Small and medium sized businesses are frequent targets for cyber-attacks and their results can be devastating, but there’s no quick fix, advocates told lawmakers during a recent hearing. There’s no uniform standard these businesses can adopt to ensure they won’t suffer a cyber breach, denial-of-service or ransomware attack or to ensure they won’t be pummeled with financial losses and lawsuits when they do.
Even when small companies want to protect themselves, they often don’t know where to turn for help. Or they may lack the financial resources for security that goes beyond basic antivirus protection and making sure their systems are reliably patched.
“The average business owner is what we call trapped in a whirlwind,” Charles Rowe, president of America’s Small Business Development Centers, a trade association, testified before the US House Small Business Committee. “They’ve got 5,000 things to worry about, and sometimes this is not the wolf closest to the sled.” Rowe advocated during the hearing for an interagency committee designed to help companies adopt cyber-security best practices, similar to the Trade Promotion Coordinating Committee, which was created to aid exporters.
Jim Mooney, cyber-security chair of the National Association of Federally-Insured Credit Unions, urged the government to develop national cyber-security standards for companies similar to those currently required for banks and other financial firms under the Gramm Leach Bliley legislations. Those standards should focus on providing “flexibility, scalability and risk-based assessments,” he said. Companies are notoriously wary of new regulations, however, and cyber threats often move too fast for firm regulations to keep up.
Companies not bound by specific regulation are currently required to take “reasonable steps” to protect customer data, according to the Federal Trade Commission. That vague standard, however, can be concerning for companies, Rowe said. “What’s reasonable is shifting all the time and it’s hard to tell if you’re a small business where the bar has moved to,” he said.
Source: Cyber Security Intelligence