Should there be legislation designed to create better cybersecurity regulations for small- and medium-sized businesses (SMBs/SMEs)?

Group CIO in Manufacturing, 4 years ago

Excellent idea. I would recommend that there be a Cyber Security resilience committee comprising security vendors, to which companies can hook in to get cyber resilience as a standard. Imagine us fighting it together, in a coordinated way, with any new organisation able to hook into the framework. There could be various levels of security posture defined based on industries, and companies would have the option to choose from them. With SIEM, DLP, endpoint security, etc. going cloud, this is very much a possibility.

vCISO and COO in Software, 4 years ago

This country is built on small business. What do we do with all these small businesses that have no knowledge of IT? Is there some mandate that you have to hire a small business consultant to set up your computers? I don't know how far we can take it. They certainly do that for government agencies. The ransomware committee—or whatever they're calling it—is doing SBOMs, and setting all these criteria. If you want to be a government contractor or if you're in government, you have to follow all these guidelines.

no title, 4 years ago

I think that's a great idea. You could divide things by the type of business you register. If you are a company that does taxation, you handle very sensitive data. I think you need a different layer, where you have to meet certain criteria but they have to be relevant to the kind of business you are in. So even if you're a small business, if you're focused on sensitive personal data, then you should have to get a certification every six months to be in business. It's similar to the way we've had mask wearing enforced during COVID. Cybersecurity measures have to be enforced, otherwise it's very hard for companies to inculcate those things into their operations. Obviously it will involve more costs, but that cost could be translated to the service they're providing. For example, maybe I have to pay my tax accountant a little more than what I pay today, but at least I am assured that my data is secure.

no title, 4 years ago

It could even apply to restaurants. They're supposed to be PCI compliant with their credit card processing, but when I see the screensaver on the point of sale (POS) machine, it's Windows XP Embedded. I don't know if that's safe or not.

Head of Enterprise & Solution Architecture, 4 years ago

We have financial audits that happen quarterly, as well as annual ones, so maybe we should have something similar in the data security space. There should be at least a minimum requirement that a company has to meet to store data, especially personal data.
