Do I really need to worry about Cybersecurity for my Business?
By Christine Myers, Region 2 Advocate
Earlier this month more than 20 business owners gathered in Bridgewater, NJ for a forum on cybersecurity. With no pre-arranged seating, it was fascinating to witness a natural divide take place in the room: business owners unrelated to cybersecurity on one side, businesses involved in cybersecurity on the other. The conversation bounced from one side to the other like a verbal ping pong ball.
The cyber experts spoke first, one after another, explaining their view of the cyber situation. The biggest threats to small business result from the lack of awareness, education and protocol about data protection. With no IT resource, the small business either creates and implements the security measures, or it retains an outside resource to do it for them. Unfortunately many don’t do either. “It’s a risk issue. Data is what hackers are seeking and small businesses need to spend the money to secure themselves,” said the owner of a forensic security company. Another expert asserted, “America is only as safe as its weakest link, and small businesses are the weak link.”
The owner of a marketing company pointed out that she wanted to retain outside help, but had no idea how to tell a good IT person from a bad one. “There ought to be a cybersecurity certificate or credential, like a CPA or licensed insurance broker,” she suggested. The owner of a paving company told the group that he didn’t have time to deal with cybersecurity. He employs 15 people and admits he knows very little about computers. His solution was to use QuickBooks and other cloud software applications. “If anything happens it is QuickBooks’s problem,” he said.
Almost in unison the cyber experts replied “NO!” According to the owner of a cybersecurity firm, and an insurance broker who provides cybersecurity insurance, the small business owner does have responsibility if his customers’ information in QuickBooks or any other cloud-based application is breached. He will need to apprise each of his customers of the breach, and he may be financially liable as well.
An owner of a retail store spoke candidly about a questionnaire he and his wife had to fill out for their credit card processing company. “My wife started to fill it out, and gave up after the second page.” It was too complicated and confusing. The husband, who just started a cybersecurity education effort, succeeded in filling it out, but said it took days, and complained that the questions did not pertain to his business and were unclear. He admitted to providing answers they felt would avoid being seen as a risk, and protect them from an increase in their credit card fees.
This time the response from the cyber professionals was split. One expert asserted that if he wanted to own his own business then it was his responsibility to comply. Others were more sympathetic. “We need to provide incentives for small business to comply, because small businesses often don’t have the education (around cybersecurity) or money it takes to comply,” said the owner of a cybersecurity firm.
All in the room agreed that education for small business was an imperative, but agreed it was challenging for small businesses to take the time to educate themselves. Several cyber business owners suggested using incentives to entice small businesses to comply. One expert suggested the implementation of federal compliance regulations. A former Secret Service agent, now a cyber expert for a law practice, suggested that creating a tax incentive would offset the expense of compliance. The owner of an IT company said he incented business owners using scare tactics by citing catastrophic examples.
Special guest Congressman Leonard Lance summarized the conversation saying that we have to change the majority of work in this area from reactive to proactive. People need to protect themselves, and the government should be as vigilant as possible to ensure that foreign actors do not penetrate our national agencies, infrastructure grid and our businesses.
For further information check out the link to the New Jersey Director of Cybersecurity and Communications Integration Cell: (https://www.cyber.nj.gov/).
Christine Myers serves as the Region 2 Advocate for the SBA Office of Advocacy, representing small businesses in New York, New Jersey, Puerto Rico and U.S. Virgin Islands. Myers works with small business owners, state and local governments, and small business associations to bring the voice of Region 2 to Washington DC. She can be reached at Christine.myers@sba.gov.