Yes, absolutely.
The CSE has put in place something called the small and medium baseline controls. If companies just did that, that chances are that they'd be fine because no state-level threat actor is going to go after a small business, especially if they're hard to get into. It's just not worth it.
We put the baselines in place, but the problem is that while they exist, most companies are not doing them. The threat is not enough to spur them to action, so you have to incentivize them. I would consider looking at a tax credit of some sort. If you gave small and medium enterprises 5,000 bucks back on their taxes, chances are they'd put those baselines in place.
If every small and medium enterprise in the country did it, it would cost you $50 million. I can guarantee you the amount of money being sucked out of the economy by cybercrime is a lot higher than that, so it's good economic policy. It also makes our companies more resilient.