House panel presses DHS, FBI to help small biz with cyber defense

Small businesses are facing big hurdles when it comes to implementing cybersecurity defenses -- and some in Congress think they can help.

At a House Small Business Committee hearing Jan. 30, lawmakers pressed cybersecurity experts from the FBI and Department of Homeland Security about how legislation, and by extension the federal government, could help defend U.S. small businesses from attacks.

Howard Marshall, deputy assistant director of the FBI's Cyber Division, said the problem is "bad and getting worse" based on the number of cases referred to the FBI for investigation and the number of attacks known to have been prevented. Marshall estimated that business email compromise, ransomware attacks or phishing scams that target businesses with foreign suppliers have increased at least 40 percent year over year, resulting in millions of dollars in losses, according to his testimony.

Fellow panelist Richard Driggers, DHS deputy assistant secretary for cybersecurity and communications, said that basic computer hygiene, such as regular software updates, could keep small businesses safer.

"It doesn't take sophistication to exploit a vulnerability in a small business. And I think all small businesses need to assume that they have some type of vulnerability that exists within their networks or devices that they're using," Driggers said. "A lot of small businesses don't have the resources to really put in place very sophisticated cyber defense mechanisms. But they do have the resources to do the low-cost things … and that should be the focus."

Committee Chairman Rep. Steve Chabot (R-Ohio) touted a bill introduced in December, the Small Business Advanced Cybersecurity Enhancements Act of 2017, that would amend the Small Business Act to provide businesses resources for cybersecurity protections and increase information sharing.

Companies are often reluctant to share information because it could lead to embarrassment or devaluation of their companies. A 2017 Ponemon Institute study found that public companies experienced an immediate 5 percent hit to stock prices following a breach disclosure. But Marshall said information sharing wasn't a "gotcha game" where the feds would report companies to regulators for failing to secure their data. All information shared with the FBI and DHS from cyberattack victims is anonymized, he said.

"I understand the stigma to a degree because who wants to do business with someone who can't protect their data. And you see that in small firms and you see it in big firms too," Marshall said. "But what it's going to take to get over that stigma -- I'm not entirely sure. Pushing the message of better cybersecurity is pretty much all we can do."

Overall, gaps in knowledge and training are what make businesses vulnerable to attack. Small businesses are "underprepared" in part because cybersecurity isn't considered a business expense, even for bigger firms, Marshall said.

"The best thing small businesses can do is elevate the need for cybersecurity within their organizations. Hire capable, competent people to help protect data, create a culture within the organization that promotes security. It's gotta be something you do every day; it can't be after the fact," Marshall said.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at lwilliams@fcw.com, or follow her on Twitter @lalaurenista.
