Small and medium businesses in critical infrastructure are more at risk for a breach because they lack the resources to invest in cyber best practices, according to a survey from USTelecom that suggests right-sizing policy goals to address the needs of smaller operators when it comes to security.
“In the midst of an escalated cyberattack environment during the COVID-19 pandemic, this survey provides important insights on how SMB cybersecurity practitioners can enhance risk mitigation strategies and practices,” the survey released today says.
USTelecom found: “According to respondents, 50% of Board, CEO, and C-suite executives indicate cybersecurity is a high priority, while only 26% of employees view cybersecurity similarly. In the accelerated remote work environment spurred by the pandemic, closing this priority gap is essential to enhancing organization security.”
The online survey conducted in partnership with CyberRx was directed at “employees, directors/managers, and executives of SMBs with up to 2,500 employees.” Responses from 323 people who responded to the survey are used in USTelecom’s analysis.
The association also did 14 “in-depth surveys with SMB Chief Executive Officers (CEOs) and C-Level executives to identify and better understand where cybersecurity gaps and barriers exist and explore steps that should be taken to enhance the cybersecurity of the organizations they represent.”
Based on survey results, USTelecom makes recommendations for policymakers who want to develop “a focused and well-coordinated national strategy” that takes the needs of SMBs into consideration.
“Ensure expectations for SMB cybersecurity are grounded in an understanding of economics and appropriate incentives are considered,” USTelecom says, which should include “providing firms with prioritization mechanisms and guidance on how they should spend limited resources to the greatest effect.”
Considerations for incentives need to be developed with small businesses in mind that may not be able to “sustain uneconomic investments in cybersecurity beyond minimum requirements,” according to USTelecom.
The report said there also needs to be an effort to “[d]istinguish security from compliance and eschew overly prescriptive or punitive actions.”
“As the U.S. implements the DoD’s Cybersecurity Maturity Model Certification (CMMC) program and other cyber initiatives, the broad stakeholder community must ensure that we don’t compromise security for compliance,” the report said. “We need to focus on cybersecurity as opposed to compliance. Government compliance programs could waste scarce cyber resources unless they are implemented based on cost-effectiveness measures as opposed to regulatory.”
Other recommendations focus on closing the cybersecurity talent gap “between Critical Infrastructure SMBs and better-resourced enterprises” and expanding education efforts through a “whole of nation effort” that goes from K-12 to higher education institutions.
According to the survey:
- 75 percent of critical infrastructure SMBs experienced a breach at least once.
- On average, it took companies 7.5 months to fully recover from a breach.
- 59 percent of SMBs reported breaches that stopped daily productivity.
- Companies spent $170,000 on average to resolve a cyber breach.
- 46 percent of SMBs reported lost customers.
USTelecom announced a partnership with America’s Small Business Development Centers last month to help small businesses improve their cybersecurity posture, through training programs built upon best practices from the CMMC program.
Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, said: “Don’t be fooled -- these companies may be small or have fewer employees than their counterparts -- but they play a big role in operating and safeguarding our country’s critical infrastructure, including energy, financial, water and communications assets. There is nothing small about the importance of bolstering their cybersecurity posture to improve our collective security.”
Mayer said the survey was commissioned “to help companies and policymakers bolster cybersecurity because a failure at any individual, but interconnected, critical infrastructure company could impact the broader digital ecosystem. SolarWinds and the recent attack at a water plant in Florida demonstrate that companies need to immediately take stock of their cyber defenses -- and get ready.”
USTelecom makes recommendations directed at SMBs including “Conduct regular cybersecurity training”; “Revisit and update policies and procedures annually”; “Conduct annual risk assessments”; “Obtain cyber insurance”; and “Identify and participate in valuable formal and informal information sharing venues.” -- Sara Friedman (email@example.com)