Federal legislation pushed by U.S. Sen. Gary Peters would boost the ability of Small Business Development Centers to help small employers guard against cyber attacks.
The bipartisan bill, which Democratic Sen. Peters of Michigan co-sponsors with Republican Sen. Marco Rubio of Florida, would enable the more than 1,000 SBDCs around the nation to coordinate with the U.S. Department of Homeland Security for distributing information on cybersecurity. Homeland Security also would have to develop materials for SBDCs to use in training programs on cybersecurity for small businesses.
The bill also would establish a nationwide common training program for SBDC consultants that provide cybersecurity training. It would require that the U.S. Small Business Administration (SBA) create and maintain a clearinghouse of the “most appropriate materials that can and should be used for small business to help advance the topic and the security of small business,” said Zara Smith, strategic programs manager for the Grand Rapids-based Michigan Small Business Development Center.
That kind of continuity is important because of the need for consistency in cybersecurity information and best practices for training, Smith said.
“We have a strong program in Michigan. That’s not the same in every state because of resources and because of vulnerability,” she said. “Continuity is so important because small businesses’ supply chains stretch nationwide. They are part of a nationwide supply chain, sometimes global, and strengthening everyone is in everyone’s business interests.”
Constantly evolving threats also require a better coordinated prevention effort and continuity in training, Smith said.
“As people learn and protect themselves from one threat, a new threat arises,” she said. “So it’s a constant battle. It’s a never-ending engagement.”
Introduced on June 27, the proposed Small Business Cybersecurity Assistance Act of 2019 sits in the Senate Committee on Small Business and Entrepreneurship, which Rubio chairs.
In proposing the legislation, Peters cited data in a March 2019 Homeland Security and SBA analysis that noted 85 percent of small business owners feel unprepared to handle an attack. More than 90 percent felt they lack adequate resources to protect themselves, according to the Homeland Security report that cited results of an SBDC survey.
The report found that “small businesses are fully cognizant that they need to take additional measures to protect against additional cyber threats.”
The bill seeks to add ammunition to the effort to protect small businesses from cyber attacks through better coordination between Homeland Security and the SBDCs.
“As we’ve seen in recent years, a breach at a small business not only has devastating consequences for that company’s future, it can also be the doorway for breaches of larger companies,” Peters said. “Yet too many small business owners say they lack the resources they need to safeguard their businesses and customers from hackers, fraudsters, and cybercriminals. This common-sense legislation will help ensure small businesses can access much needed information and training to secure their systems from malicious cyber-attacks.”
‘Room for improvement’
The Michigan SBDC, which serves more than 5,500 small businesses annually in the state, has placed greater emphasis on cybersecurity over the last few years, offering regular webinars and seminars on how small businesses can better protect themselves.
Cyber attacks “can be just as potent for some businesses” as a natural disaster, Smith said.
“Cybersecurity is a very hot topic. It’s the one disaster that can hit Michigan businesses and has the potential of doing a ton of damage,” she said. “It is part of our business reality now.”
In an annual survey by Grand Rapids-based I.T. provider US Signal Co. LLC, 83 percent of responding companies reported they had been hit by a distributed denial of service attack within the last two years. One in five said they had experienced several denial of service attacks, in which hackers get into a company’s network and disrupt service.
Trevor Bidle, vice president of information security and a compliance officer at US Signal, called the survey results “jarring” and said they served as a demonstration that “there is always room for improvement in keeping up with modern cyber threats.”
“While the survey showed that there is a clear culture of investing in I.T. security solutions across organizations, there seems to be a need for more robust security tools and managed services to help resource-strapped technical teams,” Bidle said. “The reputational and financial damage that an online attack can cause a company is immense, and we hope security vendors and service providers can use this data to enhance their offerings and further protect their customers’ websites and applications.”
More than one in four of the 100 I.T. professionals responding to the US Signal survey listed denial of service attacks as the most prevalent threat, followed by ransomware attacks at 33 percent and malware at 19 percent.
One in four respondents also said their company experienced a cyber attack on their web applications within the past two years, and 46 percent said they were attacked multiple times, according to US Signal.
Respondents put the cost to the company from a cyber attack at an average of $152,439.
The 2019 Data Breach Investigations Report by Verizon indicated that 43 percent of all cyber attacks are committed against small businesses, which generally lack the resources of larger companies or corporations to adequately protect themselves or respond to an attack.
More than half of breaches even took “months or longer” to discover, according to the report.
“(Corporations) can afford to invest in some pretty serious hardware and software, and small businesses can’t,” Smith said. “When you think of the bakery on the corner, or the mom and pop or the smaller service businesses, in a lot of cases, the I.T. hat is being worn by somebody with another four hats. There isn’t the time or the ability to be aware of all of the threats, or really to spend a lot of time being focused on them.”
That’s where the Michigan SBDC seeks to help, Smith said. Through education and prevention, the SBDC looks to “strengthen the team” at a small business and “starts laying the foundation for a cyber-safe culture in a business,” Smith said.
Smith notes that many hacks originate when someone at a company clicks on a link in an email “they shouldn’t have clicked on,” leading to an attack.
The SBDC also maintains the cybersecurity website smallbusinessbigthreat.com. The website lists upcoming webinars this month, as well as offers security assessments and white papers on issues such as online security best practices and how to respond to an attack.
The March SBA and Homeland Security report described the website as a “robust cybersecurity education portal.”