In recent hearings on Capitol Hill, Congress pushed the Small Business Administration (SBA) for its cybersecurity failings. Lawmakers claim that SBA isn’t following recommendations made by the Government Accountability Office to put more emphasis on cybersecurity. As the House Small Business Committee reported:
Until SBA fully implements all of the required IT management initiatives, the agency cannot provide reasonable assurance that its IT investments are cost-effective, meet agency goals, or are effectively managed.
I understand the concern. After all, look at the fallout from the Office of Personnel Management (OPM) breach. Victims of that breach go well beyond government employees and contractors. (One of my holiday “gifts” was the formal letter from OPM telling me that my personal information was compromised, but I’m not a government employee or contractor. However, my personal information was required as part of someone else’s background check. You see how these breaches can spread well beyond the anticipated borders.) We also know that government agencies overall aren’t doing a good enough job with cybersecurity from multiple breaches over the past couple of years. So no, it doesn’t make sense that the SBA isn’t doing enough to meet standards set in September – unless there are budget issues, which seems to be the primary stumbling block for so many organizations.
This news about the SBA got me thinking, though. Have small businesses themselves been doing a better job at stepping up their cybersecurity game?
According to a recent article posted to Sys-Con Media, the answer would be no. Surprisingly, there is still the belief that cyberattacks happen to large corporations or to government entities, that cybercriminals have no interest in small businesses. On top of that, the article stated:
Statistics say that more than half of all small businesses in the U.S. don't provide security training for their employees, only one quarter conduct outside party security tests, and more than 40% don't produce backup copies of their most important business files, in case something goes wrong.
I think it would be helpful, although a tough task, to regularly report on all breaches, so companies realize that it isn’t just the “big guys” who suffer from attacks. The more we all know, the more seriously cybersecurity will be approached. But it would be just as helpful if government agencies like the SBA would step up as the example and put their own cybersecurity house in order, while assisting small businesses to do the same. In 2016, with the increasing threats being brought into the workplace via the Internet of Things and smarter hackers, budgeting and implementing cybersecurity have to be a priority.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba