Should there be legislation designed to create better cybersecurity regulations for small- and medium-sized businesses (SMBs/SMEs)?


Head of Enterprise & Solution Architecture, 1,001 - 5,000 employees
We have financial audits that happen quarterly, as well as annual ones, so maybe we should have something similar in the data security space. There should be at least a minimum requirement that a company has to meet to store data, especially personal data.
CISO in Software, 51 - 200 employees
This country is built on small business. What do we do with all these small businesses that have no knowledge of IT? Is there some mandate that you have to hire a small business consultant to set up your computers? I don't know how far we can take it. They certainly do that for government agencies. The ransomware committee—or whatever they're calling it—is doing SBOMs, and setting all these criteria. If you want to be a government contractor or if you're in government, you have to follow all these guidelines.
VP, IT and Operations in Software, 1,001 - 5,000 employees

I think that's a great idea. You could divide things by the type of business you register. If you are a company that does taxation, you handle very sensitive data. I think you need a different layer, where you have to meet certain criteria but they have to be relevant to the kind of business you are in. So even if you're a small business, if you're focused on sensitive personal data, then you should have to get a certification every six months to be in business. It's similar to the way we've had mask wearing enforced during COVID. Cybersecurity measures have to be enforced, otherwise it's very hard for companies to inculcate those things into their operations. Obviously it will involve more costs, but that cost could be translated to the service they're providing. For example, maybe I have to pay my tax accountant a little more than what I pay today, but at least I am assured that my data is secure.

CISO in Software, 51 - 200 employees

It could even apply to restaurants. Because they're supposed to be PCI compliant with their credit card processing, but when I see the screensaver on the point-of-sale (POS) machine, it's Windows XP Embedded. I don't know if that's safe or not.

Group CIO in Manufacturing, 1,001 - 5,000 employees
Excellent idea. I would recommend that there be a cyber security resilience committee, comprising security vendors, to which companies can hook in to get cyber resilience as a standard. Imagine us fighting it together, coordinated, with any new organisation able to hook into the framework. There could be various levels of security posture defined based on industries, and companies would have the option to choose from them. With SIEM, DLP, endpoint security, etc. going cloud, this is very much a possibility.
