All the new law effectively does is tell NIST to go write more 800-series publications to help small businesses know what to do. My concern is whether the NIST staff and contractors will adopt a customer-centric approach to developing the pubs, involving ALL of the stakeholder communities in the research and writing.
Having worked for almost twenty years on meeting the FISMA requirements for DOD IT systems under DITSCAP, then DIACAP, then RMF, I have had to read thousands of pages of NIST SPs: 800-30, -37, -53, -53A, -60, -63-3, -63A, -63B, -63C. Most small businesses have neither the staff time nor knowledge base to absorb such massive, confusing guidance.
The NIST Small Business cybersecurity effort will make a difference ONLY if they bring together a well-informed stakeholder team and first research how small businesses actually operate. Their guidance must be in small, easily digestible pamphlets, not hundred-page tomes, and must provide actionable, affordable recommendations that small business owners will be able and willing to carry out, with clearly meaningful results.
In that case, try this UK simplification and encouragement for Small Businesses:
Is this a suitable approach?
So the local government of the day in New Zealand releases the statistics on small businesses:
97% of all businesses here fall into the category of 20 or fewer employees, with a total of 500,000 such organisations. The population is only 4 million here in New Zealand, so the rest of the organisations are foreign-owned or large, i.e. CSPs and similar.
So when New Zealand changes the Privacy Act to bring it back into alignment with the EU and GDPR, with mandatory data breach disclosure and increased penalties, the number of liquidations may suddenly increase.
Sounds like increased collaboration is needed to assist these organisations, as they definitely have an effect on the economic outcomes of the nation.
Cyber insurance will only provide a temporary level of protection and room to maneuver, until the premiums go up and additional measures are required.
There must be similar countries with similar situations like these here too.