Lawmakers on the House Small Business Subcommittee on Health and Technology prodded private sector cybersecurity leaders during a hearing Thursday to identify practices that would help small businesses improve their cybersecurity defenses. Subcommittee Chairman Chris Collins, R-N.Y., said lawmakers must work to identify the “correct balance between imposing new onerous regulations for small business and protecting proprietary information and our digital infrastructure.”
Collins asked witnesses to name the top three things that small businesses should focus on to improve their cybersecurity posture, besides migrating their IT services to the cloud. William Weber, senior vice president of cloud services provider Cbeyond, said cloud providers can help increase cybersecurity protections for small businesses by shifting the burden of maintaining firewalls, operating systems and updating virus software away from small business owners.
Weber said he thinks most small businesses are using poor password protection practices. “It sounds so basic. You would think that today in 2013 people would know what they ought to be doing, but they don’t,” Weber said. “They are very dumb about password selection.” He said individuals should use passwords that are at least 12 digits long, include capitalized letters, lower-case letters and at least one number. “A password like that is not going to be cracked,” he said. “If every business in the United States started using appropriate passwords it would have a very significant effect on cybercrime.”
Justin Freeman, corporate counsel for Rackspace, said small businesses need to incorporate data encryption techniques into their operations. “Encryption is really the only means that has the fundamental integrity with which to protect data,” he said.
Freeman said in his written testimony that lawmakers must avoid regulating small businesses by imposing “retrospective or overly burdensome requirements.” “Instead Congress should focus on requiring reasonable and appropriate controls to address threats in the context of a competitive business environment, disseminating critical information about current threats and best practices to the small business community and promoting a coherent set of sector specific regulations, privacy protections, security requirements and collaborative commitments,” he said. “Small businesses will be much more responsive to economic incentives rather than changing their behavior out of fear of punitive regulations,” he said.
Dan Shapero, the founder of ClikCloud, said it’s critical for small businesses to ensure that their networks are compliant with antivirus, malware and firewall updates. Small businesses should also focus on cybersecurity training and education, “not just for the owner, but the staff as well.”
Phyllis Schneck, McAfee chief technology officer, said small businesses need to create a “culture of resiliency” and develop a plan that fits each company’s cybersecurity needs. Lawmakers should promote policies that create tax breaks or insurance incentives for companies that adopt cybersecurity practices. “That is very attractive to small businesses,” she said.
Collins said the witnesses offered “very common sense suggestions that in many cases are not that expensive.”