The beginning of this month, the White House released a new National Cybersecurity Strategy. This is the first strategy released since 2020. The strategy is built on 5 pillars. Those pillars are:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
For those of us in the Small Business community, Pillar 3 is the one that is most likely to affect us.
There are 6 objectives listed in Pillar 3. They are
- Hold the Stewards of our Data Accountable
- Drive the Development of Secure IOT Devices
- Shift Liability for Insecure Software Products and Services
- Use Federal Grants and other Incentives to Build in Security
- Leverage Federal Procurement to Improve Accountability
- Explore a Federal Cyber Insurance Backstop
This first objective is to support legislation to hold accountable entities that collect, use transfer and maintain personal data. For you that are a small businesses that keep client lists that have information like addresses, phone numbers, and email addresses may be held legally liable if that information is disclosed. This objective recommends that such information should be stored in a manner consistent with the standards and guidelines established by the National Institute of Standards and Technology.
The second objective really doesn’t effect the majority of small businesses except if you are in the business of developing electronic hardware that uses network connectivity.
The third objective is one of deep interest to the small business community. Currently the liability for a security incident is typically on the end user. The goal of this objective is to move the liability from the end user to the developer of the technology attacked. This is not going to absolve the end user of the technology of all liability. End users will be required to keep up with patching, replacing equipment/software that is beyond its supported lifetime and in general, use best practices in the area of cyber security. But if a developer is found of not following best security practices in the development of their software/hardware, they should be held responsible for any damages.
The fourth objective is pointed at all levels of government as well as private entities to help development of a secure cyber environment by funding such development by government grants.
The fifth objective is already in effect. Those small businesses that have contracts directly or indirectly with the Federal Government are already subject to cybersecurity regulation from within those contracts. This objective calls for expansion of the current program. Additionally, this objective pushes the enforcement of these contractual objections through the Department of Justice.
Finally, the sixth objective is to look into developing a federal backstop fund for insurance companies effected by a major cybersecurity event. The strategy suggests a fund similar to the Federal Deposit Insurance Corporation that backstops banks be created. From a small business perspective, development of such an agency could stabilize and possibly lower cyber insurance rates.
Actionable items for a small business look at in light of this strategy include:
- Get to know your local legislator(s). This strategy is calling for legislation at the state and local level. Your only way of affecting what is in this legislation is to have a seat at the table when the legislation is being drafted. The only way to get this seat is to known to the people writing the legislation.
- Review your cyber security policies or have your IT professional review them for you. Read the frameworks produced by NIST and the CIS controls. See what items fit your environment and budget.
- If you are using an IT Professional (like you should), make sure they are familiar with the security frameworks and are applying them you both your and their business. If they are not familiar with them, find a new IT Professional.
But remember, this is a strategy and not law…..yet. But look for more news on the items mentioned in this strategy in the near future.
Subscribe to our newsletter.
Never miss a new article by joining our mailing list!