I worked for two small businesses in the early 2000s. I was responsible for managing a Network and Security Operations Center that monitored and managed several federal agencies’ networks and systems — an environment that was much different than it is today. We focused on changes to the operating environment — internal threats. However, we operated in an environment where more than 50 percent of American households had internet access. The sophistication of the security tools at that time was limited, so threats like the Sapphire worm were able to infect hundreds of thousands of computers in less than three hours.
Fast-forward to today where at the U.S. Small Business Administration (SBA), I am responsible for securing and protecting the data of millions of entrepreneurs and small businesses across the country. Nearly 30 million small businesses employ approximately 50 percent of the nation’s workforce, and these small businesses are also responsible for protecting their own data.
Small businesses are targets, and many are unprepared for cybersecurity challenges including ever-changing and increasing threats from malware, viruses and ransomware against intellectual property and company data. Nor are they adequately prepared to recognize or respond to an internal or external incident.
Business owners depend on information technology to protect not only their own data, but their clients’ data as well. Further, intellectual property must be protected. Cloud technologies make it easy to buy technology applications such as human resources and financial applications — no hardware or software capital expenses required. It’s all about the data, and data is an asset that has significant financial value.
It is important for small-business owners to understand the protections afforded by their cloud-based technology service providers. Is the data stored in the United States? Is it backed up, and where? What is the recovery or restoration time? How do I know I can trust my provider to protect my data? What happens if there is a security breach? What are the liabilities in case of a security breach, and who is responsible?
Small businesses have public records such as business licenses, DUNS records and articles of incorporation. Even registering for a web domain can expose business owners to cyberattacks if their profile is public. Each of these pieces of public information in aggregate can be compiled by cyberattackers, making business owners and their employees vulnerable to identity theft.
A small-business owner must understand his or her data exposure when employees are connecting to a public network such as the local coffee shop. Not only is it about protecting the data, but securing the connection to the data. And, it is critical to train employees on basic security awareness to address phishing and spam attacks from social media, social engineering, messaging services, and other technology or human interactions.
A small-business owner cannot be naive and assume that insider threat is not a factor. Insider threats include personnel, facilities, information, equipment, networks and computer systems. Research indicates that insider threat is a major factor for all organizations.
Navigating the many resources available is a challenge and can be confusing, especially if business owners do not understand what they need, what they must protect, and what their responsibilities are.
There are 46 identified cybersecurity programs, projects and activities available to small businesses across the federal government alone. Additionally, cybersecurity resources for small businesses can be found in a myriad of other venues, including state and local web sites, online courses, and workshops from groups such as the National Cyber Security Alliance and local chambers of commerce.
Business owners can learn how to detect a breach; be safer online; and identify key assets and ransomware and phishing attacks, to name a few. Some worthwhile investments business owners should consider are cyber insurance and subscribing to alerts from the United States Computer Emergency Readiness Team (US-CERT). US-CERT is simple, free and provides valuable and timely information on cyberthreats and vulnerabilities.
The SBA, in partnership with the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST), is responding to Congress’ instructions to develop a Cyber Strategy for Small Business Development Centers (SBDC). The SBDCs must advance their capabilities to provide cybersecurity support to small businesses.
The SBA is uniquely positioned to provide the outreach and cyber-advising expertise that is responsive to small business concerns. SBDCs leverage existing partnerships and develop new ones with federal, state and local governments; educational institutions; and other private companies. In partnership with the SBA, DHS has a critical role leading the development of cybersecurity guides and promoting cybersecurity resources.
It is often stated that a breach in security is not “if” it will happen, but “when” it will happen. Organizations of all sizes have dealt with security breaches, and in the last few years, the number of cyber incidents has increased substantially. It is imperative for small businesses to be adequately informed and prepared. Small businesses constantly face this paradox: either focus on growing their business or divert their attention to cybersecurity.
This is where SBA plays a vital role with small businesses: The SBA provides the assistance small businesses need, so they can focus their energy on business growth. As small businesses grow, so too does our nation’s economy.
• Maria Roat is Chief Information Officer at the U.S. Small Business Administration.