Cyberthreat Not on Small Business Radar
Many Small Businesses Think They're Immune from Attacks
When one's involved in information security 24x7 (okay, I take off from work from time to time, but don't tell my boss), it's easy to forget that the vast majority of the population remains oblivious to cybersecurity, especially how it affects them personally.
That lack of awareness was driven home this past week at a hearing held by the House Small Business Subcommittee on Health and Technology on protecting small businesses against emerging and complex cyber-attacks. The main takeaway from that hearing was that the biggest information security problem most small business operators face is that they're unaware they have an IT security problem.
"Most small businesses that have been hacked don't know they've been hacked," testified Justin Freeman, corporate counsel of Rackspace, an IT hosting company.
Nearly eight in 10 small business operators believe they're safe from cyber-attacks, subcommittee Chairman Chris Collins, R-N.Y., said in his opening remarks, adding: "Many of these firms have a false sense of security and believe they are immune from a possible cyber-attack. This is clearly a gap in education and resources."
Collins, later in the hearing held March 21, made this observation about small business owners: "They're coming to work every day, to make a sale, to have some cash in the bank, to pay their bills; [cybersecurity is] not on their radar. We want to put it on the radar."
A People Problem
How widespread is this lack of awareness about IT security among small businesses? Collins asked the witnesses, all from industry, what advice they would give to small businesses to secure their digital assets. Their responses were basic, time-tested measures very familiar to those who have paid attention to IT security for years: varied, long, multi-character passwords; encryption; compliance with IT security policies (the businesses must establish them first); and employee awareness.
"This is not just a technology problem, this is a people problem, so a lot of emphasis on the training and education," Phyllis Schneck, McAfee vice president and chief technology officer for the public sector, told the panel. "When you incorporate a new business, there are a lot of steps people know they need to go through, and not one of them is cybersecurity. That's an afterthought completely, so you already start off behind. Many small businesses are harboring some of the neatest inventions for the next decades; they don't necessarily think of where they store stuff or categorize those assets and how you protect it."
Another witness, Dan Shapero, an IT entrepreneur who represented the Computing Technology Industry Association at the hearing, said the financial burden caused by 47 different state breach notification laws could be eased by passage of a national breach notification law.
"The current patchwork of state data breach laws imposes duplicative costs and undue burden on SMBs (small and midsize businesses)," Shapero testified. "With our increasingly mobile economy, these laws are getting even more complicated to understand since it is not always clear what state a data breach may have actually occurred in, which can be different from where a consumer may reside. The creation of a national framework for data breach notification can go a long way toward reducing costs and eliminating barriers to entry for SMB firms."
Involving Small Business in Nation's Security Paradigm
Schneck pointed out that many, if not most, small businesses have neither the money nor the cyber-expertise to take advantage of institutions that help businesses secure their IT, such as sector-specific information sharing and analysis centers, so-called ISACs. She encouraged the subcommittee to conduct a study or hold hearings to develop policy proposals to get small businesses to participate in ISACs. "We need to find a way to include small business in our nation's security paradigm," she said.
Finding that way is where Congress can help lead.