(This post originally appeared on The Hill)
Cyberattacks – from data breaches to ransomware – are everywhere, and businesses of all sizes are suffering. Small businesses are among the biggest targets. This makes sense. Most small business owners are too busy running their business to worry about virtual attacks.
That’s the problem that Sens. Gary Peters (D-Mich.) and Marco Rubio (R-Fla.) are trying to solve. This week they introduced the Small Business Cybersecurity Assistance Act. Sadly, the legislation is not the answer. In fact, it completely misses the mark.
The bill has all the right intentions: It authorizes the nation’s Small Business Development Centers (SBDCs) to “work with” the Department of Homeland Security to, according to The Hill, “provide consulting to small businesses on how to strengthen their cybersecurity protocols.” New materials and education programs are also to be offered.
There are two things wrong with this.
First, the law would enlist SBDCs to do this training and provide consulting. But from my experience no small business owners even know that SBDCs exist. The centers, which do provide great services and consulting, are woefully underfunded and almost invisible to most small business owners.
Don’t believe me? Then why did the University of Pennsylvania’s Wharton School, a preeminent entrepreneurial center located in a city with hundreds of thousands of small businesses, recently shut down its center?
I’ll tell you why: No one knows about it and no one cares. Tasking these centers to “provide consulting to small businesses on how to strengthen their cybersecurity protocols” is akin to throwing money away.
The second problem is that the bill’s sponsors are missing the enormous disruption in technology that’s occurred over the past few years and has completely changed the way small businesses do business: the cloud. Most small companies don’t have servers anymore. And if they still do, they’re getting rid of them fast.
These companies now run their accounting, customer relationship management, email, office management and communications using cloud-based applications that are developed and hosted by tech companies. The trend will continue, and within the next few years it will be hard to find a small business that has its data on premises and needs protection. Small businesses have outsourced their data and all the security issues around it to third parties.
In other words, the bill is directed at the wrong people. It’s designed to help small businesses get educated about cyberattacks when it’s the large companies hosting the data – Microsoft, Google, Amazon and others – who are the ones with that responsibility. Where are they in this legislation?
Here’s what would make more sense.
It would be helpful if the government penalized large companies hosting a small company’s data that don’t follow industry best practices and acceptable security protocols. That penalty could be paid in fines to the government or, more desirably, compensation paid back to their small business customers when they screw up. The cloud – and big tech – needs more regulation, and with this regulation will come better protection over our data. Now there’s motivation to protect against cyberattacks!
The other helpful thing the government can do is to make it easier and more affordable for small businesses to obtain cyber insurance. Many small businesses don’t realize this kind of coverage exists, and many insurance companies offer either limited options or none at all.
Government guarantees for insurance companies – similar to the ones offered for bank loans through the Small Business Administration – would help expand this kind of protection. Government assistance for smaller companies to help pay for cyber insurance would go a long way to helping those that may have lost data, suffer business interruption or face lawsuits from their customers because of a cyberattack.
I agree with Sen. Peters when he says that “too many small business owners say they lack the resources they need to safeguard their businesses and customers from hackers, fraudsters and cybercriminals.” But this is not “commonsense legislation” and it will not “help ensure small businesses can access much needed information and training to secure their systems from malicious cyber-attacks.”
This legislation will likely go unnoticed by the small business community. My recommendations wouldn’t.