The Problem With the Small Business Cybersecurity Assistance Act

The Small Business Cybersecurity Assistance Act may provide business owners with access to government-level tools to secure small business against attacks.

Perhaps the best approach to rampant malware, ransomware and cybercrime is stronger cooperation between the public and private sectors.

The American Congress took a stab at that kind of ecumenical solution to the looming $6 trillion problem of cybersecurity in the form of the Small Business Cybersecurity Assistance Act (SBCAA). It’s as bipartisan a bill as the U.S. can hope for at present and an encouraging sign that the problem is on the government’s radar.

Regrettably, the Small Business Cybersecurity Assistance Act has already gathered criticism and detractors, with some saying it falls short of the mark. Let’s look at why this might be the case and what the Act actually contains that might, or might not, be of value to worried business owners.

What Does the SBCAA Seek to Accomplish?

The two main co-sponsors of the Act — Senators Gary Peters and Marco
Rubio — frame the SBCAA’s mission as primarily an educational effort to bring
small business owners up to speed on cybercrime-related issues such as:

The variety of cyber threats in the world todayThe potential risk that small business owners faceThe tools available to help them protect themselvesThe small business community must understand that they represent a
larger — not a smaller — portion of the threat surface where cybercrime is
concerned. Small business owners are less likely to have taken adequate
measures to protect their digital systems and are consequently at an even higher
risk of sustaining a data breach or a ransomware attack than a major

Under the Small Business Cybersecurity Assistance Act, business owners
could visit U.S. Small Business Development Center (SBDC) locations to secure
educational materials, enroll in programs, and work with representatives from
the Department of Homeland Security to better understand
and confront cyber threats and risks. Clearly, the intentions
and the desired outcome are heading in the right direction.

The question is: What on earth is a Small Business Development Center?

A Good Idea With Limited Infrastructure
Behind It

Like many public services in the United States, Small Business
Development Centers are wonderful in theory but consistently go underfunded —
despite their value — and remain mostly unknown to the communities most in need
of their assistance. Among other things, SBDCs provide services like business
counseling and information on local, state and federal government compliance
and assistance programs.

But because this service goes underfunded and unheralded, the U.S. has
only 63 such centers — barely one for every U.S. state and territory. In
contrast, the U.S. had almost 140,000 Starbucks locations in 2018, despite the
company employing under 200,000 people that year.

The SBDC’s 63 locations, meanwhile, are meant to support the entire
American small business community. In 2016, companies with fewer than 100
employees made up 33.4% of the U.S.
workforce, and companies with 500 or fewer made up nearly half.

Many of the criticisms leveled against the SBCAA have latched onto this
lack of infrastructure and public awareness. Earmarking additional funding
could possibly help raise the SBDC’s public profile and make more people aware
of their existence. But this isn’t certain, and it doesn’t look like the SBCAA
has addressed the existing funding shortfall.

The Act reportedly permits Small Business Development Centers to use their current
funding to make cybersecurity resources available after they’re prepared by
other government agencies. But the key phrase is “current funding.”
SBDCs, like the one at Wharton School, already face
shuttering their doors because of a lack of funding. Adding to the demands
placed on their staff without a commensurate rise in funding could be

The other problem, apart from a lack of funding and awareness, is that
significant numbers of small business owners do business in the cloud. As a
result, they outsource most of their IT and digital systems architecture work,
including data hosting services, to third parties.

It could be fairly useful to educate small business owners on the
security best practices these third parties should follow in their operations —
either by law or according to common sense. What’s not useful is doing all of
this without backing it up with appropriately harsh fines for the larger
companies which mishandle or misplace client data, either by mistake or because
they have nefarious intent.

The European Union is off to a slow start levying fines for abusing
data privacy and security, but the now-year-old General Data Protection
Regulation gives the government the power to do so. Until the U.S. implements a
similar measure, U.S. states are left on their own to fine
companies which don’t take cybersecurity or client privacy seriously. Any
measure undertaken to educate the small business community about cybersecurity
won’t do much good if the U.S. government doesn’t stand ready to have their

Another potentially fruitful avenue to explore is providing grants or
subsidies to help small business owners purchase cyber liability insurance. Not
all small business owners know such products exist, but these services can go a
long way toward keeping small businesses
in operation after they fall victim to a cybercrime.

Safety on the Internet Isn’t a Luxury

Some seem content to let cybersecurity remain a competitive advantage
or a luxury commodity. Others believe the buy-in should be the same for both
small entrepreneurships and major corporations when it comes to keeping digital
properties safe. Everybody has a right to stay safe online — it shouldn’t be
something that only moneyed interests get to enjoy.

The SBCAA is a well-intentioned measure styled after the American
tradition of empowering people to pull themselves up by their own bootstraps
and know-how.

 But without a more robust
support system in place, it risks confirming what many people already believe —
that the government throws money at problems instead of solving them. It’s best
to think of the SBCAA as a first step toward something better.

A better, second draft would back up its proposals for DHS-SBDC collaboration with additional funding as well as adequate punitive measures for data handlers that get cybersecurity wrong.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her recent projects, visit her About Me page.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(Security Affairs – Small Business Cybersecurity Assistance Act)

The post The Problem With the Small Business Cybersecurity Assistance Act appeared first on Security Affairs.