Small businesses are prime targets for today’s hackers, according to witnesses testifying before the House Small Business Committee on Wednesday.
“Like water or electricity, malicious actors follow the path of least resistance,” said Justin Zeefe, co-founder and chief strategy officer at Nisos Group. He explained that because small businesses often don’t have the resources or training to thwart cyberattacks, hackers will choose to go after a large number of them for a small sum, rather than a single, large company that poses a greater challenge.
“They often lack the capabilities or the resources to pursue strong, entitywide cyber protections,” agreed Nova Daly, senior public policy adviser at Wiley Rein. “Further, small businesses often may not be privy to the kinds of broad, industrywide threat notifications to which other companies may be.”
“According to a recent report by Verizon Enterprise, over 70 percent of attacks occurred in businesses with fewer than 100 employees,” said Rep. Steve Chabot, R-Ohio. Angela Dingle, founder, president and CEO of Ex Nihilo, added that approximately 60 percent of businesses close within six months of a cyberattack.
Daly argued that the governmental solution to these attacks, which so often devastate the businesses they target, comes in four parts: focus on laws and enforcement, promote cyber standards, engage small businesses in education outreach and funding, and address supply chain security issues.
“Our government simply does not have the resources to address all the cybersecurity-related issues faced by businesses, critical infrastructure, and government systems, let alone those faced by small businesses,” he added.
Jamil Jaffer, director of the Homeland and National Law Program at George Mason School of Law, said that many small businesses simply do not know who to go to when a cyberattack occurs, because agencies like the FBI, NSA, DOD, and others have all presented themselves as responders to foreign cyber threats.
“The first responder in these circumstances is the FBI,” he said.
Dingle pointed out that even with the many cybersecurity webinars and training tools released by the Small Business Administration (SBA), some small business owners do not have the means to take advantage of them.
“Depending on how small the business is, finding the time to participate in those and to stay ahead of and abreast of those is really what’s difficult. And so, again, these partnerships between the SBA, and resource centers, and organizations […] to educate small businesses is what I really think would be beneficial to them,” she said. “The SBA, even if it is able to help, has to first make businesses aware that these regulations and the cybersecurity issues apply to all of us.”
Cybersecurity also poses a barrier to small businesses engaging with the Federal government through contracts.
“Entry into the Federal marketplace can really make or break a revenue source for a small business,” Dingle said, adding that the security regulations placed on businesses wishing to work with Federal agencies are often prohibitive to small businesses.
“Small businesses must consider working together collaboratively,” suggested Jaffer. He said that buying capabilities together, investing in joint operations centers, and sharing cybersecurity information could give small businesses capabilities that they would otherwise not be able to get. He also testified that the government should endeavor to provide small businesses with useful information on foreign hackers as often as possible.