Small business cybersecurity lagging as attacks increase – security experts
Small to medium American firms are increasingly becoming targets for hackers, and it’s driving many of them out of business, according to a panel of cybersecurity experts who spoke to the House Small Business Committee.
Sixty percent of hacked small to medium businesses are forced to go out of business within six months of being breached, Angela Dingle, founder of IT government consulting firm Ex Nihilo, told the committee.
Additionally, 60 percent of all online attacks in 2014 targeted small to medium businesses, Timothy Francis, enterprise leader of cyber insurance at Travelers, told the New York Times earlier this year.
Dingle and other witnesses at the Wednesday hearing urged committee Chairman Steve Chabot, R-Ohio, to explore new solutions and to pursue action.
“The innovative small businesses that are key engines of job growth and investment in our economy… must confront the very real threats we face in cyberspace,” testified Jamil Jaffer, director of the homeland and national law program at George Mason University School of Law.
“Hard targets [for hackers] are going to be bypassed, I know, because there are plenty of weak targets out there. So, how do we get this message across to our small business owners in a way they can understand; that you can’t afford to be a soft target,” questioned Rep. Trent Kelly, R-Miss.
Justin Zeefe, co-founder of cybersecurity consulting firm the Nisos Group, told the House committee that most small to medium business owners won’t understand the growing risk of cyberattacks until they actually see other companies fail.
Education, and more specifically awareness of the issue, Zeefe explained, is the missing link causing small businesses to not follow even the most basic cybersecurity practices.
Most small to medium businesses are unlikely to improve their cybersecurity posture unless there is a series of “existential events” that damage the reputations and financial standings of several medium to large businesses to the point where they go out of business, stated Zeefe — whose company employs several former U.S. intelligence officers.
“That, I think, will be the clarion call that brings some awareness to the table. By-and-large, the reason small businesses are being attacked with such aggressiveness is that they are so weak because they are the third party providers to larger organizations,” Zeefe testified.
He added, “the short answer is: I don’t know if anything can be done other than making this a public affair.”
Jaffer — who works full-time as vice president of strategy at former National Security Agency Director Keith Alexander’s Md.-based cybersecurity startup IronNet Cybersecurity — said that the so-called “first responder” for cyberattacks aimed at small businesses should continue to be the FBI.
The issue, however, according to Jaffer, is that small businesses remain confused regarding which organization in government is the actual “lead” authority for specific cyber defense purposes.
Because the Department of Homeland Security, Department of Defense and FBI all have a role and have talked about their individual capabilities to defend Americans from cyber threats, Jaffer worries that small businesses are confused and therefore ignoring the opportunity to share concerns and other threat data — to “build bridges” — with the federal government.
Existing cybersecurity information sharing policy, Jaffer summarized to the committee, is a good first step in a larger partnership that must also include participation from vulnerable, small businesses.