A bill making its way through the U.S. Senate proposes to do what cybersecurity experts say is long overdue: Create a set of resources and guidelines small businesses can use to protect themselves from a steadily increasing number of cyberattacks.
If passed, the Main Street Cybersecurity Act, introduced at the end of March, would update the Cybersecurity Enhancement Act of 2014, which called for the National Institute of Standards and Technology to provide a voluntary set of guidelines for big businesses to follow in order to manage and reduce their cybersecurity risks. As a result of the 2014 act, cybersecurity became one of NIST's primary focus areas, and the federal government made a verbal commitment to fund cybersecurity research.
This new piece of legislation — discussed during a meeting of the Senate Committee on Commerce, Science and Transportation on Wednesday — directs NIST to consider small businesses in updating those guidelines.
"By creating a simple, voluntary cybersecurity framework for small businesses, the Main Street Cybersecurity Act will help them protect their data," said Sen. Maria Cantwell, D-Wash., one of the bill's five co-sponsors, in a press release.
A national crisis
The latest surveys show that small businesses need all the help they can get. In the last 12 months, hackers have breached half of all small businesses in the United States, according to the 2016 State of SMB Cybersecurity Report. Small businesses, which often don't have the revenue to afford their own IT departments, are especially susceptible to phishing attacks via email or fraudulent activity happening in their e-commerce shops. Some attacks can derail a small business' money-making activities for up to a week.
Despite the statistics showing how vulnerable they are, many of America's 28 million small businesses aren't thinking about cybersecurity.
"Most small-business owners don't think they're at risk. As a result, it's fair to say they are indeed ill-prepared to safeguard against an attack," said Bryan Seely, a network engineer famous for hacking into the FBI. He now teaches an online course in ethical hacking for Udemy.
A survey published by Manta last month shows that 87 percent of small-business owners don't feel that they're at risk of a cybersecurity attack, and 1 in 3 small businesses don't have the tools in place — firewalls, antivirus software, spam filters or data-encryption tools — to protect themselves.
"The general majority of small-business owners don't have an IT person. It's not the first place they spend their money," said John Swanciger, CEO of Manta. "They're really relying on themselves to update their software and check for security patches."
Oftentimes small-business owners don't know where to begin when it comes to beefing up their cyberdefenses, according to Matt Bromiley, a senior managing consultant at Kroll, a New York-based risk consulting firm.
"One of the biggest things I get out of small-business clients is, 'What can I do to prevent this?'" he said.
When people think of hacking attacks, they're inclined to remember high-profile incidents that affected millions of customers. To small businesses, the targeting of Home Depot and Target in recent years seems to indicate that hackers are more interested in grabbing large amounts of credit card data and personal information at one time.
But now hackers, keen to make a quick buck, are turning their attention to smaller and medium-size companies. They attack e-commerce shops to try to steal customers' credit card information. Ransomware, which has been used by hackers interested in holding digital data hostage to extract sums of money from large companies, is now being used on small businesses, who often don't have the money to investigate a cybersecurity attack but do have just enough to pay ransoms in the $3,000 to $5,000 range to regain control of their data and computer systems.
Not to mention that the hacking of Target in 2013, which led to theft of 70 million customers' personal data, is believed to have been a result of a prior breach: Hackers gained access to Target's network by successfully gaining access to the network of the small business the retail giant used for heating and air-conditioning services.
"Cybersecurity is clearly a concern that the entire business community shares, but it represents an especially pernicious threat to smaller businesses," the Securities and Exchange Commission wrote in a 2015 report. "The reason is simple: Small and midsize businesses are not just targets of cybercrime; they are its principal target."
Online fraud is also a growing area of weakness for small businesses. Today fraudsters will create scripts to overload online stores with phony promotional codes to purchase goods at a discount.
"Because value can be stored in so many different ways now online, it opens up so many different ways of attacking for fraudsters," said Rahul Pangam, a former Google engineer and now CEO of Simility, a start-up that makes a fraud-prevention tool that small businesses use in conjunction with their online payment processors. "Ten thousand promotion codes at $5 each — that might literally bankrupt a business in the retail sector."
Indeed, cyberattacks on small businesses represent an existential threat. About 60 percent of small businesses that suffer a cybersecurity attack go out of business within six months.
As to what small businesses can do to protect themselves, Swanciger said there's a simple first step.
"Perform your software updates. This is the No. 1 overlooked thing that small-business owners don't do," he said.
Some of the things Kroll's Bromiley recommends if the Main Street Cybersecurity Act passes: enabling two-factor authentication, performing regular backups of company data, creating stronger passwords and updating them every several months, and making sure antivirus software is installed on company computers.
Small businesses just need to realize that they, too, are now in the crosshairs.
"The main reason small-business owners bear the brunt of cyberattacks," Seely said, "is because they are uninformed and unaware of a potential attack."
— By Andrew Zaleski, special to CNBC.com