Most of the data breaches that make headlines these days happen at large organizations, but the threat of hacking is not confined to the enterprise. A study published by security giant Symantec last year found that 43 percent of cyberattacks target small businesses. It’s becoming such a problem that even Congress, which has historically been slow to address new developments in the technology world, is starting to take notice.
A bill currently moving through the Senate seeks to provide small businesses with more resources for protecting their information from attack. Introduced by Sen. Brian Schatz (D-Hawaii), the Main Street Cybersecurity Act proposes the creation of federal guidelines for breach prevention that specifically focus on firms with fewer than 500 employees. If passed, the bill will entrust the task to the National Institute of Standards and Technology (NIST), which created a similar framework for large enterprises back in 2014.
The latter guide combines high-level information about how to implement security best practices with practical pointers from several dozen white papers. The framework has made an outsized impact on the corporate world since its release. In a video released last year, NIST claims that about 30 percent of the companies that the framework was designed to reach currently follow its guidelines to varying extents. The Main Street Cybersecurity Act uses the same basic formula in a bid to replicate the project’s success.
A press release from Sen. Schatz’s office specified that the plan is to create a set of “simplified, consistent resources” based on the 2014 framework. The emphasis will likely be on the “simplified” part given that the average small business doesn’t have the manpower to pore over dozens of technical papers. For the proposed guidelines to be effective, they’ll likely have to be considerably shorter than the enterprise version and much different in structure.
To start, the paper will need to account for the fact that the average small business doesn’t employ dedicated cybersecurity staff. Most only have a few IT generalists to support day-to-day operations, if that. As a result, NIST can be expected to leave out the more nuanced parts of its enterprise framework and focus on the best practices that businesses are most likely to implement. In other words, it will have to stick to the essentials.
Besides basic items such as blocking malicious sites and training workers in handling suspicious emails, the top priority for businesses is to use technology products with strong security. GoCo, for example, encrypts sensitive data using one of the most time-tested cryptographic algorithms on the market while logging every important action to create an audit trail. It’s all done in compliance with the HIPAA regulations that govern healthcare-related information. And the underlying infrastructure is run by the cloud division of Amazon, which has such a reputation for security that it’s been commissioned to build a data center for the CIA.
The Main Street Cybersecurity Act represents an important step towards making breach prevention a bigger priority for businesses when adopting new technologies. Given that it’s been endorsed by a bipartisan group of senators along with the National Small Business Association and U.S. Chamber of Commerce, the bill should face few obstacles going forward.