Government Contractor Cybersecurity: Q&A with the Director of the Kansas SBDC Cybersecurity Center

Whether you are an active small business federal contractor, or an entrepreneur still getting your business off the ground, you are going to need a cybersecurity plan. Many DoD contractors, in particular, face a pending deadline to comply with NIST 800-171, as mandated by DFARS 252.204-7012.

The Kansas SBDC Cybersecurity Center for Small Business wants to help.

Located in downtown Lawrence, Kansas—just across town from us coincidentally—the Cybersecurity Center, housed at the KU Small Business Development Center, is the only SBDC in the country with an office dedicated to helping small businesses contend with the growing threat of data breaches. According to Director Brian S. Dennis, the center can be a resource for small businesses across the country, not just those in the state of Kansas.

Mr. Dennis has been the director of the Cybersecurity Center since it was founded in July. He was gracious enough to answer a few questions:

Q: Don’t hackers target only huge businesses? Why does a small business need to worry about cybersecurity? 

A: The International Data Corporation released a report in 2016 estimating that by 2020 over $101 billion will be spent by companies trying to protect their digital footprint. America’s small businesses have not made a dedicated effort to build cybersecurity into their P&Ls [Profits and Losses]. That lack of funding on the small business side has been noticed by hackers. Small businesses are the backdoor into big business. A Fortune 500 company or the U.S. Government can throw as many dollars as they want at the threat of a cybersecurity breach, but all it takes is one small business vendor to take down the whole thing. A prime example of this is the 2013 Target data breach. The billion-dollar retailer announced a huge data breach of customer information, and it happened because a third-party vendor had been granted access to the Target network. The growing threat of a data breach is forcing the U.S. Government and corporate America to rethink how they choose their vendors.

Q: What causes most cybersecurity breaches?  

A: Almost any cybersecurity professional you speak to today will tell you that if there were no human users, there would be no cybersecurity threat. As end users of systems, we are flawed in our approach to internet safety. Ransomware is a prime example of this. The FBI estimates that $24 million was paid in ransoms in 2015. By 2016 that number was over $1 billion. Ransomware only works when a user on the receiving end of an exchange takes an action. We need to incorporate training across the board that enables each and every user with the knowledge of how to remain safe in the digital age.

Q: It seems like things change so quickly. How can a small business find out if its practices are sufficient or if it is at risk without knowing it? 

A: It all starts with planning. Creating a plan that works and can be tested is paramount to a small business surviving a cyber event. The threat of a digital interruption is looming over all of us and there is no silver bullet that will prevent every single attack or occurrence. But if a small business can build a plan that follows five steps, the likelihood of survival increases. Those steps are:

  1. Identify — What structures and practices do you have in place to identify cyber threats?
  2. Protect — What are the basic practices you have in place to protect your systems?
  3. Detect — What do you use to identify someone or something malicious?
  4. Respond — How will you deal with a breach if and when one occurs?
  5. Recover — How will you get your business back to normal after a breach?

Q: What if a small business is not as secure as it could be—by its nature, a small business has to choose where to put its resources, so why does it need to spend money on cybersecurity?

A: According to Symantec, nearly half of all cyber attacks these days are targeted at small businesses. Small businesses are the entry point into larger operations. When your business decides to allocate resources away from cybersecurity, your opportunities will begin to diminish. The hard part is understanding where to potentially shift money and resources to ensure that this can even happen. America’s Small Business Development Center (ASBDC) has over 1,100 business consultants and advisers working across America. Find a local SBDC near you and ask them for help. A good business consultant can help you get a better grasp of your P&Ls and determine where dollars can be set aside for your cyber effort. The service is free, but the commitment is your time and effort.

[Ed. Note: SBDCs are funded in part by the U.S. Small Business Administration, which helps keep consulting costs down—services are often free.]

Q: Seriously though, what’s the worst that could happen? Is a business going to lose its contracts? Something worse?

A: The Federal government is moving swiftly to ensure that its vendors and contractors are secure. The National Institute of Standards and Technology (NIST) has created a framework for cybersecurity that is already being rolled out by the Department of Defense. DoD contractors have to complete the framework by December 31st of this year. And this is just the start. If you make the decision to not properly protect your business and you are doing business with the government, you will lose contracts; that is a guarantee. Losing contracts is just the start. The something worse that is looming on the horizon is the legal responsibility. Several states are looking at what types of recourse clients/consumers will have against a small business that allows data to be breached.

Q: What do you see coming in the future? 

A: There is no crystal ball for guessing what the next cyber threat will look like, but the general consensus is that cyber criminals will continue to prey upon our inability to properly train end users. Ransomware is a direct result of poor training. Attacks that started against users demanding ransoms in the hundreds of dollars range have morphed into attacks against municipalities demanding millions of dollars. Ransomware is easy to send out and easy to collect. Unfortunately, it will be here until someone develops a dedicated way to fight it.

The future will also hold the possibility for more business and industry to pick up the torch of the NIST Framework. The Framework is probably the best start to a business being protected. Banking, insurance and finance industries will be watching closely as the Framework is rolled out this year.