Helping Small Businesses Deal with Cyber Threats


Sep 15, 2017

Woman using smartphone and laptop with icon graphic cyber security network of connected devices and personal data security

Photo by oatawa/Getty Images

This commentary originally appeared on Inside Sources on September 14, 2017.

Target. Anthem. The Office of Personnel Management. HBO. The WannaCry and Petya ransomware attacks. The biggest cyber attacks of the last few years are familiar to most.

But as important as the protection of critical infrastructure run by the largest corporations is, another significant challenge could undermine U.S. economic vitality and growth. Small businesses (those employing fewer than 100 people or with less than $50 million in annual revenue) contribute greatly to economic growth in the United States. The 28 million small businesses here employ half the entire workforce. Yet they have largely been left out of the cybersecurity conversation.

Small businesses are especially vulnerable to cyber threats, since they likely do not have an independent information technology department, let alone dedicated cybersecurity staff. IT staff are concerned with constructing and operating the company's IT systems. Cybersecurity staff generally are focused on defending those systems.

Small businesses rely on IT to manage inventory, track orders and reach their customers. For the smallest companies, the sum total of the effort put into this work might be buying computers, registering a website and signing up for anti-virus services. Most companies are focused on making their businesses sustainable. They often do not pay attention to cybersecurity … until something goes wrong.

Keeper Security and the Ponemon Institute noted that in 2016, half of all small and medium-size businesses were hacked in the previous six months. At the same time, almost 90 percent of small business owners do not believe they are at risk, according to one survey.

Cloud-based services can help by relying on the service providers to protect the applications and data, but that still does not protect businesses' networks onsite.

A cyber incident at a small business is not likely to remain confined to that business.

Experience also shows that a cyber incident at a small business is not likely to remain confined to that business and could allow hackers access to larger networks. And once cyber attacks occur, many small businesses cannot afford the expense and time necessary to recover.

Enhancing cybersecurity at the small-business level is about more than securing individual businesses. It's a contribution to the public good and economic security of the United States. The problem is, the federal government cannot possibly engage with the millions of businesses that may need assistance. The FBI and the Department of Homeland Security are focused on broader tasks, such as tracking criminal enterprises using business computers for illegal gain. The Small Business Administration is trying to help, but a 30-minute video is hardly enough to enhance the security of these businesses.

Earlier this year, a group of senators introduced legislation that would direct the National Institutes of Science and Technology to develop resources for small businesses in addition to its National Initiative for Cybersecurity Education. This might help, but it is hardly enough. NIST's expertise is in developing standards and providing guidance. It isn't equipped to provide the expertise, training or personnel that so many companies really need.

So, what can be done? While much analysis remains to inform robust recommendations, there could be some potentially innovative ways to approach the issue. The push to create more cybersecurity education and training programs could offer an opportunity to develop the cybersecurity workforce the United States so desperately needs, while at the same time providing services to companies that cannot possibly compete for those workers once they are trained.

No matter how rigorous the program, very few students completing a course will be ready to operate at full capacity in their new roles as cybersecurity professionals right away. Why not put them to work and give them hands-on experience as part of their required coursework? Students could use their newly learned skills to help small businesses that express their interest to the local college or university cybersecurity program.

Another possibility would be to look at how high school students, who are learning about cybersecurity and participating in extra-curricular programs like the cyber defense exercises CyberPatriot, could help out in their local communities.

Of course, it would be a mistake to unleash talented, yet inexperienced students on the small-business community unsupervised. Practicing new skills in a classroom environment on virtual machines is one thing. Making a potentially grievous error on a real network is another. To address this, students could pair up with mentors—professionals with 10 or more years in the cybersecurity industry—who could advise them on practical approaches and be on call to assist the students.

To add extra motivation for the mentors, the various certification authorities could offer continuing education credits toward recertification—or even consider making participation in a mentoring program a requirement.

Cyber threats affect all businesses, from the mom-and-pop store to the largest bank. Ignoring the threat to half of the U.S. economy should not be an option. The approach outlined above could allow small businesses the security to continue to prosper, while at the same time enhancing America's cybersecurity workforce and making the economy more secure.

Quentin E. Hodgson is a senior researcher at the nonprofit, nonpartisan RAND Corporation.

More About This Commentary

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.