No Quick Fixes for Small Business Cybersecurity


Small businesses are being pummeled by cyberattacks, but witnesses split on possible fixes during a House committee hearing.

Small businesses are frequent targets for cyberattacks and the results can be devastating, but there’s no quick fix, advocates told lawmakers during a Wednesday hearing.

There’s no uniform standard small businesses can adopt to ensure they won’t suffer a cyber breach, denial-of-service or ransomware attack or to ensure they won’t be pummeled with financial losses and lawsuits when they do.

Even when small companies want to protect themselves, they often don’t know where to turn for help. Or they may lack the financial resources for security that goes beyond basic antivirus protection and making sure their systems are reliably patched.

“The average small business owner is what we call trapped in a whirlwind,” Charles Rowe, president of America’s Small Business Development Centers, a trade association, testified before the House Small Business Committee. “They’ve got 5,000 things to worry about, and sometimes this is not the wolf closest to the sled.”

Rowe advocated during Wednesday’s hearing for an interagency committee designed to help companies adopt cybersecurity best practices, similar to the Trade Promotion Coordinating Committee, which was created to aid exporters.

Jim Mooney, cybersecurity chair of the National Association of Federally-Insured Credit Unions, urged the government to develop national cybersecurity standards for companies similar to those currently required for banks and other financial firms under the Gramm-Leach-Bliley legislation.

Those standards should focus on providing “flexibility, scalability and risk-based assessments,” he said.

Companies are notoriously wary of new regulations, however, and cyber threats often move too fast for firm regulations to keep up.

Companies not bound by specific regulation are currently required to take “reasonable steps” to protect customer data, according to the Federal Trade Commission.

That vague standard, however, can be concerning for companies, Rowe said.

“What’s reasonable is shifting all the time and it’s hard to tell if you’re a small business where the bar has moved to,” he said.