mobile devices for POS transactions. She says that’s “exactly the level needed for cottage industries and starter companies that need a bump in the direction on how to secure financial transactions.
“I hope NIST pays more attention to application-level challenges … and offers up best practices or recommended tools/vendors who play in the affordable SMB space,” Warner says.
The congressional bills require the provided resources to be technology-neutral, which likely means they’ll focus on high-level, vendor-neutral information. Small businesses need guidelines that are more prescriptive, says Casey Corcoran, vice president of cybersecurity company FourV Systems.
“A general problem with [guidelines like NIST], they’re prescriptive only in a general sense and then you have to figure out how to do that,” he says. “It’s a vague statement of what to do and doesn’t help the person to go do them.”
Simple isn’t more secure
NIST, in fact, already has provided guidelines geared to small businesses. Last fall, it released “Small Business Information Security: The Fundamentals,” which essentially is a simplified version of its widely used cybersecurity framework. The guidance is designed to provide “basic security.”
Sammy Migues, principal scientist at software-security vendor Synopsys, says trying to simplify the cybersecurity framework for small businesses is like writing a book to make calculus easy for elementary-school students—“it’s still calculus.”
“If you have no grounding in how to do this, what are you going to do with the list? Even more, who’s going to do it?” he says.
FourV President Derek Gabbard agrees. He says that a condensed version of the cybersecurity framework is a good starting point, but it’s not likely to solve the problem.
“It’s a complex problem to solve and too simplified a solution won’t get you there,” he says. “And for a small business to implement even a scaled-down process is more work.”
SMBs hit a wall
Even when small organizations have the resources to invest in new technology, such as next-generation firewalls, they get stuck at implementation and management.
“The configuration and management of all these technologies, even inside a single platform, is hard,” Gabbard says. “Most small businesses don’t have the resources to even do that.”
Tax incentives for meeting basic cybersecurity requirements would be a better solution, Migues says. Better yet, having the FTC “crack down on software and IT vendors that sell insecure business technology to SMBs or make false security claims about their products.
“The underlying problem hindering small business is that software and systems they rely on are insecure,” he says.
Ultimately, Gabbard believes, it would be up to the industry to help small businesses, starting with a standardized security data set.
“That in and of itself is a challenge. … It’s severely lacking in the industry, though we’re seeing an emergence,” he says. “I think it’s a necessity.”