Caute_cautim
Community Champion

NIST Small Business Cybersecurity Act signed into Law

Hi All

 

So what impact will this new Act have on Small Businesses?

 

https://www.scmagazine.com/president-signs-nist-small-business-cybersecurity-act-into-law/article/78...

 

Regards

 

Caute_cautim

12 Replies
Caute_cautim
Community Champion

Possibly the winners here will be the Cyber Security insurance organisations i.e. raising their annual premiums?
rslade
Influencer II

> Caute_cautim (Contributor III) posted a new topic in Industry News on 08-20-2018

>   So what impact will this new Act have on Small Businesses?

Pretty much none?

NIST stuff was basically already available, and basically ignored.

Locally, our emergency prep office did a bang-up job, a few years back, putting
together a terrific emerg/business continuity prep package for small business. Had
a four stage entry level: you could do something that took 2 minutes, something
that took ten minutes, something that took a couple of hours, and something that
was pretty full-scale. I figured it was terrific, since it could give somebody a 2-
minute "buy-in" that might get them started on the rest.

Couldn't get anyone outside the North Shore interested in it. Eventually the
office shelved it and moved on.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The irony of the information Age is that it has given new
respectability to uninformed opinion. - John Lawton
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Flyslinger2
Community Champion

My former business (IT Consulting) was purpose-built to cater to the small to medium sized business in the DMV.  These companies could not afford a full time IT staff and were dependent on companies like mine to keep their tech running so they could do the things that they do best: bake, paint, print, lawyer, etc.  I have had a passion for security almost as long as I have had tech.  That carried over into the services that I offered to my customers.  In the best bake, paint, print, lawyer speak I could use, I encouraged the customer to employ best practices as much as possible.  That included purchasing tools that were affordable and effective.

 

I get the interest that the Feds have in Cyber for the SMB.  The problem is they have NO clue what that SMB is going through to make payroll, stay ahead of the competition and expand their market.  None of this is going to amount to a hill of beans to them.  If anything it would be thought of as the Feds trying to meddle more in their affairs.

 

I read the document and then looked at the contributors to the document.  All were feds, Mitre, or other big corporation uppity up muckity mucks.  I didn't see John Doe, Owner, Shell Station 123 Maple Street, Anytown, USA listed as a resource.  

 

I think the Feds need to do what the Feds should do, which is worry about the mess they are in and leave the SMB alone. But, sadly, they won't because that is not what the Government is about. It has to be in everyone's knickers daily.

Caute_cautim
Community Champion

This subject has progressed:

"Small business leaders have to become security champions and communicate it to the staff," he says. "They have to explain to employees that security is not just about protecting the boss's Mercedes Benz. They have to understand that their W2s or tax refunds can be stolen, so cybercrime affects them, too."

 

https://www.darkreading.com/application-security/half-of-small-businesses-believe-theyre-not-cybercr...

 

Yes or no?   What are your thoughts?

 

Regards

 

Caute_cautim

Caute_cautim
Community Champion

I understand that the USA states that a Small business is one with under 100 employees and a Medium sized one has under 1,000 employees.    In comparison: 80 to 90% of all businesses in New Zealand have fewer than 100 employees, so does this make them tiny in comparison?

 

Some good advice from the UK on why Small businesses should adopt secure practices:

 

https://www.telegraph.co.uk/business/cybersecurity-for-small-business/fraud-prevention/

 

Regards

 

Caute_cautim

Flyslinger2
Community Champion

[Image: Capture.PNG]

 

Part of my due diligence when I read an article is to see who/what etc. is behind it.  If you read the second article you linked, the above graphic is a link that takes you to a catalog of services that the same governmental organisation wants you to buy from once they have scared the crap out of you.  I'll lay down my snarky pen and pick up my analytical one:

 

1. As mentioned before, let's use one of my former customers as an example.  He is a baker.  Pastries, cakes, and other baked goods that my cardiologist would frown at are his specialty.  His wife, a sweet woman, handles all the back office stuff because he wants to do what he does best, which is bake.  She is NOT a trained accountant, but she knows that Quickbooks for business can help her run their small operation, handle their small payroll and get their quarterly tax reports to the greedy hands of the government.  She knows nothing about computers except for the fact that she knows nothing about computers. That is why she hired me.  They know nothing about computer security beyond what they may get from the evening news, social media if they have a friend who posts about that sort of thing (like me!) or from the occasional email. But who wants to open that scary email?

 

2. Rinse, repeat bullet point 1 for the owner of the printing company, hotel (not part of a chain), auto mechanic, etc.  The same case applies.

 

I think governmental organisations need to stick to their large enterprise environments and worry about keeping their own house in order. By extension, contractors to the Feds have to adopt increased security measures if they still want to play in that arena.  Sub-contractors to federal contractors should have to inherit the same security posture if they want to continue their role as well.  This makes sense and should be the norm.

 

Creating a panic by issuing the dumbed down version for SMB is not practical.  It's certainly not in the budget for these SMBs and is only a distraction.

 

CraginS
Defender I

@Flyslinger2 used the phrase "small to medium sized business in the DMV. "

 

For our international crowd here, DMV across most of the USA means Department (or Division) of Motor Vehicles, and refers to the state agency that registers and licenses vehicles. However, in Mark's usage above it means Delaware / Maryland / Virginia, three contiguous states on the east coast with many regional businesses.

This local usage seems to be increasing rapidly in our area, and more often than not confuses me when I read it as the Motor Vehicle agency (who I had to pay this morning in Virginia). It also ignores the District of Columbia, which sits between Maryland and Virginia.

 

Maybe we should use DMDV or DMCV, or DMWV?

 

DCS, DSc

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Flyslinger2
Community Champion

My only knowledge of the usage of DMV comes from local print and radio: they all refer to it as District/Maryland/Virginia.

 

My apologies for not being broader in my scope for responses.  Yes, this is an international community.

Baechle
Advocate I

> It also ignores the District of Columbia, which sits between Maryland and Virginia.

That also seems to be the international norm...