In the US, the NIST Small Business Cybersecurity Act became law last week when US President Donald Trump signed the legislation, a year and nearly four months after the measure was first introduced.
Originally proposed as H.R. 2105 in April 2017, the act was later absorbed into US federal law S.770, and requires the director of the National Institute of Standards and Technology, within one year of the law's passing, to issue guidance and a consistent set of resources to help SMBs identify, assess and reduce their cyber-security risks.
S.770 also tasks NIST, a division of the US Commerce Department, with considering the needs of small businesses when developing these recommendations, which among other key qualities should be widely applicable and technology-neutral and "include elements that promote awareness of simple, basic controls, a workplace cyber-security culture, and third-party stakeholder relationships."
The legislation in its current form was introduced by Senators Brian Schatz and James Risch, sponsored by fellow lawmakers John Thune; Maria Cantwell; Bill Nelson; Cory Gardner; Catherine Cortez Masto; Maggie Hassan; Claire McCaskill and Kirsten Gillibrand.
In a press release, Schatz, the lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, said that "As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that's exactly what makes them an easy target for hackers."
"This new law will give small businesses the tools to firm up their cyber-security infrastructure and fight online attacks," Schatz continued.
"The NIST Cybersecurity Small Business Act is a significant win for the cyber-security industry and for small-to-medium size businesses who struggle to operate consistent with the NIST standards," said Dr. Bret Fund, founder and CEO of cyber-security academy ServerSet, in emailed comments. "This change sets the stage for greater compliance and readiness from smaller organisations who previously thought that NIST compliance was too costly or complex to obtain."
"Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks," remarked Dirk Morris, chief product officer at Untangle, a provider of network security for SMBs. "The NIST Small Business Cybersecurity Act will provide small businesses the resources and a simplified cyber-security framework so they can effectively protect their businesses from threats."