With nearly half of cyberattacks last year directed at small- and medium-size businesses, several members of Congress are hoping to get additional cybersecurity training in the hands of business owners.
The hoped-for outcome is "helping Small Business Development Centers become better equipped to assist small businesses with their cybersecurity and cyberstrategy needs," according to a press release from the lead sponsor of this year's bill, Rep. Andrew Garbarino (R-NY).
When small-business owners go to an SBDC today, they're not likely to find anyone with the expertise to help them with cybersecurity concerns. If the bill passes the Senate as it is, according to Garbarino, SBDCs would see their staff trained to help businesses with these matters, with up to $350,000 per year in training for SBDC personnel to work on these issues with business owners. In turn, businesses that seek help at SBDCs would find cybersecurity to be one of the areas they could learn about from staff.
The bill is not guaranteed to become law, however. Though the House voted overwhelmingly in favor of the bill, 409-14, the Small Business Development Center Cyber Training Act also received overwhelming support from the House in two prior bills that didn't become law. Both of those bills, in 2017 and 2019, contained substantially similar provisions, but never got to a vote in the Senate.
The cyberthreat to businesses with fewer than 1,000 employees is tracked by Verizon in its annual Data Breach Investigations Report, which reported 1,037 incidents against businesses of that size in 2020, with 263 of those considered "breaches" in which there was "confirmed data disclosure." That compares with 819 and 307, respectively, for businesses with more than 1,000 employees.
Though the numbers are more or less the same for the two groups, because the groups are different sizes (99.7 percent of businesses in the U.S. have fewer than 500 employees), the risks to small businesses are relatively quite a lot smaller than they appear: A back-of-the-envelope calculation suggests large businesses are around 500 times more likely to face a cybersecurity incident than small businesses. But the threat to small businesses is growing: In just one year, the number of attacks on these companies went from fewer than half the number targeting large businesses to near-parity, according to Verizon. And whereas small businesses used to see different kinds of attacks than large businesses, attacks are now following the same pattern, in what Verizon describes as "one size fits all."
Small-business owners generally don't see themselves as targets: According to a Nationwide Insurance survey, nearly two-thirds of small-business owners don't believe they are at risk of cyberattacks. Still, for those who do see themselves as vulnerable, help may be coming through SBDCs -- if the third time is the charm for the bill in the Senate.