Small business cybersecurity act becomes law, but is it enough?