Small Business cyberattack congressional hearing

Cloud computing is seen as a way to protect small businesses, according to the testimony of the staff of these businesses, since the cloud provider has the staff to maintain sophisticated firewalls, keep malware protection and patches up to date, back up the data, and so on. But small businesses still need to protect their internal networks, protect their data as it is transmitted from one network to another, and protect their network endpoints (their individual PCs) from compromise.

If you own or work at a small business, this 65-page document may be of interest; I have only excerpted a small part of it.

MARCH 21, 2013

Chairman Collins: One reason we are having the meeting is to shine a light on the fact that 77% of small businesses are not even considering [cyber attacks and crime]. They are coming to work every day to make a sale, to have some cash in the bank, pay their bills. It is not on their radar. We want to put it on their radar.

What the internet does for small businesses

Our nation’s digital infrastructure has become an essential component of how small businesses operate and compete in the 21st century. It provides access to a variety of innovative tools and resources to help reduce costs and increase productivity. E-mail, social media, online sales, and global video conferencing are just a few of the examples. A couple of the most dynamic industries that have emerged are cloud computing and mobile applications. It is now easier than ever for small businesses to store and access their information from anywhere in the world without purchasing thousands of dollars in IT equipment. In addition, the boom in mobile applications is a great success story for both entrepreneurs looking to create the next best app and for small businesses that use them. From mobile banking to online marketing there is a plethora of applications available to help small business firms increase productivity.

America’s 23 million small businesses are some of the savviest users of technology by using the Internet to access new markets to grow and diversify. In fact, small businesses are the driving forces behind further technological innovation as they produce about 13 times more patents per employee than other businesses. For the established small business, modern technology can expand a firm’s client base using a company website, social networking, or other forms of online advertising. Firms can utilize voice and video communication as a low cost method to connect with customers around the world and reach previously untapped markets. They can store data online, access office productivity tools, and even improve the energy efficiency of their business.

40% of all threats are focused on firms with less than 500 employees. Nearly $86 billion is lost, with companies incurring an average of $188,000 in losses.

[There are a] growing number of cyber criminals trying to steal sensitive information, including intellectual property and personal financial information. These attacks can be catastrophic, leaving many small businesses unable to recover. A recent report shows that nearly 60% of small businesses will close within 6 months of a cyber-attack.

20% of cyber-attacks are on small firms with less than 250 employees. Small businesses generally have fewer resources available to monitor and combat cyber threats, making them easy targets for expert criminals. In addition, many of these firms have a false sense of security, and they believe they are immune from a possible cyber-attack. The same report shows that 77 percent of small firms believe they are safe from a cyberattack, even though 87 percent of those firms do not have a written security policy in place.

The sophistication and scope of these attacks continues to grow at a rapid pace. A report by the Office of National Counterintelligence Executive indicated that tens of billions of dollars in trade secrets, intellectual property, and technology are being stolen each year by foreign nations like China and Russia. These are not rogue hackers. They are foreign governments engaged in complex cyber espionage with a mission to steal our trade secrets and intellectual property. As the leader in producing intellectual property, the United States and small businesses will continue to be a primary target for cyber criminals seeking an economic advantage.

McAfee: attacks on the mobile space

[Attacks have increased] 70% in the past year. We went from 792 to 37,000 malware threats, with 95% of that increase in 2012. Small business leverages these mobile devices because they are inexpensive in many cases. They are easy. They can do their home transactions and their work transactions all at once. They take them on the road and they leverage them with cloud services, because there is very little computing resource on the small device, so they can outsource the data storage. The threats to this and to mobility: we see those threats of the adversary trying to access that device to get your personal information and/or access your computer network, so the small business that cannot necessarily afford a team to watch this has an even stronger vulnerability because they have so much of their infrastructure dependent on mobile.

What to do: passwords

McAfee, cloud service providers, and the other companies who testified promoted their own businesses to Congress as solutions.

Mr. Weber: If I was going to make one recommendation, the thing that hurts our customers more than anything else is using poor passwords. It sounds so basic. You would think that today in 2013 people would know what they ought to be doing, but they do not. They are very dumb about password selection. So today a secure password ought to be at least 12 digits long. It ought to have capital letters, it ought to have lower case letters, and it ought to have a number or two in it. A password like that is not going to be cracked. But small businesses do not want to do that because it feels inconvenient. There are all kinds of techniques you can use for generating these passwords and making them easy to remember.

Mr. Freeman: The number one threat we see to customers is when their systems are compromised because a malicious third party has garnered a list of passwords from another service. When you reuse the same password on your Evernote account as on your Gmail account and someone is able to hack one or the other, they get a list of the passwords and they are able to use that against all of your infrastructure. And routinely third parties will go out and simply bang against every provider available to see if the same user name and password combination exists.

What to do: Encryption

Businesses need to encrypt their sensitive data, both economically sensitive and regulated data. Encryption really is the only means that has the fundamental integrity with which to protect data. Because systems will be compromised, since we cannot guarantee that an intruder will not get access to a system, the only thing we can do is really secure the data that they might get access to, and encryption is far and beyond the gold standard when it comes to that type of security.

Firewalls, up-to-date networks, compliance policies

Mr. Shapero: Tip number one advice is make sure that your network is compliant. And when I say compliant, you do not just have anti-virus, anti-malware software, and a firewall in place, but you are making sure that all your definitions are up-to-date, meaning that you are up-to-date on what the latest threats are. That the firmware on your firewall is up-to-date so that you have got the latest and greatest to protect yourself from those threats. And also your operating systems. So all those patches that come out on a regular basis. They might seem like a nuisance to many small business owners and it may be a basic thing like passwords, but make sure that you are applying them as recommended by your IT service provider. Encrypting your data is also an important part of ensuring that you have a compliant network. Doing a periodic network scan is something that you should do as part of making sure that you have a compliant network. So there is a whole list of checklists to make sure your network is compliant. The next thing is policies. So you pointed out most companies do not have a written policy for their employees. It might be something like acceptable use for mobile devices in their organization. Am I allowed to have corporate data on my personal device? Am I allowed to have personal data on my corporate device? Because it can get really tricky when a device might be lost or stolen and you are trying to lock down that data if you do not have those policies in place. Policies for what to do in case of a breach. Who do I notify? Which of those 47 states am I required to disclose to when I have lost data from my consumers?

Also training. It is really an educational process, not only for the business owner but for their staff as well.

Ms. Schneck: I agree. This is not just a technology problem; this is a people problem. So a lot of emphasis on the training and education.