Press Release

April 25, 2018
Cardin: Small Businesses Vulnerable to Cyberattacks
Small businesses emerging as principal target of worldwide cybercrimes

Washington – U.S. Senator Ben Cardin (D-MD), the Ranking Member of the U.S. Senate Committee on Small Business & Entrepreneurship, today highlighted the growing threat of cyberattacks on America’s 30 million small businesses during a committee hearing on strengthening small firm cyber defenses.

Cardin heard testimony from security experts that cyberattacks cost the U.S. economy more than $57 billion in 2016.  Witnesses shared survey data indicating only 12 percent of small businesses have a cybersecurity response plan and just 21 percent provide security awareness training to employees. 

Senators were urged to help bring small business cybersecurity practices up to par with larger organizations by partnering with the Small Business Administration (SBA) to provide timely training materials to mitigate cyber threats.

“We have come to understand the risk that cyber intrusions pose to our democracy from nations like Russia and China, and consumers are increasingly aware of the economic and privacy implications from cyber incidents like the data breach at Equifax or the mishandling of personal information by Facebook,” Cardin said.  “What is much less understood is the ongoing and evolving cyber threat specifically targeting our country’s small businesses.”

A small business owner told committee members about a ransomware attack on his business and how the firm recovered with assistance from a Small Business Development Center supported by SBA. 

According to a 2018 report, 58 percent of data breach victims globally are small businesses.  Small businesses are vulnerable to a variety of risks, including ransomware, malware, and phishing schemes that trick businesses into providing sensitive information or passwords to criminals.  Approximately 90 percent of successful cyberattacks start as phishing emails.

Even with this risk, cybersecurity tools are perceived as too costly and complicated for small businesses that operate on narrow margins and lack dedicated IT personnel trained in cybersecurity.  In addition to cost, a lack of cyber expertise is a factor facing small businesses.  Cardin stressed that government and private sector policy solutions must include an education and knowledge-building component for small firms.

Cardin added: “The internet has been transformative for small businesses, offering new ways to innovate and reach customers.  But this connectivity also makes small businesses vulnerable to cyberattacks.  Unfortunately, many small businesses lack the resources and basic information to prevent or mitigate an inevitable attack.  Across government and the private sector, we need to better prepare small businesses to combat the growing threat of cybercrimes by bolstering cybersecurity training programs.

At Wednesday’s hearing, Cardin heard small business cybersecurity recommendations from Gina Abate, the President and CEO of Edwards Performance Solutions, a certified woman-owned small business in Elkridge, Maryland that provides IT and cyber consulting services to commercial and government customers.  Abate told the committee it is imperative the small business community understand the value of their business assets, engage experts to assess vulnerabilities in their security systems, and take appropriate steps to mitigate their cyber risk. 

Maryland is home to many federal, commercial, and academic cybersecurity assets, including: the National Security Agency, U.S. Cyber Command, the National Institute of Standards & Technology (NIST), Johns Hopkins University Applied Physics Lab, and the University of Maryland, College Park.