The recent attacks on our nation’s digital infrastructure through the compromise of small- and medium-sized businesses (SMBs) underscore the urgent need to close a critical gap in our nation’s cyber defenses.
When we think about cybersecurity, we tend to think at a macro level — about state actors, and state secrets; about hacks of millions of online identities; about threats to critical infrastructure. And when we think about remedies, we tend to focus on digital giants and national or multinational policymaking. These policy solutions are necessary and appropriate, but they are not sufficient. The threats we face — as a nation, and as individual consumers and citizens — are not restricted to the macro level. As the saying goes, a chain is only as strong as its weakest link. Today, that chain is our economy’s supply chain, and our SMBs are its weak link.
SMBs, which are constrained by limited resources and unable to invest proportionately in cybersecurity, expand our risk exposure. Bank of America CEO Brian Moynihan said during an appearance on Face the Nation that eighty percent of America’s businesses have fewer than 10 employees, and 95 percent have fewer than 100. SMBs are the backbone of our economy, but they are inherently fragile. These small enterprises lack the resilience to withstand a barrage of cyberattacks.
The SolarWinds and Microsoft Exchange attacks have brought us to an inflection point, raising questions about the viability of America’s cyber defenses. These recent compromises are, in fact, symptoms of the challenges we face. And policies are not enough. We cannot simply shrink tools and techniques employed by major corporations into smaller versions for SMBs. Many SMBs are doing what the experts tell them to do — updating and patching software, changing passwords, removing malicious code — but neither they nor we can be lulled into believing that is enough.
SMBs need easy access to cybersecurity resources, support from the federal government and prescriptive and simple-to-adopt programs and approaches that impact their everyday operations. Because a small business may not have a department or even a single employee solely focused on cybersecurity, approaches grounded in creating cultural change through human behavior and education are critical. Human behavior can be a force multiplier for cybersecurity in SMBs (and larger companies, as well).
The federal government can play a critical role. Here are five steps it can take today that will have expedient and measurable impacts on SMB cybersecurity defenses:
- Create an SMB Cybersecurity Center. Today, no single government agency curates cybersecurity resources, from multiple, vetted sources, for SMBs. This issue presents a challenge for SMBs. Given the ongoing work to support SMBs by the Cybersecurity and Infrastructure Security Agency (CISA) and the recent allocation of additional resources to the agency, CISA is a recommended agency to perform this function.
- Establish Cybersecurity Incentives. Tax credits to SMBs that invest in cybersecurity can incentivize cybersecurity efforts.
- Set Cybersecurity Standards. We need minimum standards for cybersecurity that all organizations must follow, including SMBs. These standards would be founded in a risk management approach that allows each business to address their cybersecurity vulnerabilities based on their mission, assets, and resources.
- Launch National Cyber Squads. We should amplify the existing CyberCorps with government-funded Cyber Squads of student interns to help minority-owned SMBs and to fill a desperately needed talent pipeline. By doing so, we will also be educating the next generation of cyber leaders.
- Roll Out a National Cyber Readiness Education Campaign. Awareness is critical. For SMBs and the entire population, we need an aggressive, accessible, and easy-to-understand nationwide awareness campaign. To start and for clarity, it should focus on one issue, such as authentication. This approach can help change behavior and educate everyone — at work and home — on the basic steps to be cyber ready.
Our nation’s cybersecurity challenges are diverse. One foundational way we can improve our defenses is by supporting and investing in the cyber readiness of small- and medium-sized businesses. A weak link in our nation’s supply chains can become one of our greatest strengths: America’s hundreds of thousands of SMBs, mobilized, educated, and supported to be our resilient frontline of cyber defense.
Kiersten E. Todt is the managing director of the Cyber Readiness Institute, a non-profit that provides free cybersecurity tools to small- and medium-sized businesses, globally. She most recently served as executive director of President Obama’s Commission on Enhancing National Cybersecurity.