FCC shifts cybersecurity focus to small businesses

Small businesses must do more to safeguard their networks, intellectual property and customers' personal data, according to experts at the Federal Communications Commission's Monday roundtable on cybersecurity.

FCC Chairman Julius Genachowski convened the roundtable to discuss the importance of small and medium-sized businesses protecting their computer systems from hackers and outside attacks in the light of several high-profile data breaches in recent weeks at major technology firms.

Breaches at the digital marketing firm Epsilon and two gaming networks owned by Sony have helped cybersecurity return to the headlines, even as the White House released its first legislative guidance on the issue last week.

Speaking with The Hill after the event, Genachowski said that while the challenges facing small firms online are very real, the FCC has outlined a series of easy steps they can take to minimize their risk.

"It's readily available, low-hanging fruit when it comes to cybersecurity planning for the country," Genachowski said, pointing out that half of small businesses don't currently have network security plans in place.

"It's about taking the best practices, basic ideas that are widely accepted and making sure that they're communicated to small businesses."

Genachowski pointed to a recent study by the security firm Symantec that found almost three-fourths of small and medium-sized businesses reported suffering a cyber-attack in the past year, resulting in billions of dollars in lost revenue. He said the average attack costs a firm almost $200,000.

"Small businesses also often struggle to protect the confidential data of their customers. 42 percent of small and medium businesses surveyed reported the loss of confidential or private data in the past 12 months and 40 percent experienced direct financial costs as a result," Genachowski said, "and almost half of small businesses don’t back up their data."

Maurice Jones, chief executive officer of the Washington-area Parkinson Construction Co., described how his firm was compromised by a phishing attack that obtained login and password information for its bank accounts.

Jones said his firm later realized it was missing a significant amount of money from its accounts. By working with banks, Jones said his company was able to recoup some of the lost funds, but not all.

Still, he maintained that broadband access to the Web is vital for the company to remain competitive, since it cuts the number of administrative employees needed by almost half.

Former Secretary of Homeland Security Michael Chertoff said that while it is crucial to manage the amount of risk from cyber-attacks, no plan will completely eliminate the risk of an intrusion.

Chertoff said the only way to do that would be to abandon the network and the benefits it provides. Instead, he said small firms must strike a "realistic balance" depending on their individual concerns.

The commission released a tipsheet on Monday aimed at helping small businesses identify 10 easy steps they can take to reduce the risk of an attack. The steps include training employees in security principles, downloading and installing software updates, installing a firewall for Web connections and limiting the amount of physical and administrative access that employees have to the firm's computers.

Phyllis Schneck, public center chief technology officer for the security firm McAfee, highlighted securing physical access to network infrastructure as crucial, as some of the largest data breaches have been caused by USB flash drives containing malware. She also emphasized the importance of making users regularly change their network passwords.

Another White House announcement on an international plan of cooperation on cybersecurity issues is expected Monday afternoon. Genachowski said he will be participating, but declined to elaborate on details of the event.

---