This month, the United States House of Representatives Committee on Small Business held a hearing on cyber risks facing small businesses and issued guidance to assist in addressing the challenges. The hearing included testimony from Maureen Ohlhausen, Acting Chairperson of the Federal Trade Commission, who warned that, in the case of small businesses, a data breach can be devastating. In fact, Chairperson Ohlhausen noted that the majority of cyberattacks target small- and mid-sized businesses, and, according to the National Cyber Security Alliance, approximately 60% of small businesses go out of business within six months of a breach.
Regarding data breach responses, the Committee suggests that small businesses follow the measures recommended by the FTC’s publications “Protecting Personal Information: A Guide for Business” and “Start with Security: A Guide for Business.” The Committee stresses the importance of immediate steps, including assembling the best cross-functional team reasonably available to the small business, securing physical areas, and taking affected equipment offline to stop additional data loss. Next steps include interacting with service providers and forensic examiners, as well as having a communications plan in place. Further and careful consideration must be given to all notification requirements.
Regarding the challenges posed by increased connectivity, the Committee suggests that small businesses should start with the fundamentals to understand the evolving Internet of Things and take advantage of what experts have already learned about security. Businesses should design their products with proper authentication, which is a must in the Internet of Things. Careful consideration must be given to protecting the interfaces between a company’s product and other devices or services.
Regarding best practices to protect personal information, the Committee stresses the following basic but often ignored key principles:
• Take stock of the business’ personal information in its files and computers
• Scale down information by keeping only what must be maintained
• Lock down and properly protect maintained information
• Properly dispose of information that is no longer necessary
• Create a plan in advance to respond to security incidents
The cyber risks and challenges facing small businesses can be daunting. Sole proprietorships and companies with only a few employees typically lack full-time information technology or human resources staff. They can fall easy prey to attacks on their network or phishing schemes. In addition to these preventative challenges, small companies may not be fully prepared for the typically rapid response required once a breach is discovered, including getting a full grasp of any notification requirements under the law. As the House Small Business Committee stresses, vigilance is a must for small businesses, and they must make full use of available resources to ensure cybersecurity.