There are many policymakers in Washington who understand the threat of cybercrime and who are looking for ways to help prevent it. In particular, there's a recognition that small businesses face a significant threat of becoming cybercrime targets, but are less likely to have the time or resources to devote to prevention. An oft-cited statistic reveals that 43% of spear phishing attacks target small businesses and an estimated 90% of cybercrimes start with a phishing email. Three new initiatives highlight some of the ways the Federal government is trying to help small businesses adapt to the ever-changing cyberthreat landscape.
1. One-Stop Shop for Cybersecurity
Last week, the Federal Trade Commission (FTC) launched a new page on its website that provides resources for small businesses to protect them from scams and cybercrimes. The site has guidance, videos and blog posts on topics such as computer security basics, ransomware defenses, and data breach responses. The goal is to provide easy-to-understand, plain-language guidance for small firms to use to increase their security and react appropriately if attacked.
2. Cybersecurity Guidelines for Small Business
TECHPol has described the efforts of the National Institute of Standards and Technology (NIST) to disseminate best practices for cybersecurity in government and business. In both the House and Senate, legislation has been approved at the committee level that would require NIST to give specific consideration to small businesses when developing its framework for lowering cybersecurity risks. The bicameral, bipartisan support for these companion bills bodes well for passage. The effort has earned the support of the U.S. Chamber of Commerce and the National Small Business Association, among other business organizations.
3. Cyberthreat Notifications for Federal Contractors
The Department of Homeland Security (DHS) is launching a new project called "Dissect Cyber" to help small and mid-sized companies avoid cyberattacks and scams. The project monitors new domain registrations to identify attempts to spoof a web domain as part of an internet-based scam. For example, in Business Email Compromise (BEC) scams, hackers send emails that appear to come from company executives to request wire transfer payments. These scams have exposed $5 billion to loss. The project also looks for stolen employee login credentials circulating on the internet. When DHS identifies potential fraud, it notifies the targeted companies. The project is focused on companies that are registered to do business with the government and listed in the System for Award Management (SAM) database. Currently, Dissect Cyber is able to notify 30% of targeted companies within five hours of identifying a fraudulent domain registration. DHS hopes to improve its level of outreach as it scales the program.
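To illustrate the kind of lookalike-domain check a registration-monitoring service performs before notifying a company, here is an added example written for this post; it is not DHS or Dissect Cyber code, and the protected domain, the confusable table and the registration feed are all constructed for the example.

```python
import unicodedata
from difflib import SequenceMatcher

PROTECTED_DOMAINS = ["acme-widgets.com"]  # constructed example, not a real registrant
# Small confusable table; a production monitor would use a far larger one.
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "9": "g"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]

def registrable_label(domain: str) -> str:
    """Label left of the TLD (assumes single-label TLDs such as .com or .net)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def skeleton(label: str) -> str:
    """Reduce a label to a 'skeleton' so visually similar spellings compare equal."""
    try:
        label = label.encode("ascii").decode("idna")  # xn-- punycode -> Unicode
    except UnicodeError:
        pass  # already Unicode, nothing to decode
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))  # drop accents
    label = label.translate(SINGLE_CHAR)
    for seq, rep in MULTI_CHAR:
        label = label.replace(seq, rep)
    return label

def lookalike_score(candidate: str, protected: str) -> float:
    """Similarity in [0, 1] between the skeletons of the two registrable labels."""
    a, b = skeleton(registrable_label(candidate)), skeleton(registrable_label(protected))
    return SequenceMatcher(None, a, b).ratio()

def flag_lookalikes(new_registrations, protected=PROTECTED_DOMAINS, threshold=0.85):
    """Registrations that resemble, but are not, a protected domain: (new, protected, score)."""
    hits = []
    for cand in new_registrations:
        for prot in protected:
            if cand.lower() != prot.lower():
                score = lookalike_score(cand, prot)
                if score >= threshold:
                    hits.append((cand, prot, round(score, 2)))
    return hits

# Constructed sample of one day's new registrations (not real registration data).
IDN_SAMPLE = "ácme-widgets.com".encode("idna").decode("ascii")  # accented a, as punycode
NEW_REGISTRATIONS = [
    "acme-widgets.com",    # the company's own domain: not a lookalike
    "acrne-widgets.com",   # 'rn' imitates 'm'
    "acme-w1dgets.com",    # digit 1 imitates l/i
    "acme-widgets.co",     # identical label, different TLD
    IDN_SAMPLE,            # internationalized homoglyph
    "weather-report.net",  # unrelated registration
]
```

Each tuple returned by `flag_lookalikes` is one notification the monitoring service would send to the owner of the protected domain.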
As the recent global "WannaCry" ransomware attacks demonstrate, cybercriminals are bold and always looking for weaknesses to exploit to make a buck. Small businesses are not immune, and in fact may be easier targets. The support of the Federal government to give more tools to the private sector to fight cybercrime is part of the solution. Vigilance is required by both the private and public sectors to effectively combat the threat.