Congressional acts aim to help small businesses improve cybersecurity

But industry leaders warn vague guidelines, simplified solutions, lack of resources will foil best efforts


Lack of resources is the biggest barrier for small businesses' cybersecurity. So it's not surprising that the U.S. Congress wants to help by making resources available.

New legislation intends to help small businesses strengthen their security. But industry practitioners are skeptical about its impact.

Two related bills made their way out of committees recently in the Senate and in the House, titled, respectively, the MAIN STREET (Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology) Cybersecurity Act of 2017 and the NIST Small Business Cybersecurity Act of 2017.

Citing that 60 percent of small businesses fold within six months of a cyber attack, the bills would require the National Institute of Standards and Technology (NIST) to disseminate "simplified" resources geared specifically to small businesses. The resources could encompass voluntary tools, standards, guidelines, best practices, etc., and would include elements like basic controls.

The legislation was widely supported by industry groups such as the National Small Business Association, U.S. Chamber of Commerce and the Information Technology Industry Council.

A move in the right direction

Jeannie Warner, security strategist at application-security vendor WhiteHat Security, says the idea is similar to the Payment Card Industry Data Security Standard's simplified version of its guidelines for small businesses.

"They (PCI DSS) realized that small businesses have the exact same needs as big businesses, but less money to execute and likely no experience at all in IT, let alone security," she says. "NIST's stated intention of doing the same is an excellent step forward."

The PCI guide includes granularities such as what type of scanner technologies are approved for use with mobile devices for POS transactions. She says that's "exactly the level needed for cottage industries and starter companies that need a bump in the direction on how to secure financial transactions."

"I hope NIST pays more attention to application-level challenges … and offers up best practices or recommended tools/vendors who play in the affordable SMB space," Warner says.

The congressional bills require the provided resources to be technology-neutral, which likely means they'll focus on high-level, vendor-neutral information. Small businesses need guidelines that are more prescriptive, says Casey Corcoran, vice president of cybersecurity company FourV Systems.

"A general problem with [guidelines like NIST], they're prescriptive only in a general sense and then you have to figure out how to do that," he says. "It's a vague statement of what to do and doesn't help the person to go do them."

Simple isn't more secure

NIST, in fact, already has provided guidelines geared to small businesses. Last fall, it released "Small Business Information Security: The Fundamentals," which essentially is a simplified version of its widely used cybersecurity framework. The guidance is designed to provide "basic security."

Sammy Migues, principal scientist at software-security vendor Synopsys, says trying to simplify the cybersecurity framework for small businesses is like writing a book to make calculus easy for elementary-school students: "it's still calculus."

"If you have no grounding in how to do this, what are you going to do with the list? Even more, who's going to do it?" he says.

FourV President Derek Gabbard agrees. He says that a condensed version of the cybersecurity framework is a good starting point, but it's not likely to solve the problem.

"It's a complex problem to solve and too simplified a solution won't get you there," he says. "And for a small business to implement even a scaled-down process, is more work."

SMBs hit a wall

Even when small organizations have the resources to invest in new technology, such as next-generation firewalls, they get stuck at implementation and management.

"The configuration and management of all these technologies, even inside a single platform, is hard," Gabbard says. "Most small businesses don't have the resources to even do that."

Tax incentives for meeting basic cybersecurity requirements would be a better solution, Migues says. Better yet, having the FTC "crack down on software and IT vendors that sell insecure business technology to SMBs or make false security claims about their products."

"The underlying problem hindering small business is that software and systems they rely on are insecure," he says.

Ultimately, it would be up to the industry to help small businesses, Gabbard believes. A standardized security data set, for starters.

"That in and of itself is a challenge. … It's severely lacking in the industry, though we're seeing an emergence," he says. "I think it's a necessity."
