WASHINGTON — When Rick Snow started his go-kart track 13 years ago, he was unaware of the very real threat of cyberattacks on his small business in Scarborough, Maine. But in 2011, Snow found his bank balance completely empty on payday and noticed that three wire transfers had moved $15,000 in company money to other accounts around the country.
Snow testified Wednesday before the House Small Business Committee, which is examining the state of cybersecurity threats against small businesses and what the federal government is doing to protect Main Street.
“There is no authority out trying to stop these people,” Snow said. “I know I can call local police if someone breaks into my building. In this case, there is no action being done beyond what we have to do as individual business owners.”
Fortunately for Snow, his contracted payroll company had already sent out his employees’ checks before the account was fleeced. Had it not, he said, the cyberattack would have been a “business-ending activity.”
Committee Chairman Steve Chabot, R-Ohio, said confidence in cyber protection has been shaken in light of the recent attacks on the IRS, the State Department, the Office of Personnel Management and the White House. Chabot said the IRS estimates that one million cyberattacks are made on the IRS every day.
In 2015, Chabot said an average of $32,000 was stolen from small business bank accounts.
According to a respected lobby, the National Federation of Independent Businesses, small businesses can be defined as having fewer than 10 employees and as many as 100.
“With all the uncertainty facing small businesses in today’s world of e-commerce, it will take vigilance by all federal agencies and the watchful eye of this committee to ensure the data of small businesses and individual Americans remains safe,” Chabot said.
State regulations are beginning to shape up around the cyber security rules created by the U.S. Commerce Department’s Cybersecurity Framework, what Nicholas Oldham, counsel at King and Spalding LLP, called a “promising development.” However, Oldham said, the Framework must be fine-tuned to the needs of small businesses, or it could wind up as just “one more program that they (small businesses) cannot afford to keep up with.”
Oldham said current regulations make it difficult for small business owners to understand how to protect their companies and what to do if they are attacked.
Oldham testified that the inconsistencies with state cybersecurity compliance laws place an enormous burden on owners. “Small businesses would benefit from a public sector approach that lowers the cost of compliance and the cost of implementing best practices,” he said.
Another witness, Kevin Dunn, technical vice president of Austin, Texas-based NCC Group Security Services, told a reporter that small businesses are especially vulnerable to attacks due to low awareness of the cybersecurity concepts and lack of resources for safeguards.
“You need to understand what data you have, the value of that data, and what to do according to the different values of different data,” Dunn said.
Dunn said multi-factor authentication — using SMS or email verification when signing into a secured website — is an inexpensive way to verify. Conversely, relying on a single method could lead to a “single point failure.”
It can work both ways. Dunn said when data from a government agency is compromised, it can be used for an attack against individuals and small businesses.
Snow, the small businessman from Maine, said from his perspective, the government appears to be working on larger issues like the IRS breach and falling short in assisting smaller enterprises when they are attacked.
“I was told this is just part of doing business,” said Snow.
Dunn said it is important to remember that cyber threats are worrisome for all sized companies – not only small businesses.
“Every company is typically in the same scenario where they have weaknesses and potentially easy ways to be compromised ” said Dunn. “The idea is trying to figure all those out before the bad guys do — and closing those holes.”