While both large and small companies face cybersecurity challenges, larger organizations are generally better equipped to handle cybersecurity threats than smaller ones. Indeed, few small businesses are taking the basic steps necessary to protect themselves from cybersecurity threats. In testimony before the Senate Committee on Small Business and Entrepreneurship, ITIF Vice President Daniel Castro called on Congress to take steps to bring small business cybersecurity practices up to par with larger organizations. These steps should include:
- Establishing a certification program for “part-time” cybersecurity professionals
- Creating a cybersecurity boot camp for small businesses
- Forming a small business cybersecurity co-op
Small businesses face many cybersecurity threats, and there is more the federal government can and should do to help small businesses succeed in addressing these threats. In addition to these recommendations, this committee, through its oversight, can insist that the Small Business Administration provide small businesses timely and effective training materials about mitigating cybersecurity threats.
However, these steps can ultimately fix only part of the problem. The greater challenge for the U.S. government is to reform its national cybersecurity policy to move away from an emphasis on relative offensive capabilities and instead prioritize absolute defensive capabilities, including prosecuting cybercrime. Such a change would require substantially rethinking how the U.S. government allocates funding for cybersecurity, how it releases cybersecurity research into the public domain, and how it works cooperatively with the private sector, through a reformed vulnerabilities equities process (for zero-day exploits) and expanded bug bounty programs.