This week, U.S. Sen. Marco Rubio (R-FL), chairman of the Senate Committee on Small Business and Entrepreneurship, and Sen. Gary Peters (D-MI) introduced The Small Business Cybersecurity Assistance Act of 2019, which aims to better educate small businesses on cybersecurity through counselors and resources offered at Small Business Development Centers.
The bill directs the U.S. Small Business Administration to become a cybersecurity clearinghouse by consolidating and managing federal government cybersecurity materials so small businesses can easily access information in one place. It also requires Department of Homeland Security officials to train SBDC counselors on higher-level cybersecurity information and to develop cybersecurity materials they can disseminate to the small business community.
The bill incorporates recommendations suggested by DHS and SBA’s Small Business Development Center Cyber Strategy in a report published in March that described challenges small businesses face with implementing cybersecurity for their business, including the confusing nature of government cyber resources and a lack of training.
The news comes amid heightened cybersecurity threats. In the two months, at least three Florida cities have been victims of ransomware attacks, and not a month goes by when there is not a major breach in the news. Besides ransomware and privacy breaches, other threats to small businesses include supply chain attacks, phishing/email attacks, malware and cryptojacking, among others.
ADVICE FROM SMALL BUSINESS TRENCHES
Marc Farron, an IT consultant for Florida SBDC at FGCU, said 70% of small businesses experienced a cybersecurity attack and 2018 and 83% don’t even have a cybersecurity plan. The risks are real: 60% go out of business within six months of a major cyber attack, he said in a presentation at the Small Business Leadership Conference in Orlando in June, produced by the Jim Moran Institute and the SBDC Network. “You should be concerned. This affects you,” he said.
Small businesses need to follow a framework that provides a lens small businesses can look through to get a clearer view of cybersecurity risk and where they need to go. He recommends the NIST CyberSecurity Framework, by the U.S. Commerce Dept’s National Institute of Standards and Technology. It’s a voluntary guidance – in plain language — based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. It breaks it down in to five processes: “You Identify, Protect, Detect, once you detect you Respond and then you Recover,” Farron said.
Mitigating risk starts with identifying the risks. That means taking an inventory of your data/technology as well as your resilience requirements to run your business and detailing cyber roles and responsibilities within your org chart.
Two-factor identification should be part of your password management, which also needs to include frequent password changes. Farron also suggested employees access to data and being diligent about turning off access to departing employees and providing only temporary access to vendors.
As other experts have noted, spam and web filters, anti-virus software and spyware aren’t effective if they are not regularly updated, but you would be surprised at how many small businesses are lax about that, as well as on installing patching updates on operating system software.
And all the technology in the world may not save you if employees aren’t trained not to click on suspect emails and to monitor and alert about warning signs such as slowdowns, mysterious emails or popups and missing information. “When things go a little different, go tell someone,” Farron said.
DEVELOP A RESPONSE PLAN
Lastly, he said, develop a plan for how you will respond if you are attacked, including alerting customers of the breach required by law, if that is the case, and managing the PR risk.
“Stop making cybersecurity a technology issue and a constraining issue. … You have to manage risk and compliance,” he said.
As for the bill, it looks like the chances of passage are good. It has bipartisan support and U.S. Rep. Jason Crow (D-Colorado) introduced a companion bill that has already been added to the House’s version of the annual National Defense Authorization Act.
“As technology continues to play an integral role in the way business is conducted in the 21st century economy, we must equip our small businesses with the tools they need to combat cyber criminals and protect their networks,” Sen. Rubio said in introducing the bill. “Cyber criminals and state-sponsored foreign hackers continue to target small businesses’ online systems, paralyzing their networks and ability to operate,”
So more resources may be on the way. Still, with so many threats out there, from disgruntled employees and amateur cyber criminals to the Dark Web mafia and terrorists, it can be overwhelming for small businesses. Start somewhere. Start with software patching and awareness training and build from there.
READ MORE on GrowBiz: In the wild wild west of cyberattacks, security is everybody’s job
Please send GrowBiz topic suggestions and feedback to GrowBiz@FIU.EDU.