Why is small business cybersecurity a problem that impacts all our supply chains?
Small businesses make up a significant share of the companies trading in the U.S. and abroad. They range in size and complexity from one-person businesses up to firms employing 500 people. They design, manufacture, and maintain the products and services that society depends on, using cyberspace as a critical tool to conduct business. Small Business America is a sector upon which the Federal Government and big business rely. It creates and delivers products and services that make their way through complex supply chains into the U.S. economy. Small business employs nearly 50% of the U.S. labor force and makes significant contributions to new employment, tax income, innovation, and U.S. GDP. For small businesses, cyber-risk management is a significant challenge. It is a complex, expensive, and resource-intensive risk to manage, and a cost most small businesses cannot afford. This creates a significant issue for the Federal Government and larger corporations that depend on the products and services small businesses provide: a weak link anywhere in that supply chain is a risk to everyone downstream of it.
The Augusta Group has written a proposal under The Augusta Plan to help the Federal Government address the small business cybersecurity problem.
Executive Summary
The United States Federal Government and Small Business America
Governments and small businesses face difficult questions concerning the oversight, assurance, and management of cybersecurity. 99% of companies in the U.S. fall under the category of Small Business. They employ over 59 million people (47% of the total workforce) and generate 44% of U.S. GDP (small business manufacturing alone generates around 10% of U.S. GDP), contributing to the tax income of Federal, State, Local, and Tribal Governments. Cyber-attacks were once an extreme loss, a one-in-a-hundred-year event for many firms. Now they should be treated as an expected loss rather than an unexpected one. Small businesses are the most likely to suffer catastrophic failure from a cyber-attack, because they are the least able to afford the costs of implementing a cyber-risk management program and the associated cybersecurity solutions. With the average cost of a cyber-attack more than doubling from $700,000 in 2020 to $1.85 million in 2021, small businesses on their own are unlikely to be able to afford the costs of remediation, especially at a time when cyber insurance premiums are increasing and further cyber regulation is under review by the Federal Government. The issues around cybersecurity and the management of cyber-risk have created a perfect storm for the Federal Government, Small Business America, and their associated supply chains.
A Paradigm Shift
A paradigm change is required by the U.S. Federal Government and small businesses. If cybersecurity and cyber-risk management are to be achieved in line with existing and proposed cyber regulations, immediate action is required. Small businesses will find it challenging to manage cyber-risk, as they must implement many cybersecurity practices to secure their balance sheets and supply chains. The starting point is to establish a "baseline" of the existing cybersecurity posture of small businesses in the U.S. We believe this can be achieved with the support of Certified Public Accountants (CPAs) and System and Organization Controls 2 (SOC 2) assessments. The American Institute of Certified Public Accountants (AICPA) has created the Trust Services Criteria (TSC), which are aligned to COSO and mapped to the NIST Cybersecurity Framework (CSF), NIST SP 800-53, ISO 27001, and COBIT 5. By assessing the suitability of control design and operating effectiveness against the TSC for the security, availability, or processing integrity of information and systems, an assessor obtains an understanding of the baseline cybersecurity posture of an organization. One caveat matters here: a SOC 2 Type 1 report attests only to control design at a point in time, while a Type 2 report also attests to operating effectiveness over a period, so a Type 2 report is the one that establishes a defensible baseline. This provides companies with a clear understanding of their cybersecurity posture and identifies gaps that need remediation. It also creates a baseline cybersecurity assessment for small businesses that can be used to improve supply chain resilience. The assessments could be funded by the Federal Government or offset through tax incentives, tax credits, training grants, or other financial instruments.
Small businesses' most significant challenge (and cost) is implementing the set of cybersecurity practices necessary to protect Intellectual Property (IP). In practice, IP is the digital data that small businesses create, transmit, and store to run their company or support government contracts. This data is critical to small business operations, and without securing it from cyber-attacks, small businesses are vulnerable to having the data stolen or ransomed, leading to regulatory breaches, loss of federal contracts, cyber remediation costs, and potentially closure. Moving small business data into the cloud, and allowing for control inheritance under a shared responsibility model, reduces the undue burden of implementing complex and expensive cybersecurity practices. Under the shared responsibility model, a small business inherits the controls the cloud provider operates (physical security, hardware, and the underlying platform) and so transfers part of its cyber-risk. The business still owns the controls on its side of the line, such as identity and access management, service configuration, and the classification and handling of its own data, and those are where a baseline assessment should focus.
Some of the associated costs of implementing and managing the controls through a migration to the cloud can be incentivized by the U.S. Federal Government and offset by tax incentives, tax credits, training grants, or other financial instruments. By increasing cloud usage, the Federal Government has the potential to improve oversight and assurance of critical infrastructure.
We will achieve better oversight and assurance of cyber-risk through existing professional bodies such as the AICPA and by encouraging the use of cloud control inheritance. We believe this creates the foundations for an affordable, efficient, and effective solution for managing cybersecurity for small businesses.
Addressing the small business cybersecurity paradigm
Why is small business cybersecurity the elephant in the room for the Federal Government and supply chain risk management?