Implications of strengthening the cybersecurity of small business in America

On November 2, 2021, the House of Representatives passed two bills with the goal of strengthening the cybersecurity of small businesses in America.

The first bill, the Small Business Administration (SBA) Cyber Awareness Act, was unanimously approved to expand cybersecurity operations at the SBA. The bill requires the Small Business Administration to issue a report assessing the agency’s ability to combat cyber threats within six months of passage. The report must disclose:

• SBA’s cybersecurity infrastructure
• The SBA’s strategy to improve cybersecurity protections
• Any equipment used by the SBA and manufactured by a company headquartered in China, and
• Any incident of cyber risk at the SBA and the agency’s actions to confront it

Additionally, the bill requires that the SBA notify Congress of future breaches while detailing who was affected in said breach as well as how the breach occurred.

The bill was introduced by Reps. Young Kim (CA-39) and Jason Crow (CO-06).

“For more than two decades, the SBA’s Inspector General has listed IT security as one of the most pressing challenges facing the SBA. Unfortunately, SBA cybersecurity vulnerabilities were brought to light with unprecedented demand of SBA loan programs during COVID-19, discouraging entrepreneurs from starting a business and creating jobs,” said Congresswoman Kim. “We must address this issue now and secure our systems so small business owners can safely utilize SBA’s resources as they work to recover from the pandemic, hire workers and adjust to rising costs of supplies.”

The second bill, the Small Business Development Center Cyber Training Act, aims to give small businesses the resources necessary to manage cyber-attacks on their own. The bill would help improve the training of Small Business Development Centers (SBDCs) to ensure they can better support and counsel small businesses on cybersecurity-related matters. As it stands, the bill would enable the SBA to reimburse SBDCs for employee certification and training costs, upwards of $350,000 annually.

The bill was introduced by Congressman Andrew Garbarino (R-NY). In a recent release he stated, “As both a member of the House Small Business Committee and Ranking Member of the House Homeland Security Committee’s Cybersecurity Subcommittee, I have seen how difficult it is for small businesses to arm themselves against these kinds of attacks due to resource constraints. It is my hope that this bipartisan legislation will be an impactful first step to getting small businesses the training they need to protect themselves from cyber criminals.”

Why do these bills matter?

Given the rapidly evolving threat landscape and increased frequency of attacks, establishing strong cybersecurity education is a critical business opportunity.

As a small business, using resources made available to you by regulatory authorities provides room for differentiation in the market and establishes security as a key deliverable to your customers. This looks like an ability to:

• Prevent loss of customer data
• Execute on and communicate secure data procedures throughout all lines of business
• Secure the storage valuable business information in the face of threats, and
• Define and implement a threat-informed business strategy

What action items can small businesses take away today?

• Attend a free training: When taking the first steps to prioritize cybersecurity across your business, it’s critical to gather information in cost-effective, accurate ways.
• Research cybersecurity trends: At the heart of threat evolution lies digital transformation. As digital transformation continues at full speed, finding a cybersecurity resource hub to use as your central source of truth will aid the learning process.
• Spark conversation: Start conversations around cybersecurity with industry peers and establish a strong network of trusted subject matter experts. Staying informed and creating a community of people to learn with is key in standing up strong cybersecurity awareness throughout your business.
• Begin strategizing: Identify key gaps in your understanding of cybersecurity awareness and begin gathering resources to aid you as you strategize on how to mitigate your risk areas.

I firmly believe that weaving the fabric of trust throughout your organization is an opportunity for business differentiation and a key to empowering efficient workflow in every business dynamic, no matter its size. The bills focus on strengthening Small Business Cybersecurity, of which establishing a trust-based cybersecurity program is essential.