(As seen on WZZM TV 13) A proposed law would make cyber strategy certification the norm among a percentage of Small Business Development Center employees.
U.S. Sen. Gary Peters (D-Michigan) last month introduced bipartisan, bicameral legislation proposing a Small Business Development Center (SBDC) Cyber Training Act, which would require 10 percent of SBDC employees to get certified in cyber strategy counseling.
Peters, a member of the Senate Cybersecurity Caucus, introduced the legislation in the Senate with Senators Jim Risch (R-Idaho), chair of the Senate Small Business Committee, John Kennedy (R-Louisiana) and Tammy Duckworth (D-Illinois).
U.S. Representatives Steve Chabot (R-Ohio), chair of the House Small Business Committee, and Dwight Evans (D-Pennsylvania) introduced the companion legislation in the House of Representatives.
“Small businesses create two out of every three new jobs in our country each year, and they need the right tools and skills to identify cyberthreats and protect their customers and their livelihoods,” Peters said.
Keith Brophy, state director of the MI-SBDC at Grand Valley State University, said the MI-SBDC has been helping small businesses in Michigan address cyber safety via an online resource called Small Business, Big Threat that it debuted in late 2015.
Not all SBDCs have such programs, he said, but this legislation might change that.
“(This law) would provide a much deeper emphasis within the SBDC,” Brophy said. “What we’re doing is unique to Michigan, but this would build it into every SBDC.”
He said it’s encouraging to see legislators taking the problem seriously.
“We’ve shared (with legislators) updates and education on the SBDC’s involvement with small business and cyber safety, from providing updates on the Michigan small business activity to updates on the cyber threat,” Brophy said. “We were very happy to see the focus on cybersecurity reflected in the bill(s). It’s great to see the efforts recognized.”
The SBDC Cyber Training Act’s 10 percent certification approach follows precedents that have proven to be effective, said Zara Smith, MI-SBDC strategic programs manager.
“The proposed legislation and training follows the export trade counseling model,” she said. “A few years ago, it was recommended 10 percent of the workforce pick up an export assistance certification.
“The SBA has training that is provided to help small businesses export overseas as a way to boost the overall trade balance.”
The cyber strategy training would work in a similar vein. SBDC employees would go to already existing Small Business Administration (SBA) training conferences, and the SBA would create new training programs and certify existing cyber education at SBDCs, like the MI-SBDC’s Small Business, Big Threat program.
Brophy said the specific training requirements in the Cyber Training Act have yet to be revealed, but the MI-SBDC has built best practices for counseling small businesses on cyber strategy that could be adapted.
“The goal is to raise the awareness of the leaders and those that drive the direction of the organization on not leaving data exposed, protecting customers’ data, having a password requirement and talking with your teams about the risks of social engineering hacks,” he said.
“If we educate the businesses’ ownership, they can take the safety practices across the business.”
He said cyber strategy counseling is about creating a “game plan for staying safe.”
“It would encompass a disaster recovery plan and what to do if a cyberattack strikes,” he said, including hacks, malware, ransomware and phishing.
Risch said a stunning number of small businesses go under after experiencing a cyberattack.
“Entrepreneurs — particularly in rural areas — depend on online sales and marketing to commercialize their businesses, leaving them incredibly vulnerable to cyber risks,” he said. “With more than half of small businesses going out of business within six months of suffering a cyberattack, it is incredibly important that we address this threat head on.”
Michigan is home to 11 SBDC regional offices, which served more than 5,500 businesses in 2016. Brophy said the MI-SBDC has not definitively pinpointed the number of small businesses it serves that have experienced cyberattacks.
“We’ve had events across the state when we turn to open dialogue where a good share of the businesses share anecdotes about times they’ve been hacked,” he said. “It’s certainly happening all the time.”
Smith said one of the Small Business, Big Threat online assessments collects data on a voluntary basis from respondents.
“The question we ask is, ‘Have you been hacked?’ We have about 40 percent saying ‘yes’ or ‘I don’t know.’ It’s not representative, but it gives you an idea,” she said.
If passed, the Cyber Training Act would build on a law passed last year that enables SBDCs to work with the U.S. Department of Homeland Security to assist small businesses in planning for and protecting against cyber security attacks.
“We’re happy to see the attention on cybersecurity and how it relates to small business,” Brophy said. “It’s been often overlooked. Small businesses have less money to stay safe, and so they’re increasingly the target of hackers. It’s a much-needed focus.”