A bill making its way through the U.S. Senate proposes to do what cybersecurity experts say is long overdue: Create a set of resources and guidelines small businesses can use to protect themselves from a steadily increasing number of cyberattacks. If passed, the Main Street Cybersecurity Act, introduced at the end of March, would update the Cybersecurity Enhancement Act of 2014, which called for the National Institute of Standards and Technology to provide a voluntary set of guidelines for big businesses to follow in order to manage and reduce their cybersecurity risks. As a result of the 2014 act, cybersecurity became one of NIST's primary focus areas, and the federal government made a verbal commitment to fund cybersecurity research. This new piece of legislation — discussed during a meeting of the Senate Committee on Commerce, Science and Transportation on Wednesday — directs NIST to consider small businesses in updating those guidelines. "By creating a simple, voluntary cybersecurity framework for small businesses, the Main Street Cybersecurity Act will help them protect their data," said Sen. Maria Cantwell, D-Wash., one of the bill's five co-sponsors, in a press release.

A national crisis

The latest surveys show that small businesses need all the help they can get. In the last 12 months, hackers have breached half of all small businesses in the United States, according to the 2016 State of SMB Cybersecurity Report. Small businesses, which often don't have the revenue to afford their own IT departments, are especially susceptible to phishing attacks via email or fraudulent activity happening in their e-commerce shops. Some attacks can derail a small business' money-making activities for up to a week.

Despite the statistics showing how vulnerable they are, many of America's 28 million small businesses aren't thinking about cybersecurity. "Most small-business owners don't think they're at risk. As a result, it's fair to say they are indeed ill-prepared to safeguard against an attack," said Bryan Seely, a network engineer famous for hacking into the FBI. He now teaches an online course in ethical hacking for Udemy. A survey published by Manta last month shows that 87 percent of small-business owners don't feel that they're at risk of a cybersecurity attack, and 1 in 3 small businesses don't have the tools in place — firewalls, antivirus software, spam filters or data-encryption tools — to protect themselves. "The general majority of small-business owners don't have an IT person. It's not the first place they spend their money," said John Swanciger, CEO of Manta. "They're really relying on themselves to update their software and check for security patches."


Oftentimes small-business owners don't know where to begin when it comes to beefing up their cyberdefenses, according to Matt Bromiley, a senior managing consultant at Kroll, a New York-based risk consulting firm. "One of the biggest things I get out of small-business clients is, 'What can I do to prevent this?'" he said. When people think of hacking attacks, they're inclined to remember high-profile incidents that affected millions of customers. To small businesses, the targeting of Home Depot and Target in recent years seems to indicate that hackers are more interested in grabbing large amounts of credit card data and personal information at one time. But now hackers, keen to make a quick buck, are turning their attention to small and medium-size companies. They attack e-commerce shops to try to steal customers' credit card information. Ransomware, which has been used by hackers interested in holding digital data hostage to extract sums of money from large companies, is now being used on small businesses, which often don't have the money to investigate a cybersecurity attack but do have just enough to pay ransoms in the $3,000 to $5,000 range to regain control of their data and computer systems. Not to mention that the hacking of Target in 2013, which led to the theft of 70 million customers' personal data, is believed to have been the result of a prior breach: Hackers gained access to Target's network by first gaining access to the network of the small business the retail giant used for heating and air-conditioning services.

Deadly consequences