(Washington, DC) – U.S. Senators Jim Risch (R-ID) and Ben Cardin (D-MD), Chairman and Ranking Member of the Senate Committee on Small Business and Entrepreneurship, sent a letter to Small Business Administration (SBA) Administrator Linda McMahon to examine strategies for improving the content and delivery of cybersecurity assistance for small business owners.  Their letter follows a recent committee hearing on cybersecurity preparedness, where these ideas were discussed. 

“In 2015, the National Small Business Association found that 42 percent of small businesses were victims of cyberattacks,” the Senators wrote.  “On average, cyberattacks cost small businesses approximately $7,000, and when their bank accounts were hacked, the average loss skyrocketed to $32,000.  While small businesses are concerned about cybersecurity, it’s clear they are not doing enough to prepare for and respond to cyber threats.”

Senators Risch and Cardin highlighted testimony from small business owners in Idaho and Maryland, along with recommendations from hearing witness Daniel Castro of the Information Technology & Innovation Foundation on steps the SBA could take to further protect American small business owners from cyber threats and to provide better assistance after one occurs:

  • Establishing a Certification Program for “Part-Time” Cybersecurity Professionals: To help fill the shortage of cybersecurity professionals available to help small businesses with their IT (and encourage small business owners to not delegate this sensitive task to an unqualified employee), the SBA should work with existing professional certification organizations and the private sector to develop a low-cost, vendor-neutral certification program for small business employees who act as their company’s designated cybersecurity expert.
  • Creating a Cybersecurity Boot Camp for Small Businesses: To replace the overload of cybersecurity information that federal agencies provide for small businesses (much of which is outdated or incomplete), the SBA should offer a free online “Boot Camp” in cybersecurity.  This boot camp should be updated regularly and provide small businesses with “concrete steps” to raise the baseline level of security for participants.
  • Forming a Small Business Cybersecurity Co-Op: Since many small businesses avoid cybersecurity measures due to high cost, the SBA should establish a “cybersecurity cooperative” that would create a large pool of willing buyers for various cybersecurity products and services.   By opening up participation in a co-op to any small business interested, members could have access to services that were previously unattainable and negotiate better rates.

Senators Risch and Cardin added: “We urge you to consider the ideas from this hearing to begin bolstering your cybersecurity opportunities for small businesses as soon as possible.  As the leaders of the Senate Committee on Small Business & Entrepreneurship, we have a responsibility to do all that we can to assist small business owners and individuals across the country who need access to a variety of services.”

 

Full text of the letter is below:

______________

 

April 30, 2018

 

The Honorable Linda McMahon
Administrator
U.S. Small Business Administration
409 3rd Street, SW
Washington, DC 20416


Dear Administrator McMahon,


We write to request that you consider several ideas for improving the content and delivery of the cybersecurity offerings that the U.S. Small Business Administration (SBA) provides small business owners. As you know, cyber criminals increasingly target small businesses.  In 2015, the National Small Business Association found that 42 percent of small businesses were victims of cyberattacks. On average, cyberattacks cost small businesses approximately $7,000, and when their bank accounts were hacked, the average loss skyrocketed to $32,000. While small businesses are concerned about cybersecurity, it’s clear they are not doing enough to prepare for and respond to cyber threats. One survey found that only one-third of small businesses took pro-active steps to protect against cyber threats and only 12 percent developed a cybersecurity response plan.


On April 25, 2018, the Senate Committee on Small Business & Entrepreneurship held a hearing entitled “Preparing Small Businesses for Cybersecurity Success.” A witness from Idaho whose business survived a ransomware attack stressed that most entrepreneurs don’t recognize how common these attacks are or the significant threat they face. He noted that increased collaboration between federal agencies and Small Business Development Centers (SBDCs) on cybersecurity training programs and educational materials would go a long way in aiding small businesses.  Unfortunately, his local SBDC was not prepared to help him with his cyber planning or in the aftermath of his attack.  Another witness, the owner of a Maryland IT and cybersecurity consulting firm, noted that many small businesses don’t see cybersecurity as critical to business success – they see it strictly as an IT issue.  She told the committee it is imperative the small business community understand the value of their business assets, engage experts to assess vulnerabilities in their security systems, and take appropriate steps to mitigate their cyber risk. 


While the Committee appreciates SBA’s efforts to help businesses with cyber planning, small businesses need a more robust cyber outreach program from the SBA.  This is why the Committee unanimously passed the bipartisan Small Business Cyber Training Act (S. 1428) last year.  This bill would require a certain number of SBDC counselors in each office to be certified in cyber strategy assistance, an important part of helping small businesses prevent and mitigate cyber threats. 


Hearing witness Daniel Castro, vice president of the Information Technology & Innovation Foundation (ITIF), also presented some specific opportunities for SBA consideration, including:

 

  • Establishing a Certification Program for “Part-Time” Cybersecurity Professionals: To help fill the shortage of cybersecurity professionals available to help small businesses with their IT (and encourage small business owners to not delegate this sensitive task to an unqualified employee), Castro recommends that the SBA “work with existing professional certification organizations and the private sector to develop a low-cost, vendor-neutral certification program for small business employees who act as their company’s designated cybersecurity expert.” Castro cites the SBA’s current 30-minute online training module as “rudimentary to the point of being inconsequential,” giving only a list of do-nots rather than proactive steps towards security.

 

  • Creating a Cybersecurity Boot Camp for Small Businesses: To replace the overload of cybersecurity information that federal agencies provide for small businesses (much of which is outdated or incomplete), Castro recommends a free online “Boot Camp” in cybersecurity. This boot camp should be updated regularly and provide small businesses with “concrete steps” to raise the baseline level of security for participants.

 

  • Forming a Small Business Cybersecurity Co-Op: Since many small businesses avoid cybersecurity measures due to high cost, Castro suggests that the SBA establish a “cybersecurity cooperative” that would create a “large pool of willing buyers for various cybersecurity products and services.” By opening up participation in a co-op to any small business interested, members could have access to services that were previously unattainable and negotiate better rates.

We urge you to consider the ideas from this hearing to begin bolstering your cybersecurity opportunities for small businesses as soon as possible. As the leaders of the Senate Committee on Small Business & Entrepreneurship, we have a responsibility to do all that we can to assist small business owners and individuals across the country who need access to a variety of services. It is clear that cybersecurity is a service of particular importance that deserves our immediate attention and best efforts. Our small business owners need assistance in this area now more than ever. We would appreciate a briefing from your staff in the near future to update us on your cybersecurity efforts and to further discuss these ideas.

 

Sincerely,

James E. Risch, Chairman

Benjamin L. Cardin, Ranking Member