NIST Small Business Cybersecurity Act Becomes Law

The NIST Small Business Cybersecurity Act Aims to Provide Cyberdefense Resources

U.S. President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act) into law on Tuesday (August 14, 2018). It requires NIST to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.” 

The resources to be provided are informational. They must be generally applicable to a wide range of small businesses; vary with the nature and size of small businesses; promote cybersecurity awareness and workplace cybersecurity culture; and include practical application strategies. The resources must further be technology-neutral and compatible with commercial off-the-shelf (COTS) solutions; and, as far as possible, consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980.

Use of these resources by small businesses is voluntary. 

The bi-partisan act was authored by U.S. Senators Brian Schatz (D-Hawai’i) and James Risch (R-Idaho), and co-sponsored by Senators John Thune (R-S.D.), Maria Cantwell (D-Wash.), Bill Nelson (D-Fla.), Cory Gardner (R-Colo.), Catherine Cortez Masto (D-Nev.), Maggie Hassan (D-N.H.), Claire McCaskill (D-Mo.), and Kirsten Gillibrand (D-N.Y.).

“As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers,” said Schatz, lead Democrat on the Commerce Subcommittee on Communications Technology, Innovation, and the Internet, in a statement. “This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks.”

The act has been well-received by the security industry.

“Bills focusing on the cybersecurity needs of small businesses are becoming increasingly necessary to protect activity crucial to the U.S. economy,” explains Jessica Ortega, a member of the SiteLock research team. “Small businesses account for 99.7% [SBA figures] of employers in the United States and as many as 50% [CNBC figures] of those have experienced a cyberattack. Not surprising when you consider that websites are attacked as many as 50 times per day on average [SiteLock’s own figures].”

She adds, “The NIST Small Business Cybersecurity Act aims to provide cyberdefense resources for small businesses by creating a set of guidelines for basic security measures that should be easy to follow and implement affordably. It also creates guidelines for making security best practices a required component of corporate training and workplace culture, something that is very needed as cyberthreats continue to evolve.”

Small businesses, and many large organizations, struggle to adopt the existing NIST Cybersecurity Framework (CSF). “This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain,” adds Dr. Bret Fund, founder and CEO at SecureSet.

The basic problem is small organizations cannot afford extensive cybersecurity resources in-house, while many still believe they will not be a target for cyber attackers. “Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks,” warns Dirk Morris, chief product officer at Untangle. Small businesses are a major direct target for business email compromise (BEC) and ransomware attacks; and as part of the supply chain for larger organizations they are targeted for both credential theft and island-hopping to the larger target.

Counterintuitively, small businesses suffer more from a successful attack than do the larger companies. “In fact,” suggests Anupam Sahai, Vice President of Product Management at Cavirin, “recent reports show that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures.”

The same report highlighted by Sahai also points out that smaller companies paying lower salaries have a proportionately higher number of grey hats working for them, making them more susceptible to insider threats.

While the security industry generally applauds this new act, it still suffers from one major drawback — use of the new NIST resources by small businesses is voluntary. 

“I will be curious to see how this plan is carried out,” says Francis Dinha, CEO and co-founder of OpenVPN. “Many small businesses neglect cyber security because they aren’t aware and don’t understand the risks — so, they don’t seek out solutions. But if they’re not seeking out solutions now, what makes anyone think they will seek out these new NIST resources?”

The act, he says, “does not seem to specify how to connect or engage with small businesses in these practices. It only requires NIST to make resources, in the form of guidelines, methodologies, and other information, available online. I’m concerned this won’t be enough. If small businesses aren’t engaged in a more active way, they may miss this opportunity and remain at risk.”

A complaint often heard at SecurityWeek from harassed CISOs is, “If it’s not a regulation, it won’t happen.” Perhaps what is required as a next step is a small business cybersecurity framework that can be audited. Larger organizations can then insist that smaller companies they engage must show compliance to the NIST small business cybersecurity framework — but even that will create problems. Small companies with great new ideas will continue to develop their idea without intrinsic security — and the larger companies will have to choose between a great new non-conformant idea and an older conformant solution.

This new act is a great help in assisting those small businesses that wish to improve their cybersecurity to do so. But it needs to be made a requirement before it will seriously improve the overall cybersecurity posture of the nation.

Related: FBI Pushes for Small Business Information Sharing 

Related: New Law May Force Small Businesses to Reveal Data Practices 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
