Finally, DC pols tackle huge small-business cyberthreat

Sixty percent of small businesses shut down after a cyberattack.


The House recently passed the Improving Small Business Cyber Security Act of 2016, one of the first bills intended to help small businesses fight escalating cyberthreats.

The bill is a start, but it's been a long time coming. Complaints have been rising from the small-business community — a segment employing half of all private-sector workers — that current law mostly benefits only big business.

These are early days: having passed the House, the bill now moves to the Senate. Still, here are some thoughts on how such a bill could be implemented, how the government might help mitigate cyber risk for small business, and how small businesses can protect themselves.

Small businesses are getting squeezed from all sides on cybersecurity.

Attacks against them are at an all-time high. Today approximately 71 percent of data breaches target small businesses. The average estimated cost of attacks on small business is $7,100 ($32,00 in cases where money was stolen from accounts), and 60 percent of small businesses end up shutting down after a cyberattack.

But attacks themselves are not the only problem. Large businesses assessing their supply chains are increasingly mandating that small-business partners shoulder risk for breaches that occur through their systems.

Finally, many small-business owners think outsourcing elements of their businesses to larger companies may protect them, but this is not always true. A year ago credit card companies shifted liability for fraud to merchants who do not implement chip and PIN technology (yet 25 percent to 33 percent of small businesses still do not use this technology).

In addition, while some vendors claim to have robust cybersecurity, fine print reveals some are describing their own security, not necessarily how they help their small-business customers secure data.

A key role for SBDCs

The bill tasks Small Business Development Centers with becoming resources on internet security. How SBDCs accomplish this will be determined by the Small Business Administration and Department of Homeland Security.

SBDCs arose from the Small Business Act of 1953 to provide free or low-cost training and counseling to small business on financial, marketing, organizational and other matters. There are 63 lead centers and almost 1,000 service centers across the country. Many centers already provide some cybersecurity training.

Approximately 450,000 entrepreneurs are assisted annually by the SBDCs, which, while impressive, is a fraction of the 28 million small businesses nationwide. One challenge for the SBA will be scaling cybersecurity programs to reach as many businesses as possible.

SBDCs help business owners secure SBA-backed loans and other financing, raising $4.7 billion in 2015. Marrying cybertraining (such as an online certification course) with the SBA loan-application process could be one way to encourage best practices.

Similarly, the SBDCs help businesses secure government contracts (more than $1.1 billion in 2015). As the government increasingly considers cybersecurity in its contracting process, SBDCs are poised to assist, perhaps via the SBA's HUBZone Certification Program (which certifies small businesses for access to federal procurement opportunities).

It is important the onus be not just on small businesses; many may lack the resources to fully protect themselves regardless of how much training they receive.

Perhaps an SBA certification system for companies who work with or sell to the small-business market — an accredited "cyberpartner program," if you will — would reduce the burden on small business, give businesses confidence in the partners they choose, and reduce the dampening effect that cyber risk may be having on small-business growth in this country.

Tips for business owners

Regardless of how this legislation plays out, it will take time before small businesses benefit. In the meantime, they must take steps to protect themselves. Here are some tips to help:

  • Create a cybersecurity policy, even if you are a sole proprietor. If you have employees, ensure they are trained on your policy and receive periodic refreshers. A trusted advisor, such as an attorney, can help you build a policy that works for your business.
  • Incorporate or form an LLC; this separates personal from business assets and helps protect the business owner(s).
  • Conduct a risk assessment, and if your risk is high, consider purchasing small-business cybersecurity insurance.
  • Make cybersecurity a factor in your vendor selection criteria; do not assume vendors will protect you, and read fine print carefully.

By James Cusick, chief security officer and director of IT operations for Wolters Kluwer's BizFilings, which works with small businesses on incorporation.