On March 9th, 2021, the Center for Strategic & International Studies (CSIS) conducted an event titled, “Cybersecurity Challenges and Opportunities for Small and Medium Businesses.” The event explored the difficult environment that small and medium businesses (SMBs) face when bolstering their cybersecurity. The event offered advice on how industry and government stakeholders can promote cyber risk mitigation best practices from Representative James Langevin (D-RI). The Representative’s remarks were followed by a panel discussion on the “cybersecurity risks, readiness, and realities of SMBs that own, operate, or support U.S. critical infrastructure,” based on USTelecom’s 2021 Cybersecurity Survey of Small and Medium-Sized Businesses.The panelists were Ola Sage, CEO of CyberRx; Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA; Robert Mayer, Senior Vice President for Cybersecurity at USTelecom and Chair of the Communications Sector Coordinating Council; Jeffrey Goldthorp, Associate Bureau Chief for Cybersecurity and Communications Reliability at the FCC; Chad Kliewer, Information Security Officer at Pioneer Telephone Cooperative. The panel was moderated by Clete Johnson, Senior Fellow for the Strategic Technologies Program at CSIS.

Against the backdrop of increasingly frequent and intense cyber-attacks against the United States, Rep. Langevin took questions from Mr. Johnson. He made clear that if small businesses are to take away one thing from his remarks, it is that there is no such thing as perfect cyber security – only risk mitigation. No solution can completely prevent cyber-attacks, and SMBs must remain vigilant across all levels and departments within their organization. He also noted that not all cyber threats come from nation-states: It is crucial that SMBs and their employees take precautions against cyber criminals who seek to steal personal information or install ransomware – especially when they are assisted by a nation-state that seeks to weaken trust in American business interests and American institutions.Rep. Langevin also called for SMBs to follow government guidance on issues of cybersecurity best practices, citing the human toll that cyber crime takes on individual victims and the high cost of repairing what can be lost in a devastating cyber-attack. Addressing the SolarWinds breach, he said that policymakers will be paying much more intention to the idea that cybersecurity companies, themselves, can be a vector of system breach.

Next, the panel addressed USTelecom’s report, which was commissioned in the Spring of 2020. The group discussed the notable result that the smallest and largest businesses were each highly confident in their cybersecurity, while those in the middle were less so. Mr. Kliewer and Ms. Sage said that it is an open question as to whether the smallest businesses are so confident because they believe that they are not at risk, or whether they lacked the educational materials and resources to understand what risks they faced. Mr. Goldstein emphasized that all organizations of all sizes are vulnerable, and Mr. Kliewer agreed that cybersecurity is an organization-wide effort: All employees have a role to play in preventing a system breach.

Lastly, Mr. Mayer steered the panel towards next steps. The panel agreed that, often, cybersecurity can boil down to economics; the question moving forward must be, “How can we make cybersecurity economically viable for companies of all sizes?”. The group identified the large number of one-size-fits-all best practices recommendations from various government agencies as an area of concern, as only the largest organizations can address hundreds of cybersecurity issue areas. Instead, the government should assist industry by providing scalability of their recommendations to smaller organizations, based on the relative risks and specific cyber threats that smaller enterprises face. The group concluded that future research should focus on the relationship between “the size of an organization and their experiences with cybersecurity” to learn what the impacts of a breach are on different size enterprises, what responsibilities individual enterprises must uphold to protect themselves, and what the government can do to offer advice and protection to industry (and vice-versa).

NDIA released a report in 2019 examining how company size impacts cybersecurity practices.