Committee on Small Business Chairman Steve Chabot (R-OH) recently chaired a full committee hearing on the threat of cyber attacks on small businesses in the U.S.
“According to a recent study, over 70 percent of cyber attacks occur in businesses with fewer than 100 employees,” Chabot said at the start of the “Foreign Cyber Threats: Small Business, Big Target” hearing. “The average cost of recovery for a cyber attack is $32,000.”
“Symantec found in June 2015 that 75 percent of cyber attacks were directed at organizations with fewer than 2,500 employees – a dramatic increase from years prior,” Jamil N. Jaffer, director of the Homeland and National Law Program George Mason School of Law, testified. “Not a week goes by that we don’t read of a major data breach in the paper, with mention of what the attackers stole, and often how they managed to gain access.”
Small businesses are increasingly reliant on foreign technology products and services to remain competitive in the global economy. As a result, the committee has learned during prior hearings, some foreign telecommunications firms are taking steps to develop a link to American companies and markets, with small businesses serving as one of the top targets.
“The FBI reports that foreign actors and nations are responsible for many cyber attacks and they steal private data and trade secrets,” Chabot said. “Russia and China are the two largest foreign actors in cyber espionage.”
Chabot added that persistent attacks have also been traced to China.
“Why do foreign cyber threats target small businesses?” Justin Zeefe, co-founder and chief strategy officer at Nisos Group, testified. “One word and one analogy are sufficient to encapsulate this trend. The word is ‘profit’ and the analogy is that like water or electricity, malicious hackers follow the path of least resistance. As larger organizations professionalized their defensive and reactive postures to cyber incidents, and as stolen data became less profitable due to a stricter regulatory and law enforcement environment, threat actors – in search of profit – turned their focus to targets which had neither the capacity nor the budget to address cyber threat.”
Zeefe said that a failure to adapt by small businesses is one of the main reasons for the explosive growth of successful ransomware attacks.
To counter such attacks, Jaffer said, small and large businesses alike must first seen the need for cyber security at all levels of the company.
“Such buy-in will help drive appropriate resource allocation decisions that may not otherwise be prioritized,” Jaffer said. “Second, small businesses must consider working together – for example, within a given industry – to leverage their buying power for cyber security services and to take advantage of common services, such as a common security operations center, large scale cyber defense system, and the like.”
Jaffer added that small businesses need to find a way to work with the government and large businesses to share cyber threat information in real time and that the government must be more serious about deterring nation-state threat actors.
Zeefe agreed that understanding the motivations of threat actors is important in building a framework to deter cyber attacks but that more work was needed to fight such attacks.
“When taken in consideration with other factors – such as the advancement of technical solutions, both offensive and defensive – the knowledge of the enemy and their tactics, techniques and plans may permit a logical and cohesive approach to the ever-evolving problem.