Senior Vice President, National Security & Emergency Preparedness Department
You've probably heard me say more than once that there are two types of businesses - those that have been hacked and know it, and those that have been hacked and don't know it. Speaking to small business owners at America's Small Business Summit, Deputy Secretary of Homeland Security Alejandro Mayorkas implored attendees not to surrender to hackers.
Hackers, criminals, and our cyber enemies are clearly winning. Cyberattacks against governments and businesses are growing in number, frequency, and sophistication. And so is the cost to victims. According to a 2015 report on cybercrime by the Ponemon Institute and Hewlett Packard, the average cost of a cyberattack to an organization is $15 million. This report monetizes the consequences of an attack including business disruption, information loss, revenue loss, and equipment damage.
The good news for America's small businesses is that they have a partner that can help them prepare for and respond to cyberattacks against their networks. The Department of Homeland Security (DHS) has been working with the U.S. Chamber of Commerce on a host of issues including cybersecurity.
During his remarks, Mayorkas suggested three best practices for small businesses:
Passwords. Require your employees to change them frequently, every 45-60 days. Make them complicated, meaning 8-15 characters long, using a mix of upper and lower case letters, symbols, and numbers.
Cyber Hygiene. It sounds vague, because there isn't a precise definition for "what's good cyber hygiene." A couple of tips. Don't allow personal phones to be connected to networked computers. Don't allow your employees to use USB drives. Limit the number of administrators who have full access to everything. Install patches and software updates when they are available.
Test Systems and Train Employees. Resource and budget conscious organizations won't be able to afford third-party auditors to perform penetration testing, but you can exercise your response plans. As an example, send an anonymous email with an attachment to your employees and see if they open it. If they do, do they report it to IT? Phishing and spear phishing emails remain the easiest way for the bad guys to get into your network.
DHS is uniquely positioned in the government to help small businesses. More information on the departments resources and capabilities, and even a small business toolkit, is available on its website.
The U.S. Chamber is doing its part as well. Its cybersecurity awareness campaign aims to advance cybersecurity policies and educate small and medium-sized businesses about cyber threats and how to protect their organization against them.
This fall, working with Ridge Global, the Chamber will launch a new online cyber education effort aimed at preparing and defending American small businesses from cyberattacks. You can learn more here.
The bad guys have nothing but time and resources, and a determined bad actor can and will always find a way in. By working together, we can improve our defenses and make it harder for hackers.
In closing, Mayorkas asked small business owners to share information on cyber threats. There's nothing more important than having a conversation with the FBI, the Secret Service, or DHS. It may sound overly simplistic, but if you see something, say something.