NIST Small Business Cybersecurity Act Becomes Law

The NIST Small Business Cybersecurity Act Aims to Provide Cyberdefense Resources

U.S. President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act) into law on Tuesday (August 14, 2018). It requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks." 

The resources to be provided are informational. They must be generally applicable to a wide range of small businesses; vary with the nature and size of small businesses; promote cybersecurity awareness and workplace cybersecurity culture; and include practical application strategies. The resources must further be technology-neutral and compatible with COTS solutions; and as far as possible consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980.

Use of these resources by small businesses is voluntary. 

The bi-partisan act was authored by U.S. Senators Brian Schatz (D-Hawai'i) and James Risch (R-Idaho), and co-sponsored by Senators John Thune (R-S.D.), Maria Cantwell (D-Wash.), Bill Nelson (D-Fla.), Cory Gardner (R-Colo.), Catherine Cortez Masto (D-Nev.), Maggie Hassan (D-N.H.), Claire McCaskill (D-Mo.), and Kirsten Gillibrand (D-N.Y.).

"As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that's exactly what makes them an easy target for hackers," said Schatz, lead Democrat on the Commerce Subcommittee on Communications Technology, Innovation, and the Internet, in a statement. "This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks."

The act has been well-received by the security industry.

"Bills focusing on the cybersecurity needs of small businesses are becoming increasingly necessary to protect activity crucial to the U.S. economy," explains Jessica Ortega, a member of the SiteLock research team. "Small businesses account for 99.7% [SBA figures] of employers in the United States and as many as 50% [CNBC figures] of those have experienced a cyberattack. Not surprising when you consider that websites are attacked as many as 50 times per day on average [SiteLock's own figures]."

She adds, "The NIST Small Business Cybersecurity Act aims to provide cyberdefense resources for small businesses by creating a set of guidelines for basic security measures that should be easy to follow and implement affordably. It also creates guidelines for making security best practices a required component of corporate training and workplace culture, something that is very needed as cyberthreats continue to evolve."

Small businesses, and many large organizations, struggle to comply with the existing NIST Security Framework. "This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain," adds Dr. Bret Fund, founder and CEO at SecureSet.

The basic problem is that small organizations cannot afford extensive in-house cybersecurity resources, while many still believe they will not be a target for cyber attackers. "Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks," warns Dirk Morris, chief product officer at Untangle. Small businesses are a major direct target for business email compromise (BEC) and ransomware attacks (https://www.securityweek.com/ransomware-where-its-been-and-where-its-going); and as part of the supply chain for larger organizations they are targeted for both credential theft and island-hopping to the larger target.

Counterintuitively, small businesses suffer more from a successful attack than do the larger companies. "In fact," suggests Anupam Sahai, Vice President of Product Management at Cavirin, "recent reports shows that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures."

The same report highlighted by Sahai also points out that smaller companies paying lower salaries have a proportionately higher number of grey hats working for them, making them more susceptible to insider threats.

While the security industry generally applauds this new act, it still suffers from one major drawback -- use of the new NIST resources by small businesses is voluntary. 

"I will be curious to see how this plan is carried out," says Francis Dinha, CEO and co-founder of OpenVPN. "Many small businesses neglect cyber security because they aren't aware and don't understand the risks -- so, they don't seek out solutions. But if they're not seeking out solutions now, what makes anyone think they will seek out these new NIST resources?"

The act, he says, "does not seem to specify how to connect or engage with small businesses in these practices. It only requires NIST to make resources, in the form of guidelines, methodologies, and other information, available online. I'm concerned this won't be enough. If small businesses aren't engaged in a more active way, they may miss this opportunity and remain at risk."

A complaint often heard at SecurityWeek from harassed CISOs is, "If it's not a regulation, it won't happen." Perhaps what is required as a next step is a small business cybersecurity framework that can be audited. Larger organizations can then insist that smaller companies they engage must show compliance with the NIST small business cybersecurity framework -- but even that will create problems. Small companies with great new ideas will continue to develop their ideas without intrinsic security -- and the larger companies will have to choose between a great new non-conformant idea and an older conformant solution.

This new act is a great help in assisting those small businesses that wish to improve their cybersecurity to do so. But it needs to be made a requirement before it will seriously improve the overall cybersecurity posture of the nation.

Original author: Kevin Townsend