WASHINGTON – Representatives from the Secret Service,FBI and Department of Homeland Security testified before a House committee Wednesday that small businesses need to change the way they think about security.
“As large companies have adopted more sophisticated protections against cybercrime,criminals have adapted by increasing their attacks against small and medium-sized businesses,banks and data processors,” A.T. Smith,Secret Service assistant director,said. “Unfortunately,many smaller businesses do not have the resources to adopt and continuously upgrade the sophisticated protections needed to safeguard data from being compromised.”
Smith told the Financial Services Committee that the Secret Service has been working with Verizon to use information gathered in the 2011 Data Breach Investigations Report,which revealed retail sales systems and online financial accounts are prime targets for cybercriminals.
Although Gordon Snow,FBI assistant director,said the highest threat is still the terrorist threat of a hacker attacking U.S. infrastructure – the electrical grid,financial systems and other large targets – small businesses and individuals are less aware and less likely to prepare their systems to withstand an attack.
“Most of the time,people’s awareness is triggered by loss or an intrusion,and it’s the first time they’re reaching out to some of their partners or law enforcement,” he said.
Greg Schaffer,Homeland Security’ acting deputy undersecretary,said business owners and data holders need to understand that a security shift has occurred,and the locks on the door aren’t enough any more.
“The theft on the Internet is happening more than break-ins through the back storage room,” Schaffer said. “People need to invest accordingly and risk manage accordingly.”
Schaffer acknowledged more needs to be done to educate the business community,but there are resources for businesses.
On its website,the United States Computer Emergency Readiness Team posts security bulletins and links for victims to report possible cybercrime incidents.
Schaffer said his department will work with individuals in October,which is Cyber Security Awareness month,and will begin the “Stop. Think. Connect.” campaign aimed at raising individuals’ awareness.
The Senate Judiciary Committee held a hearing Thursday on similar legislation,Senate Bills 1151 and 1408.
Sen. Chuck Grassley,R-Iowa,proposed amendments to decrease requirements for businesses.
“While we’ve focused on protecting information,we’ve not focused on protecting jobs,” Grassley said. “This bill will likely drive up costs through burdensome regulations. A company that hasn’t even suffered a breach may find itself unable to afford compliance with the bill’s new requirements.”
Sens. Patrick Leahy,D-Vt.,and Al Franken,D-Minn.,said the requirements are entirely reasonable.
“I worry in effort to save cyber business,if we don’t put tight controls,cyber business will be ruined,” Leahy said.
The committee did not have a quorum and will meet again later in the week to vote on the bills.
In addition to personal and small business security,the Financial Services Committee discussed the broader threat to U.S. financial institutions and infrastructure.
“Whether or not my Mastercard has been compromised is nothing compared to what would happen if our national systems were compromised,” Rep. Shelley Capito,R-W.Va.,the committee chair,said.
Smith testified that,among agencies and financial institutions,information sharing is better than it ever has been,and Snow said the FBI is improving liaisons in countries where attacks originate.
However,Schaffer pointed out that as it stands,offense has the advantage. Hackers and criminals using malicious software have to be on target only some of the time,but systems have to be solid everywhere all of the time to prevent attacks.
“To be sure,what we’ve seen is a very high percentage of the attacks can be dealt with by the implementation of current technology,” he said. “That is not to suggest that we can deal with everything in that regard. We will need to develop additional capabilities.”
Reach reporter HopeRurik at [email protected] and 202-326-9861. SHFWire stories are free to any news organization that gives the reporter a byline and credits the SHFWire.