Why Small Businesses Need Cybersecurity
Small businesses face many of the same cybersecurity risks as large businesses. They have a public web presence and social media accounts. They handle customer data, especially payment information targeted by criminals trafficking in identity theft. They have networked devices that can be exploited, including routers, mobile phones and tablets, desktop or laptop computers, inventory management systems, printers and scanners, and point of sale (PoS) devices. Many offer Wi-Fi to their customers.
Small businesses also have similar legal and regulatory requirements to large businesses. If they process personally identifiable information (PII), they probably have a reasonable security requirement imposed by law. If they process payment information, they need to be in compliance with the Payment Card Industry (PCI) Standard. If they process health-related data, they must be compliant with the Health Insurance Portability and Accountability Act (HIPAA) requirements. If they do any work for the Department of Defense (DoD), even as a subcontractor, they have to meet the National Institute of Standards and Technology’s (NIST) SP 800-171 requirements. If they are in an industry categorized as critical infrastructure, they may have additional measures imposed by the Department of Homeland Security (DHS).
While small businesses face many of the same challenges as large businesses, they do not have the same resources. High cost and a lack of expertise are the top reasons small businesses cite when asked why they do not implement more cybersecurity practices. Indeed, dedicated services and equipment are often priced for big businesses, leaving small businesses sidelined due to limited financial resources. For the tools and techniques that exist for free or low cost, there is a significant gap between the technical competence of business owners and the skills required for operations and maintenance. Qualified experts are scarce and demand salaries beyond most small businesses' reach.
Furthermore, many small businesses make cybersecurity a low priority, even when they acknowledge it is a concern. They are focused on running and growing their business and have little time either to figure out what is needed or to actually take action. Additionally, many have a mindset that a cyber attack will not happen to them or that it is not a major risk to their business. Both views are false. Cyber criminals have automated most of their processes and search for easy rather than large targets. This is one reason ransomware attacks have become a primary concern since 2012. Moreover, being the victim of a cyber attack like ransomware is likely an existential event for many small businesses; less than half of them are able to remain profitable for the first 3 months afterward.
Efforts to encourage the adoption of cybersecurity practices include three models worth discussing: statutory requirements, regulatory requirements, and safe harbor provisions. Statutory requirements have garnered much attention in the past few years due to Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which is based on GDPR. While these may be the most well known for their wide applicability and likely strict enforcement, at least 24 other US states also have laws that require private entities to enact measures to protect consumer data. These laws generally follow a common model imposing “reasonable” (CCPA SEC. 11) or “appropriate” (GDPR Art. 32) security requirements, leaving it to regulators to determine whether an entity is in compliance. The shortfall of these laws is that it is unclear whether they will be widely enforced, especially against small businesses. Regulators may target larger companies in order to make a statement with their limited resources, leaving most small businesses able to escape with minimal compliance for the foreseeable future.
Regulatory requirements for specific industries tend to be more prescriptive than general statutory requirements, often dictating specific measures that must be accomplished for compliance. Massachusetts passed one of the earliest versions of these requirements when their Office of Consumer Affairs and Business Regulation enacted the Standards For The Protection Of Personal Information Of Residents Of The Commonwealth in 2009. The regulation applies to “[e]very person that owns or licenses personal information about a resident of the Commonwealth” and includes 10 specific areas that must be addressed in a written information security plan (WISP). While other states have adopted ideas from Massachusetts, most regulatory requirements in other states are narrowly focused on a specific industry. For example, the New York State Department of Financial Services passed strict requirements for financial services companies in 2017, Colorado passed requirements for broker-dealers and investment advisors in 2017, and South Carolina passed requirements for the insurance industry in 2018. The narrow focus on specific industries makes these requirements effective because regulators are able to consistently enforce the standards.
Safe harbor provisions for cybersecurity plans are based on similar laws for data breach notifications that provide safe harbor when encryption is used; so far only Ohio has passed such a provision. The Ohio law encourages businesses to adopt better practices by granting an “affirmative defense” if they “[c]reate, maintain, and comply with a written cybersecurity program” aligned with one of a set of listed frameworks and covering some minimum requirements. Providing legal protection, a clear incentive, may encourage more small businesses to adopt better cybersecurity practices than regulations that punish non-compliance do.
Outside of regulations, there are other efforts such as frameworks and certifications that encourage minimum levels of security. The EU’s cybersecurity certification framework is probably the most expansive. Managed by the EU Agency for Network and Information Security (ENISA), the framework provides different levels of certification for products, services, or processes that must be recognized across all member states. Similarly, the UK’s Cyber Essentials program enables public and private entities to demonstrate to consumers that they have taken cybersecurity measures. Unfortunately, all these measures are currently voluntary, so adoption is limited, especially among small businesses where cost becomes a prohibitive factor.
Reasonable security approaches, such as the CCPA and GDPR, are designed to adjust to each business environment. The measures one company needs to prove reasonableness would be too burdensome for another. The requirements are flexible to account for these differences. In contrast, mandatory enforcement policies require and assess specific measures for all covered entities, regardless of the imposed burden. There are three programs worth discussing for small businesses. In 2016 the EU adopted the Network and Information Services (NIS) Directive, part of which requires “operators of essential services” and “key digital service providers” to meet minimum cybersecurity standards. These categories focus on critical national infrastructure, such as utility operators or the banking sector. While these are often large players, small businesses that do exist in this space are required to meet the same standards.
In the United States, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has a similar mandate called the Chemical Facility Anti-Terrorism Standards (CFATS), but it is limited to chemical facilities. Additionally, the program is non-permanent and must continually be authorized by Congress. The current program is set to expire in July 2020, although legislation has been introduced to extend the program through 2025.
The most successful effort for wide-scale adoption of cybersecurity practices is the DoD’s Safeguarding Covered Defense Information and Cyber Incident Reporting program, which started in 2016 and became enforceable in 2018. The DoD procurement program is stringent and requires all contractors and their subcontractors to fully implement NIST SP 800-171, which covers 110 different areas. The DoD even provides funding to defray incurred costs. Despite the success of the program, the DoD is moving to a program called Cybersecurity Maturity Model Certification (CMMC) that adds different levels of compliance with external verification. The change is intended to raise compliance and to make participation in the program more cost-effective for small businesses.
US Government Small Business Resources
The US federal government offers many other cybersecurity resources for small businesses, including from the Small Business Administration (SBA), CISA, the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the Department of Justice (DOJ). NIST even has formal responsibility from Congress “to disseminate consistent, clear, concise, and actionable resources to small businesses.” Their landing page has many guides and resources, but many are outdated and often inaccessible to a non-technical audience.
Perhaps the most promising development for small business cybersecurity is the increased focus on this issue by the SBA. Pilot programs in some state and regional Small Business Development Centers (SBDCs) are providing high-touch services, consulting, and training. Legislation has also been introduced in Congress that would mandate such services at all SBDCs and require minimum levels of staff with cybersecurity training. These programs will probably be the most effective in the long term in getting small businesses to adopt best practices that protect them and their customers, but they do not come with additional funding at this time, so their spread to SBDCs will probably be slow.
What can be done
These legislative and regulatory efforts underscore the importance of small businesses for the national economy and why they need to be a focus of US cybersecurity strategy. Small businesses account for 99.9% of all businesses in the US and account for 47.5% of all private-sector employment.
The federal government and some State, Local, Tribal, and Territorial (SLTT) governments have specific quotas or considerations for small business contracts. California, for example, issued an Executive Order in 2006 establishing a goal to spend at least a quarter of their contract dollars with small businesses. However, these contracts do not often take into account cybersecurity best practices. This is despite the fact that, when a small business is breached, it puts all of its partners, including government entities and their constituents, at risk due to data exposure and system interconnections.
The lack of small business cybersecurity can be seen as a market failure. Small businesses need the high levels of security that are typical of big business, but understandably do not prioritize their own money and time to implement these tools and practices. In most instances, customers are not willing to pay more for products and services from companies that do invest in cybersecurity. Government regulation is an appropriate response to force change but may have the unintended side effect of causing small businesses to close due to the increased cost. An approach is required that balances the high need for cybersecurity with limiting the regulatory burden and financial impact of compliance.
We propose that governments, especially SLTTs, incentivize better cybersecurity practices by modifying their procurement policies to require a Cybersecurity Plan in order to compete for contracts. At the same time, we propose that additional resources should be provided for small businesses to ease the friction of taking action on cybersecurity practices. We have created two such products: a risk assessment tool called Interactive LASER and an educational campaign called Eat Hackers for Lunch.