Small businesses are susceptible to cyber threats just as their larger counterparts. And Although the Department of Defense (DOD) Office of Small Business Programs (OSBP) is not required to provide support to small businesses, the office is considering promoting outreach opportunities, according to a recent audit report by the Government Accountability Office (GAO).
DOD relies on small businesses to support its missions, encourage innovation and enhance certain technologies.
“In February 2015, the Director National Intelligence reported cyber threats to US national and economic security are increasing in frequency, scale, sophistication and security of impact,” GAO said. “Small businesses in particular have fewer resources, such as robust cybersecurity systems, than larger businesses have to counter such threats.”
During fiscal year 2014, $55.5 billion was dedicated to small business prime contractors on behalf of DOD at more than 51,000 locations. Yet, cyber threats can be especially devastating to a small business, including those that support federal operations.
The National Defense Authorization Act for Fiscal Year 2015 incorporated a Joint Explanatory Statement which noted a stipulation that GAO evaluate DOD OSBP’s education and outreach efforts to help small businesses to better understand cyber threats.
Cyber risks can originate from both unintentional and intentional threats.
“Unintentional threats can be caused by, among other things, defective computer or network equipment and careless or poorly trained employees,” GAO stated. “Intentional threats include both targeted and untargeted attacks from a variety of sources, including criminal groups, hackers disgruntled employees, foreign nations engaged in espionage and information warfare, and terrorists,”
The audit was peformed from February 2015 to September 2015, and identified the efforts the OSBP – which serves to provide small business policy advice to the Office of the Secretary of Defense and oversight to DOD military department. The audit report found OSBP has not introduced cybersecurity suggestions into its education and outreach protocol of defense small businesses.
In working to adequately address cyber threats, DOD has taken notice; it said it’s since tasked OSBP with the creation and support of small business training platforms for specialists and those working on acquisitions. They must also provide resources on the OSBP website and at conferences.
GAO additionally identified 15 federal cybersecurity resources, already in existence, which OSBP could circulate to enhance their outreach to defense small businesses.
Examples of this include:
- DOD’s Defense Security Service – Provides cybersecurity training programs to the public on topics such as cybersecurity awareness and insider threats;
- Small Business Administration – Maintains a learning center with online programs that educate small businesses on cybersecurity concepts;
- Department of Homeland Security – Works with the National Cyber Security Alliance and the Anti-Phishing Working Group, to promote awareness resources, including videos and tip sheets;
- Federal Communications Commission – hosts FCC Small Biz Cyber Planner 2.0, an online planning tool, to help small businesses plan their cybersecurity efforts.
Further, as a response to the findings of this GAO report, OSBP representatives reached out to the DOD Chief Information Officer to further review how training materials, such as videos and brochures, could be utilized at small business conferences. This would help to spread best practices and requirements pointed out by the Defense Federal Acquisition Regulation Supplement.
DOD’s Chief Information Officer was also invited to join a OSBP representative in speaking to small businesses about cybersecurity and by passing out handouts. OSBP will further add to their curriculum, making sure that their officials are properly trained in matters of cybersecurity.
As of July 2015, the office has yet to identify and disseminate that information as part of its cybersecurity education or outreach efforts to defense small businesses. DOD agreed with this recommendation, and said it plans to take action.