Differences across the aisle couldn’t stop it. For far too long, the underbelly of the nation’s economy has been ripe for exploitation. Poorly guarded but chock full of valuable data, intellectual property and access-granting credentials, the networks of small- and medium-sized businesses (SMB) have too often come second to enterprises, governments and large organizations.
On Aug. 14, that may have finally changed when U.S. President Trump officially signed the new National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act into law. It’s one of the first bills I’ve seen expedited so quickly and unanimously across party lines. It’s worthy of applause.
The new policy requires the U.S. Commerce Department and NIST to “develop and disseminate resources for small businesses to help reduce their cybersecurity risks.” The act was authored by U.S. Senators Brian Schatz (D-Hawai‘i) and James Risch (R-Idaho) and is an unofficial follow-on policy to the Cybersecurity Enhancement Act of 2014 — the foundation for the current NIST Cybersecurity Framework leveraged by many large enterprises today.
But therein lies a problem. While it was a necessary cornerstone, that bill was still tailored to large organizations with untold resources, budgets, staff, technology and time. In many cases, this forced SMBs to protect themselves for another decade — until now.
A Collaborative Pivot to Defend SMBs
The passage of this law is indicative of how important cybersecurity is for both Congress and the Trump administration. Cybersecurity for businesses is not partisan or specific to particular counties or states. We’re moving forward together — at the right time and in the right way.
I’m passionate about this mission. Helping protect SMBs from cyberattacks is an objective I have been working toward with Congress since 2009, when I collaborated with U.S. Senator Jay Rockefeller (D-West Virginia) and other policymakers on the Hill to help support the Cybersecurity Act of 2010 (S.773). That proposal was not enacted by Congress, but I’m confident it served as a critical framework for today’s modern policies, including the new NIST Small Business Cybersecurity Act.
In concert with the private sector, the federal government can soon begin delivering much-needed guidance to small- and medium-sized businesses and educating them on how best to protect themselves against modern cyberattacks.
The NIST Small Business Cybersecurity Act specifies that the NIST recommendations be:
- Technology-neutral
- Based on international standards to the extent possible
- Able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on its information systems
- Consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014
- Deployed in practical applications and proven via real-world use cases
Stopping Lateral Attacks from Compromised SMBs
This isn’t just about protecting SMBs, though. The supply chain that delivers the software and hardware that protect other large organizations and enterprises — think government agencies, energy giants, utilities — is often sourced from SMBs.
In hopes of breaching larger organizations, cybercriminals and threat actors will execute complex lateral attacks — sometimes several layers removed from the final target — against SMBs in order to compromise machines in the target organizations.
A prime example of a lateral attack is the 2014 Target breach that resulted in the theft of 40 million customer credit and debit card numbers. The attack was executed by cybercriminals who gained network access by using credentials stolen from an HVAC company contracted by Target and other regional retailers. The result was an $18.5 million settlement and untold costs for investigation, analysis, forensics, remediation and brand damage.
As the Target scenario showed, criminal groups and threat actors attack without discrimination. They’ll use any means necessary to attack smaller organizations with weaker defenses, or leverage SMBs as a stepping stone in a lateral attack against more lucrative targets. In fact, in July 2018 alone, the average SonicWall customer faced 2,164 malware attacks (a 28 percent increase from July 2017), 81 ransomware attacks (a 43 percent increase) and 143 encrypted threats.
Implement Cybersecurity Best Practices Now
While the NIST Small Business Cybersecurity Act is absolutely needed, NIST has a year to design and publish official cybersecurity guidance for SMBs. For organizations with little to no defenses in place, that’s too long to wait.
In the interim, small- and medium-sized businesses should familiarize themselves with the NIST Cybersecurity Framework. This official — and voluntary — guidance “consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”
For many organizations, it may be too much. Too much budget. Too many people. Too far removed from their core business. While it’s still recommended that organizations be aware of the NIST principles, they should also call on trusted cybersecurity vendors in the private sector to guide their path toward a stronger security posture.
SMBs should consider security solutions that fit their size, scale and budget. And any solution at this level should deliver some form of automated real-time breach detection and prevention. At a high level, a sound defense typically consists of:
- Next-generation firewalls (NGFW)
- Integrated deep packet inspection (DPI) of encrypted traffic
- Multi-engine cloud sandbox with deep memory inspection
- Endpoint protection/next-generation antivirus (NGAV)
- Email security
- Secure Wi-Fi access points
- Cloud-based management, analytics and reporting
Next Steps For Federal Policy
The cyber threat landscape evolves swiftly, so there’s still more legislation to be reviewed, approved and signed into law.
For example, the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R.1224), from the U.S. Science, Space, and Technology Committee, still requires support from the U.S. House of Representatives. This is an important policy that would further galvanize the nation’s security posture.
If passed, this law would include NIST expertise in the Inspector General’s evaluations of and audits of U.S. federal agencies’ cybersecurity performance gaps and the resulting recommendations. It would also require broader adoption of the NIST Cybersecurity Framework across government agencies and thorough verification that it has been applied properly.
Based on my discussions with both cybersecurity experts in the field and policymakers in Washington, I recommend full support of H.R. 1224 and urge the House to approve the policy and pass it to the Senate for review.
This is a critical and logical next step for national security. This legislation would act as the perfect complement to the new NIST Small Business Cybersecurity Act and the Cybersecurity Enhancement Act of 2014. The trio of policies would promote unified and consistent cybersecurity best practices across federal agencies, large enterprises, and small- and medium-sized businesses.