Why is small business cybersecurity a problem that impacts all our supply chains?
Small businesses make up a significant number of the companies trading in the U.S. and abroad. These companies range in size and complexity from one-person businesses up to those employing 500. They design, manufacture, and maintain the products and services that society depends on, using cyberspace as a critical tool to conduct business. Small Business America is a sector on which the Federal Government and big business rely. Its companies create and deliver products and services that make their way through complex supply chains into the US economy. Small Business employs nearly 50% of the US labor force, making significant contributions to new employment, tax income, innovation, and US GDP, on which the US economy depends. For small businesses, cyber-risk management is a significant challenge. It is a complex, expensive, and resource-intensive risk to manage, and a risk most small businesses cannot afford. This creates a significant issue for the Federal Government and larger corporations, which depend on the products and services that small businesses provide.
The Augusta Group has written a proposal under The Augusta Plan to help the Federal Government address the small business cybersecurity problem.
The United States Federal Government and Small Business America
Governments and Small Businesses face difficult questions concerning the oversight, assurance, and management of cybersecurity. 99% of companies in the US fall under the category of Small Business and employ over 59 million people (47% of the total workforce), generating 44% of US GDP (Small Business manufacturing alone generates around 10% of US GDP) and contributing to the tax income of Federal, State, Local and Tribal Governments. Cyber-attacks were once an extreme loss, or a 1-in-100-year event, for many firms. Now cyber-attacks should be treated as an unexpected, if not an expected, loss. Small Businesses are more likely to suffer catastrophic failure from a cyber-attack, as they are the least likely to afford the costs of implementing a cyber-risk management program and associated cybersecurity solutions. With the average cost of cyberattacks more than doubling from $700,000 in 2020 to $1.85 million in 2021, Small Businesses on their own are unlikely to afford the costs of remediation, especially at a time when cyber insurance premiums are increasing and further cyber regulation is under review by the Federal Government. The issues around cybersecurity and the management of cyber-risk have created a perfect storm for the Federal Government, Small Business America, and their associated supply chains.
A Paradigm Shift
A paradigm change is required by the U.S. Federal Government and Small Business if cybersecurity and cyber-risk management are to be achieved in line with existing and proposed cyber regulations. Small Businesses find it challenging to manage cyber-risk, as they must implement expensive cybersecurity practices to secure their balance sheets and supply chains. The starting point is to establish a “baseline” of the existing cybersecurity posture of Small Businesses in the U.S. We believe this can be achieved with the support of Certified Public Accountants (CPAs) and System and Organization Controls 2 (SOC 2) assessments, which provide organizations with a clear understanding of their cybersecurity posture, identified gaps, and remediation activities. The result is a baseline cybersecurity assessment for Small Businesses that can be used to improve supply chain resilience, funded through the Federal Government and offset by tax incentives, tax credits, training grants, or other financial instruments.
In the enclosed paper, we discuss the small business cyber problem and offer solutions to manage cyber risk, using existing Federal Government mechanisms, existing audit resources, and the adoption of cloud services to transfer and inherit complex and expensive controls from small business to cloud providers.