As Congress this week considers legislation meant to better shield corporations and governments from cybercriminals, some experts worry the bills wouldn’t go far enough to protect and educate small businesses.
“It would be a step in the right direction, but not a panacea,” Todd McCracken, president of the National Small Business Association, said during a hearing held by the House Small Business Committee on Wednesday. He had been asked for his take on one of several bills teed up for a vote this week that would require businesses and governments to share details about data breaches and collaborate on ways to ward off attacks.
“Cybersecurity has emerged as a significant problem and concern for the small-business community,” McCracken said. He later added that “sharing cybersecurity information is useful, but what small businesses really need is to know how to use that information.”
His underlying point — that the government’s attempts to thwart cyber attacks must be coupled with stronger efforts to teach the business community how to detect and deal with attacks — was expressed by several experts on the panel. In other words, hacking attempts and data breaches are inevitable, they argued, especially against small businesses that criminals know are ill-prepared to defend themselves.
So in addition to protection measures, what businesses need are guidelines for how to quickly detect when an attack has happened and what to do to make repairs.
“There needs to be an education component to all this,” Dan Berger, president of the National Association of Federal Credit Unions based in Arlington, Va., said during the hearing. His group has long called for a national set of data security standards for retailers and merchants, which would give business owners clear direction for how to store and protect their information, as well as uniform guidelines for responding to a data breach.
Added Jane LeClair, chief operating officer at the National Cybersecurity Institute at Excelsior College in Washington, D.C.: “Often, small businesses don’t even know they have been attacked until it is too late.” LeClair later pointed to surveys showing that most small companies that fall victim to a serious cyber attack don’t recover; 60 percent of them go out of business.
One of the reasons many don’t notice an attack right away, she said, is that too few are actively monitoring and protecting their data. Caught up in the headlines about breaches at large corporations like Target, Home Depot and Sony, small employers commonly fall victim to the misconception that their company is too small to be targeted by data thieves.
However, as researchers wrote in a report released late last year by the Hartford, “Gone are the days when data breaches, privacy violations, and other network security incidents were only a big business problem.” Their report shows that a growing share of cyber attacks target small firms, yet surveys suggest business owners do not tend to take the threat seriously.
“A disconnect clearly exists between the reality of the situation and the cyber threat perception” of small employers, the researchers wrote.
The hearing was timed to coincide with votes on several cybersecurity measures. On Wednesday, the House easily approved legislation requiring private companies to give federal investigators more access to their internal data and computer networks, aimed at preventing attacks and tracking down the culprits when they do occur.
Under the proposal, data would pass through a civilian agency and be scrubbed of personally identifiable information before being put in the hands of any federal departments. Companies that share information with investigators or with other businesses would also be granted certain legal liability protections.
Other measures currently under consideration include the Data Security and Breach Notification Act, which was introduced into the Senate earlier this month and would create some of the national rules and guidelines for businesses that the panelists called for on Wednesday.