Perhaps the best approach to rampant malware, ransomware and cybercrime is stronger cooperation between the public and private sectors.
The American Congress took a stab at that kind of ecumenical solution to the looming $6 trillion problem of cybersecurity in the form of the Small Business Cybersecurity Assistance Act (SBCAA). It’s as bipartisan a bill as the U.S. can hope for at present and an encouraging sign that the problem is on the government’s radar.
Regrettably, the Small Business Cybersecurity Assistance Act has already gathered
The two main co-sponsors of the Act — Senators Gary Peters and Marco Rubio — frame the SBCAA’s mission as primarily an educational effort to bring small business owners up to speed on cybercrime-related issues such as:
The small business community must understand that they represent a larger — not a smaller — portion of the threat surface where cybercrime is concerned. Small business owners are less likely to have taken adequate measures to protect their digital systems and are consequently at an even higher risk of sustaining a data breach or a ransomware attack than a major corporation.
Under the Small Business Cybersecurity Assistance Act, business owners could visit U.S. Small Business Development Center (SBDC) locations to secure educational materials, enroll in programs, and work with representatives from the Department of Homeland Security to better understand and confront cyber threats and risks. Clearly, the intentions and the desired outcome are heading in the right direction.
The question is: What on earth is a Small Business Development Center?
Like many public services in the United States, Small Business Development Centers are wonderful in theory but consistently go underfunded — despite their value — and remain mostly unknown to the communities most in need of their assistance. Among other things, SBDCs provide services like business counseling and information on local, state and federal government compliance and assistance programs.
But because this service goes underfunded and unheralded, the U.S. has only 63 such centers — barely one for every U.S. state and territory. In contrast, the U.S. had almost 140,000 Starbucks locations in 2018, despite the company employing under 200,000 people that year.
The SBDC’s 63 locations, meanwhile, are meant to support the entire American small business community. In 2016, companies with fewer than 100 employees made up 33.4% of the U.S. workforce, and companies with 500 or fewer made up nearly half.
Many of the criticisms leveled against the SBCAA have latched onto this lack of infrastructure and public awareness. Earmarking additional funding could possibly help raise the SBDCs’ public profile and make more people aware of their existence. But this isn’t certain, and it doesn’t look like the SBCAA has addressed the existing funding shortfall.
The Act reportedly permits Small Business Development Centers to use their current funding to make cybersecurity resources available after they’re prepared by other government agencies. But the key phrase is “current funding.” SBDCs, like the one at Wharton School, already face shuttering their doors because of a lack of funding. Adding to the demands placed on their staff without a commensurate rise in funding could be fruitless.
The other problem, apart from a lack of funding and awareness, is that significant numbers of small business owners do business in the cloud. As a result, they outsource most of their IT and digital systems architecture work, including data hosting services, to third parties.
It could be fairly useful to educate small business owners on the security best practices these third parties should follow in their operations — either by law or according to common sense. What’s not useful is doing all of this without backing it up with appropriately harsh fines for the larger companies which mishandle or misplace client data, either by mistake or because they have nefarious intent.
The European Union is off to a slow start levying fines for abusing data privacy and security, but the now-year-old General Data Protection Regulation gives the government the power to do so. Until the U.S. implements a similar measure, U.S. states are left on their own to fine companies which don’t take cybersecurity or client privacy seriously. Any measure undertaken to educate the small business community about cybersecurity won’t do much good if the U.S. government doesn’t stand ready to have their backs.
Another potentially fruitful avenue to explore is providing grants or subsidies to help small business owners purchase cyber liability insurance. Not all small business owners know such products exist, but these services can go a long way toward keeping small businesses in operation after they fall victim to a cybercrime.
Some seem content to let cybersecurity remain a competitive advantage or a luxury commodity. Others believe the buy-in should be the same for both small entrepreneurships and major corporations when it comes to keeping digital properties safe. Everybody has a right to stay safe online — it shouldn’t be something that only moneyed interests get to enjoy.
The SBCAA is a well-intentioned measure styled after the American tradition of empowering people to pull themselves up by their own bootstraps and know-how.
But without a more robust support system in place, it risks confirming what many people already believe — that the government throws money at problems instead of solving them. It’s best to think of the SBCAA as a first step toward something better.
A better, second draft would back up its proposals for DHS-SBDC collaboration with additional funding as well as adequate punitive measures for data handlers that get cybersecurity wrong.
(Security Affairs – Small Business Cybersecurity Assistance Act)