Small Business Cybersecurity: Federal Resources and Coordination

Mar 8, 2017
STATEMENT
Congresswoman Nydia Velázquez, Ranking Member
House Committee on Small Business
“Small Business Cybersecurity: Federal Resources and Coordination”
Wednesday, March 8, 2017
 
Developing new innovations is fundamental to our nation’s prosperity in the 21st century.   But these technologies can only be beneficial if small businesses can adopt them without fear of malicious cyber-attacks. Cyber-crimes are becoming more commonplace and more sophisticated. And no matter what form they take, they can be devastating to business owners and their customers. A single attack can wipe out a small business, making cyber crime a severe problem for small entities. 
 
While businesses of all sizes must increasingly monitor cyber threats, small firms must prepare for these problems with far fewer resources than their larger counterparts. Because of the complexity and cost associated with implementing a security plan, only 31 percent of small firms take active measures to guard against such attacks. 
 
More than 80 percent of the time, the owner handles cybersecurity personally – making  small firms more vulnerable than a competitor with a dedicated IT security consultant or staff member.  In fact, last year, 60% of all targeted attacks struck small and medium sized entities.
 
These actions have costly implications for the small companies. The average cost of a data breach is nearly $200,000 -- and leads to 60 percent of targeted small businesses closing their doors within 6 months of being attacked. 
 
Because small firms stand to lose so much without data protection, it is imperative they have the resources of the federal government at their disposal. The federal government has a duty to secure federal information systems and assist in protecting private systems. 
 
All agencies have their own duty to protect their systems but due to rapid changes in cyberspace, agency roles are complex. The presence of over 50 relevant statutes addressing various aspects of federal cybersecurity responsibilities adds yet more confusion. And, because agencies are busy navigating the rules pertaining to their own systems, efforts to help small firms have generally been neglected. 
 
However, the Departments of Defense, and Homeland Security -- and the National Institute of Standards and Technology have all recently embarked on efforts to assist businesses with cyber-security needs. 
Additionally, federal spending on cybersecurity is expected to rise to above $20 billion over the next several years.  Implementation of the Cybersecurity Information Sharing Act of 2015 continues moving ahead. Despite this progress, collaboration between agencies and small firms is lacking, which affects us all.
 
We must improve our efforts to help small businesses overcome these challenges. I was pleased, for example that the National Defense Authorization Act includes a provision instructing SBA to coordinate with DHS to develop a small business cyber strategy. 
 
Most importantly, it leverages the SBA’s vast network of Small Business Development Centers, which have a proven track record of helping entrepreneurs all over the country. 
 
Although this is a step in the right direction, we must do more to encourage small firms to protect themselves and their customers from cyber threats.  Today’s hearing will give us an opportunity to review federal investment in cybersecurity and how we can facilitate collaboration with the small business community. We cannot accept the bare minimum as our nation seeks to end continued data breaches.
 
In advance of the testimony, I want to thank all the witnesses for both their participation and insights into this important topic.   
 
Thank you and I yield back.