New federal cybersecurity legislation could help small businesses better protect themselves from hackers, a Louisville cybersecurity expert said.
However, a small business advocate said that yet-to-be developed standards could be too onerous for very small businesses and could prevent them from landing lucrative contracts.
President Donald Trump on Aug. 14 signed the NIST Small Business Cybersecurity Act, which requires the National Institute of Standards and Technology, part of the Commerce Department, to develop and disseminate resources that help small businesses reduce their cybersecurity risk.
And that risk is increasing, according to analysis from public and private sources. Data breaches last year were up 45 percent over the prior year, according to the Identity Theft Resource Center. Last year, 61 percent of small- to medium-sized businesses told the Ponemon Institute that they had been affected by an online attack, up from 55 percent the year before.
And according to Louisville-based CloudNexus, it takes small businesses 146 days on average even to detect an attack, and when they do, the costs run between $84,000 and $1 million.
U.S. Sen. Brian Schatz, D-Hawaii, one of the authors of the NIST bill, said that as more small businesses rely on the internet to run efficiently and to gain customers, they remain vulnerable to cyberattacks.
“But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers,” Schatz said in a news release.
Molly Day, vice president of public affairs for the National Small Business Association, told Insider that cyberattacks are rising and for many small businesses represent a huge concern.
Many small businesses handle sensitive information, including credit card and Social Security numbers, and protecting that information causes small business owners a tremendous amount of stress, Day said, especially as the frequency and sophistication of cyberattacks continue to rise.
A breach can be costly to fix, she said, and can cause a significant amount of reputational damage.
“The repercussions … could be devastating to a lot of small businesses,” Day said.
According to CloudNexus, 60 percent of small businesses close within six months of a cyberattack.
Jay Rollins, the firm’s founder and CEO, said that some small business owners believe that hackers are unlikely to target them because of their operation’s size, but hackers know that small businesses are less likely to be able to prevent breaches, which makes them an attractive target. Cybercriminals don’t have to breach a corporate giant to be successful, he said, because they can more easily breach hundreds or thousands of small businesses instead.
Rollins, a software developer by trade, said that cybercriminals also like to target small businesses because they are a vital part of the nation’s supply chain and typically are connected to the larger companies for which they do work. For example, rather than attacking a power plant directly, hackers may exploit weaknesses in the defenses of the plant’s HVAC contractor, and that breach may eventually give them access to the power plant’s systems.
CloudNexus provides cybersecurity services primarily for health care companies, but also for contractors, financial services and legal firms. Rollins said his company protects data for clients, but also conducts penetration tests and helps businesses recover after a breach.
The recently passed federal legislation to help small businesses makes sense, Rollins said, because the existing NIST framework was developed primarily for large organizations and is too cumbersome for small businesses.
Given small businesses’ limited cybersecurity resources and expertise, sharing best practices can be very helpful, Rollins said, especially because many small business owners and their employees still make basic, easy-to-fix errors that put their data at risk.
According to CloudNexus, more than three-quarters of employees click unknown links despite knowing the risks, and 81 percent of hacking-related data breaches involved weak or stolen passwords. The Ponemon Institute said that about 60 percent of the small to medium-sized businesses responding to its survey “do not have visibility into employees’ password practices,” and that while 43 percent had a password policy, 68 percent of those did not strictly enforce it.
Day said that NIST guidelines may help small business owners to protect themselves from hackers, but the Commerce Department has to make sure that small business representatives can provide input as the standards are being developed.
Compliance hurdles that a business with 250 employees can easily clear may be far too high for a business with a handful of workers, she said.
If the requirements are too onerous, Day said, small businesses may lose revenue as their clients remove them from the supply chain for noncompliance with the standards.