Cyber Readiness Institute identifies need for incentives aimed at small business best practices

May 10, 2024


Cyber Readiness Institute identifies need for incentives aimed at small business best practices

By Jacob Livesay / May 10, 2024

Small and medium-sized businesses are not adequately protecting themselves from cyber threats and require greater incentives from the federal government and insurance companies to boost their security posture, according to a report from the Cyber Readiness Institute.

“SMBs are highly vulnerable to the threat of cyber intrusion and tempting gateways to bigger prizes such as large enterprises, global supply chains, and critical infrastructure, representing the prime targets of bad actors,” CRI managing director Karen Evans said in an April 30 press release.

Evans said, “An estimated 350-to-400 million SMBs interact daily with the world’s billions of consumers and occupy essential spots in the global supply chains of the world’s largest corporations. Making these businesses cyber ready will help create a more resilient global economy.”

Evans formerly served as CIO for the Department of Homeland Security and assistant secretary for cybersecurity, energy security and emergency response at the Energy Department.

CRI’s SMB report outlines “crucial steps” for enhancing SMB cyber posture.

It says, “[T]he state of cyber readiness among SMBs requires immediate attention and concerted efforts from all stakeholders, including regulators, global enterprises, supply chain operators, industry associations, cybersecurity firms, and, of course, SMBs themselves.”

CRI identifies “cost considerations, talent shortages, and integrating cybersecurity tools with existing systems” as the most significant barriers to SMB implementation of cyber best practices, arguing SMBs lack “sufficient incentives” to raise the bar in terms of security.

“Government grants or subsidies, tax breaks for cybersecurity investments, and reduced cyber insurance premiums for cyber-secure businesses were all identified as effective incentives for encouraging SMBs to prioritize cyber readiness,” according to the report.

To assemble the report, CRI reached out to a “cross-section of SMBs, large corporations, cybersecurity providers, and non-profit organizations” to assess cyber readiness.

Concerningly, CRI reports that more than half of respondents said SMB cyber capabilities were “Somewhat Ineffective” or “Ineffective.” Over half of respondents also said SMB awareness of cyber risks is “Low” or “Very Low.”

CRI argues there are “practical steps” that can be taken to boost incentives, awareness and overall implementation of best practices.

“All stakeholders, including insurance providers, supply chain operators, government agencies, and others play an important role,” the report says.

CRI suggests implementing standards for specific industries or types of data; creating “tax breaks or subsidies” to increase investments in insurance, people, processes and technology solutions at SMBs; building requirements for cyber programming into the “local business licensing application and renewal process”; and offering “regional-level” programs free of cost to boost SMB understanding of security controls.

CRI says the report is intended to be a “call to action” for further analysis of strategies that could enhance SMB cyber resilience, as the organization’s work to support SMBs continues.

The nonprofit’s Cyber Readiness Program has grown to “an estimated 22,000 individuals in more than 1,300 organizations spanning 178 countries across nearly 100 industry sectors,” according to the report. — Jacob Livesay ([email protected])

Back to News and Press