by mos_6502 1298 days ago
I don't understand the intended target audience. Who is this for?

Most SMB leaders have enough trouble as it is keeping up with their day to day IT operations. The section at the start of the document is intended for “CEOs”, yet it’s likely impenetrable to that audience on account of the jargon while simultaneously giving advice that’s too high-level/broad to be useful.

Later parts of the document intended for technical leads are too focused on minutiae rather than outlining the overarching goals of their implementation, which loses the intended spirit of the document IMO.

For example, it’s more useful to start by outlining what these controls are trying to achieve. For example, “Ensuring business continuity after a ransomware attack” or “Protecting business assets with strong multi-factor authentication”, as opposed to throwing out specific individual technical controls without a high-level narrative to describe what you’re actually aiming for.


Agreed. Ask any SB owner to list the Top 10 things that keep them up at night and cyber-security wouldn't crack the Top 100.

Uncle Sam's concerns are embarrassing lip service without any significant monies to lend a hand. And Sam wonders why so many have less and less faith in Washington DC.

Almost any SMB owner that isn't concerned about cybersecurity should be. Losing access to your payment terminals, or email, or accounting docs, or production equipment, or any number of other computerized systems would be existential risks for SMBs across the country.

Maybe there's an argument that the government should do a better job systematically eliminating cybersecurity risks the way they do with natural disasters via building codes, but I'm not sure why a monetary handout would help things. Like, your idea of right sized government is half the country filing IT upgrade proposals with the feds?

Did I say they shouldn't be concerned?

After 2 years of Covid "disruption", immediately followed by war and drastic inflation and then predictions of recession, only the naive - and the government - would believe this ranks with SMBs.

> "I'm not sure why a monetary handout would help things."

Do you know any SMBs? Ever been one yourself? If the priority is to keep the lights on and make payroll, and they ARE struggling to do that, without support, sec isn't going to get much attention. If a pricey consultant needs to be brought in, how are they going to pay for that? How are they going to make time - and time is money - for that?

I do know SMB owners. A pair of the ones I know had their email hacked and used to scam customers with redirected payment details on large invoices. Losing tens of thousands of dollars in invoices didn't do anything to help with their payroll or their customer retention. Another had a beverage machine used as an attack vector for PCs on the network.

The government absolutely needs to provide simple guidance for SMBs that don't know better. That's what this is.