Cyberattacks could be fatal to small companies, Collins warns

WASHINGTON – Cybersecurity threats have come a long way since hackers temporarily crippled the computer system at one of Chris Collins’ businesses a few years ago.

For that reason, Collins – now Rep. Chris Collins, R-Clarence – Thursday dedicated his first hearing as chairman of a House Small Business subcommittee to the growing danger of cyberattacks, which he deemed an oft-ignored threat that can put companies out of business.

“Although attacks on small businesses don’t make the headlines, a recent report shows nearly 20 percent of cyberattacks are on small firms with less than 250 employees,” Collins said. “Unlike a large company, small businesses may not be able to survive a cyberattack.”

That’s because those attacks cost so much, Collins said, citing a Federal Communications Commission report showing that the average annual cost of cyberattacks on small and medium-size businesses was a whopping $188,242.

Not surprisingly, then, nearly 60 percent of small businesses that are hit by cyberattacks close within six months of the problem, he added, citing a 2011 report by Business Insider.

That didn’t happen to Bloch Industries, the Rochester kitchen cabinet manufacturer that Collins owns, which faced something of an old-fashioned cyberattack.

“We had the situation of malware getting in and shutting the system down, so we had to go reboot the system,” Collins said.

But that’s nothing compared with what small businesses are facing now, he added.

“It used to be hackers, a bunch of young kids wreaking having with your system,” he said. “It was being malicious or whatever. Now it’s these thieves who don’t want to be detected.”

Most often, such thieves access business computer systems through weak, easily guessed passwords, said William Weber, general counsel of Cbeyond, a cloud computing firm that services more than 60,000 businesses. For example, an employee of one company that Weber knows used his college mascot as his work password, thereby allowing criminals to guess it and gain access to the company’s bill-paying software.

“That company lost $40,000 because of a weak password,” Weber said.

To prevent such thievery, companies, no matter how small, should have written policies governing not only passwords, but exactly how and where company data can be stored, said Dan Shapero, who testified on behalf of the Computing Technology Industry Association.

Such policies “really are the first line of defense,” Shapero said.

Phyllis Schenck, vice president and chief technology at McAfee Inc., agreed, saying that the kind of protective software her company offers should be just part of a larger defense strategy.

But Collins noted that most small businesses appear not to have such a strategy. According to a study by the National Cyber Security Alliance, 77 percent of small businesses think that they are safe from cyberthreats – even though 87 percent don’t have a policy in place to try to prevent such attacks.

Collins, chairman of the Small Business Committee’s Subcommittee on Health and Technology, said he took his staff’s advice to have his first hearing on the topic because he wants to spread awareness of the issue among his small-business colleagues.

“Small business doesn’t think they have a problem,” he said. “And that’s exactly why it’s vulnerable.”