Supporting American Small Businesses Against Foreign Threats
from RealEcon and Greenberg Center for Geoeconomic Studies

U.S. Department of Homeland Security employees work inside the National Cybersecurity and Communications Integration Center in Arlington, VA. REUTERS/Kevin Lamarque

Small businesses are critical to U.S. national security. They’re also increasingly targeted by foreign cyberattacks. The federal government can do more to protect them.

June 11, 2024 8:33 am (EST)


Introduction

In her January testimony before Congress on the cybersecurity threats from a rising China, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly noted that the supply chain was made up not just of enterprises in the cloud, but every small business in the country. She identified clearly an entire class of “target-rich, cyber-poor” U.S. businesses that CISA is working to help. Small businesses comprise 43 percent of the U.S. gross domestic product (GDP). It is time that more officials noticed the perilous state of small business cybersecurity in this country.

Government officials should understand that (1) foreign actors are targeting U.S. small businesses because their cybersecurity posture tends to be poor, (2) small businesses cannot meet their own cyber and information technology (IT) needs internally, and (3) the U.S. government needs to support the managed service providers who are often small businesses’ only IT and cybersecurity support.

U.S. Small Businesses Are Being Targeted by Foreign Actors

In June 2023, a forty-four-bed hospital that had operated for over 120 years with approximately 100 employees in the small town of Spring Valley, Illinois, announced that it would close its doors to the public, partly because of a ransomware attack that took place in 2021. The closure means that Spring Valley residents will now need to drive more than thirty minutes to reach the nearest hospital, significantly lowering patients’ odds of surviving a critical incident such as a heart attack. Many other vital small businesses and services are under attack each day, and make no mistake, a hospital with fewer than 500 employees is absolutely both critical infrastructure and a small business.

There is a disconnect between the cybersecurity resources being provided to large enterprises and their employees and the reality lived by small businesses and their service providers. Small businesses in the United States are very low-hanging fruit for hackers and cybercriminals. Increasingly, small businesses are being farmed by government and criminal groups from China, Iran, North Korea, and Russia via ransomware, business email compromise, and invoice fraud. It has been a rich harvest. China in particular has targeted small business routers and U.S. critical infrastructure, often serviced by state and local organizations. Yet even after small businesses pay off their attackers, having experienced a cyberattack dramatically increases the chance that a small business will fail, with 60 percent of targeted U.S. small businesses going out of business within six months.

Anyone can start a business in this country. In doing so, they can collect customer data, sell it, and secure it—or fail to secure it. However, many of the smallest businesses doing so do not know about or understand their obligations under federal compliance frameworks, which could keep them safe. The security of small businesses overall has direct ties to national security, so the government should balance security and the freedom to engage in commerce.

Small Businesses Cannot Meet Their Cyber and IT Needs Internally

Small business owners are often surprised to be targeted by cybercrime. In reality, harvesting a few thousand dollars a year from U.S. small businesses via various forms of cyber fraud is a fruitful way for foreign actors to raise funds.

The federal government has frequently given mixed messages as to its own stance on the role of small business in national security via cybersecurity. It has issued guidelines but not regulations, and regulations and standards are not necessarily the same: one comes with a stick attached to it, and the other is a strongly worded suggestion.

Federal grants are one way to assist small businesses in achieving cybersecurity goals, but they often reach a smaller recipient pool or are not granted to the businesses themselves but to nonprofits or government agencies to assist them. A quick search of the grants.gov database for the keyword “cybersecurity” with eligibility for small businesses shows a scattered few misclassified grants for state governments. Otherwise, there are no federal cybersecurity grants for small business cybersecurity improvement. It is a bleak landscape.

Supporting Managed Service Providers

Small businesses are not able to know or apply all of the current Internal Revenue Service (IRS) code to their taxes. It is why they hire accountants. In the same way, it is unreasonable to expect small businesses to know and understand all the cybersecurity and compliance regulations that apply to them.  

Managed service providers (MSPs), or outsourced IT (information technology), are the unsung and underappreciated heroes securing the United States’ small businesses. Almost half of U.S. workers work for a small business, and there is no doubt they fall under what distinguished cybersecurity researcher Wendy Nather called the “Security Poverty Line.” Most small businesses, having surpassed the point of existential survival, rely on MSPs or IT service providers, the equivalent of the accountants or lawyers to whom they outsource legal and financial work, to handle their technology needs. However, contracting an MSP for baseline services is not, on its own, enough to ensure effective cybersecurity.

Ignorance is bliss, and it is cheap. For small businesses, technology almost always costs money, both in initial implementation and ongoing costs. People and process improvements are as important as technology, and should be embraced by small businesses, particularly as there are low-to-no cost actions businesses can take to improve their own security. Small businesses will often reach out to their service providers to improve their security. The number of small businesses served by MSPs accounts for 10 to 30 percent of U.S. GDP (likely a bit less than the number of small businesses served by accountants instead of doing their own taxes).

There is neither enough time nor enough resources to train every small business owner, which is why MSPs are the place to start training and equipping small businesses that are large enough to be targets and too small to muster their own defenses.

Conclusion

In 2023, the Small Business Administration (SBA) launched a cybersecurity for small business pilot program, which granted six public entities $1 million each in 2023 to “assist small businesses in advancing cybersecurity infrastructure and mitigating cyber threats.” For perspective, the SBA’s $6,000,000 budget to start helping small businesses is not much when divided out between 33,185,550 American small businesses. That comes to eighteen cents per business or less than the cost of adding whipped cream to your morning coffee. It’s time to do better.

Policymakers and the press are celebrating new regulations to curtail the influence of Big Tech platforms, but this viewpoint risks either ignoring the unique qualities of MSPs or sweeping them up in the wake of that regulation, which will hurt small businesses in the process. The defense industrial base, supply chain, and critical infrastructure are the understandable focus of legislation and regulation, but it is time to acknowledge the country’s responsibility to small businesses. They are critical infrastructure and a vital part of national security, and supporting them means supporting their vital service providers.

Tara Donohue Bartels is Manager of Advisory Services, Dataprise

Tarah Wheeler is CEO of Red Queen Dynamics & Senior Fellow for Global Cyber Policy, Council on Foreign Relations

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.