SBA, NIST Offer Small Businesses Advice: Take Cybersecurity Seriously

The federal government places tremendous emphasis on cybersecurity, both for its own networks and those of private-sector companies. According to a panel of federal officials and commercial cybersecurity experts, the government cares about cybersecurity at your local mom-and-pop shop, too.

At a panel discussion yesterday in Washington, D.C., hosted by the Small Business Administration (SBA) to mark the start of National Small Business Week, experts from Microsoft, payroll software leader ADP and security software company ESET North America said that it is incumbent on small business owners and employees to educate themselves about cybersecurity and what they can do to protect their businesses. The government officials also offered an additional comment on that front: We’re here to help.

The Role Government Can Play

SBA Deputy Administrator Douglas Kramer, who moderated the panel, noted that while many small business owners often do not have the time nor money to focus on cybersecurity, they face vulnerabilities that could fatally harm their businesses.

“The threat of cyberintrusion and theft is very real,” he said. “Small businesses measure assets and inventory in different ways, but they sit on a treasure trove of information.” That includes intellectual property, personal information about customers and employees, and credit card information.

Kramer said the SBA has found that almost half of small businesses have been the victim of a cybercrime at some point, with the average cost of an attack at $21,000. Attacks can come in many forms, including malware attacks and ransomware attacks, in which companies’ data or networks are held hostage by malicious actors in exchange for payment.

SBA has partnered with the National Institute of Standards and Technology (NIST) and the Department of Energy to run a series of cybersecurity trainings for small businesses, according to Kramer, and he pointed to the educational resources on cyber that SBA has on its website.

Pat Toth, supervisory computer scientist in the computer security division at NIST, said during the panel discussion that companies need to “provide fundamental training and awareness on cybersecurity for their employees,” especially for protecting against phishing attacks that can come through email.

Toth noted that NIST provides resources and training programs for cybersecurity, as does the Department of Homeland Security and Federal Trade Commission. She said by using those resources, as well as videos on YouTube, it is relatively easy for small businesses to get a “good, fundamental understanding of cybersecurity.”

While the federal government is not yet in a position where it can mandate the kind of online activity small businesses need to engage in to protect themselves from cyberattacks, Toth said that undertaking might be coming in the next year or two.

“What small businesses need to do is start thinking about it now and have those plans and policies and procedure in place,” she said. Toth added that the federal government does not want to take a “Big Government approach” to handling cybersecurity, but would encourage companies to have cybersecurity policies in their employee handbooks. She said that the goal is to raise awareness and have employees protect commercial devices, systems and networks just as they would their personal ones.

Private Sector Dangers and Responsibilities

Stephen Cobb, senior security researcher at ESET, said during the panel that cloud technologies, like many technologies, have benefits but also risks. He noted that companies can take advantage of cloud for backup options but that small businesses run into trouble when trying to deal with different kinds of cloud, including public and private clouds.

“That’s the area where an outside adviser or IT consultant can help a small business understand how they should be doing the cloud and leveraging that technology,” he said.

Cobb also said that companies need to take a close look at their contracts to ensure that they have adequate security protections. “Although you can outsource your storage or backup, you can’t outsource responsibility,” he said.

Matt Littleton, east regional director of cybersecurity and Azure infrastructure services at Microsoft, said the benefit of working with a cloud service provider is that the provider’s security protections can cover the “vast majority” of common vulnerabilities that hackers exploit to attack businesses.