It’s time for the federal government to incentivize cybersecurity

It should come as no surprise to learn that cybercrime is on track to cost the global economy more than $600 billion in 2018. What is surprising, however, is that many of the organizations contributing to such economic peril are not of Fortune 1000 status, but rather they are the small and midsized businesses that drive the U.S. economic engine.

Today, hackers, fraudsters and cyber criminals regularly target smaller companies as larger organizations prove more difficult to breach due to the time, money and resources they have to invest in cybersecurity. A recent survey by Hiscox found that nearly half of all small businesses have experienced at least one cyberattack in the past year at an average cost of $34,604 to remediate.

Similarly, Symantec research concludes that 43 percent of all cyberattacks now target small business, while 6 in 10 of such businesses go out of business for good post breach.

Cybersecurity threats to small business

The vast majority of small businesses do not have the time, money and resources to invest in the depth of cybersecurity needed within today’s threat landscape. That’s unfortunate, as only 16 percent of small businesses report being very confident in their cybersecurity readiness, and barely half had a clearly defined cyber security strategy, according to Hiscox.

Today, SMBs rely primarily on outdated firewalls and consumer-grade solutions, or the limited security inherent to the cloud apps they use most. However, such confidence in cloud app security is misguided, creating a false sense of security. For a variety of reasons and unbeknown to most users, cloud apps, such as Office 365, G-Suite, Dropbox, Slack, etc., are highly vulnerable to cyberattack. With low risk and high reward for attackers, cloud apps mask as a primary attack vector on a regular basis.

Making cybersecurity accessible to small business

Knowing the increase in attacks targeting small businesses will not moderate anytime soon, and that the financial burden of implementing strong cybersecurity will price out many of the 30.2 million American small businesses, it’s time for the federal government to act. Offering incentives, such as tax credits or reduced costs, to small businesses to invest in cybersecurity tools could not only boost innovation and help companies acquire a much-needed safety net, but it would improve security across the entire economy.

With small businesses making up almost half of U.S. private sector employment, any mass increase in downtime and forced closures due to cyberattack, such as a data breach, would likely have ripple effects throughout the public and private sector. Such a reality represents a daunting proposition for what is already a fragile U.S. economy hampered by inequality, stagnant wages, and soaring debt and deficits.

Incentives would offer the same endgame as regulations without the stigma of companies being forced to do something. In fact, there are many cases where the federal government has used tax rebates, deductions and credits to encourage behavior that may have otherwise not occurred or been financially unattractive.

The federal solar tax credit, for example, allows consumers and businesses to deduct 30 percent of the cost of a solar system from their federal taxes, has helped consumers bridge the cost gaps in solar panels. This has made it more affordable for consumers and has encouraged more innovators to enter the space and improve the technology. Federal incentives have also been partly responsible for the rapid advancement in wind power and electric vehicles. And they have also been used to encourage the purchase of health insurance at a time when rising health costs are contributing mightily to the national debt and deficit.

Some states are already offering cybersecurity industry incentives. In Maryland, the Cybersecurity Investment Incentive Tax Credit offers a refundable income tax credit equal to 33 percent (up to a maximum of $250,000) for companies that invest in a qualified cybersecurity company. Recently, The Mayor’s Office of the Chief Technology Officer (MOCTO) of New York City, launched a ‘moonshot’ challenge, incentivizing the cybersecurity community to devise “new, affordable and scalable solutions to protect New York’s small and mid-size business from cyber-attacks.”

Maryland and New York aren’t alone. According to the National Council of State Legislators, “states are addressing cybersecurity through various initiatives, such as providing more funding for improved security measures, requiring government agencies or businesses to implement specific types of security practices, increasing penalties for computer crimes, addressing threats to critical infrastructure and more.”

Now, action is needed at the federal level. While such incentives do carry a price tag, the Atlantic Council and Zurich Insurance Group noted that a completely secure internet could result in a global net gain of $190 trillion by 2030. Incentivizing the adoption of and investment in cybersecurity could significantly reduce risk across the entire U.S. economy.

Democratizing cybersecurity through incentives

Incentives for cybersecurity adoption would likely reduce risk to not just individual businesses but would have the same effect throughout the entire economy. With global trade and economic tensions heightening, we as a country cannot afford to wait for small businesses to find the means to afford the cybersecurity that they now need, and we certainly cannot expect cybersecurity companies to reduce their costs of goods and services. Instead, we must look to the federal government to join states and municipalities and formulate an incentives program that does more than simply encourage smaller businesses to adopt cybersecurity – it makes it realistic for them to do so.