Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Trump Signs NIST Small Business Cybersecurity Act Into Law

August 20, 2018

SecurityWeek reported on August 16th that President Trump had signed the NIST Small Business Cybersecurity Act into law on August 14th. The law requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks."

The resources will be informational. They must be generally applicable to a wide range of small businesses; vary with the nature and size of small businesses; promote cybersecurity awareness and workplace cybersecurity culture; and include practical application strategies. The resources must also be technology-neutral, compatible with commercial off-the-shelf (COTS) solutions, and, as far as possible, consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980.

Use of these resources by small businesses is voluntary. The act has been well-received by the security industry.

Jessica Ortega, a member of the SiteLock research team, said, "Small businesses account for 99.7% [SBA figures] of employers in the United States and as many as 50% [CNBC figures] of those have experienced a cyberattack. Not surprising when you consider that websites are attacked as many as 50 times per day on average [SiteLock's own figures]."

She adds, "The NIST Small Business Cybersecurity Act aims to provide cyberdefense resources for small businesses by creating a set of guidelines for basic security measures that should be easy to follow and implement affordably. It also creates guidelines for making security best practices a required component of corporate training and workplace culture, something that is very needed as cyberthreats continue to evolve."

Small businesses, and many large organizations, struggle to comply with the existing NIST Security Framework. "This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain," adds Dr. Bret Fund, founder and CEO at SecureSet.

While the security industry generally applauds this new act, everyone seems to wonder whether small businesses will choose to comply voluntarily with the act. My guess is that most will not. After all, they have not generally made a great effort up to now to harden their security. Doing anything requires time, dedication to learning about security – and some amount of money. Don't bet the mortgage money on small businesses eagerly reading and using the resources made available by NIST.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson